Cybersecurity Best Practices for Senior Living Communities

In November 2019, a cyberattack against 110 nursing homes highlighted the industry’s cybersecurity vulnerabilities. Hackers encrypted all data, including patient records, and demanded $14 million in bitcoin to decrypt the data. These nursing homes were cut off from all patient data and forced to handle patient care by pen and paper.

Assisted living centers and nursing homes often have lots of data in their system. Both patient medical records and client payment information are incredibly tempting for hackers and data thieves. Whether the data is encrypted or stolen, it presents a major danger to your facility. Knowing how to ensure cybersecurity is a must for any assisted living center or rest home.

Cybersecurity Threats for Senior Living and Nursing Homes

In 2023, five prominent cyber attacks against healthcare organizations impacted over 43.3 million people. These facts make it abundantly clear that healthcare organizations represent appealing targets for bad actors. Assisted living centers and nursing homes capture and store valuable data like medical records and payment information that attract hackers and data thieves. When that data is exposed or stolen, it presents a major danger to your community, employees and residents. Knowing how to ensure cybersecurity is a must for any assisted living center or rest home.

While the figures cited above span every type of healthcare organization, adult care communities may be even more vulnerable. These small organizations don’t have the same resources and cybersecurity infrastructure as large medical centers, meaning hackers often find these establishments easier targets.

Cyber threats abound in nursing homes and older adult living centers. Your organization could be vulnerable to these types of cybersecurity breaches:

1. Email Phishing Attacks

Phishing accounts for 31% of the social engineering attacks in a recent Verizon report. Among those, email attacks are responsible for almost 100% of the incidents, meaning they can easily be the source of a long-term care community’s data breach. 

An email phishing scam attempts to trick an email recipient into giving out information. In your workplace, the victim could be you, a colleague or even a long-term care patient. The email will contain a link or file and appear to come from a legitimate source. It may appear to come from a co-worker, manager, the company itself or a vendor. Clicking on the link will take the user to a website soliciting sensitive data. It could also immediately infect the computer with malware.

An example of this could be a fake email appearing to come from the organization’s software provider, asking the user to change their password. Complying with the request may result in compromised patient data.

Business email compromise (BEC) and pretexting are other forms of phishing that healthcare organizations experience. These attacks aim to get the user to complete an action — frequently a financial transaction — or disclose confidential information. These emails often impersonate a trusted co-worker or person in authority, such as an IT team member or organizational leader.

2. Ransomware Attacks

A special type of malware called ransomware blocks users’ access to data through encryption. Criminals essentially take an organization’s data hostage and try to extort a ransom, often in cryptocurrency, to unlock the data. Bad actors often use phishing to initiate ransomware attacks.

While some may think paying the ransom is the easiest solution, this is not the case. Some ransomware destroys or exfiltrates data, meaning it is already gone or in the wrong hands. Paying the ransom doesn’t guarantee the hacker will return your lost data. It often takes as long to decrypt data as it does to restore it from a backup. If a breach occurs, it could take weeks to restore the lost data.

Nursing homes hit by such an incident could face serious fallout. Practitioners won’t be able to read medical charts. Without crucial healthcare data, patients could receive improper care. The facility could also face lawsuits. If patient data is compromised, your organization may need to report the breach to the authorities. In the scramble to document care on paper, crucial information gets forgotten. If certain activities aren’t properly documented, they can’t be reimbursed. A two-week system outage could cost your facility thousands in revenue.

3. Equipment Theft or Loss

People have their phones or laptops stolen often. Whether these devices are left in a ride-share vehicle or swiped from a coffee shop, the sensitive data they contain can be compromised. Any medical charts or patient billing information accessed from a personal device can end up in the wrong hands after theft. 

Another way theft can compromise your data is when it occurs from the inside. An employee with malicious intent may steal company computers or even connected medical devices. Whether they attempt to sell the equipment or the data within, sensitive medical information is jeopardized. Lost company equipment can also slow down productivity.

4. Data Loss

Insider threats were the cause of 31% of data breaches in 2023. Employees can cause data loss due to honest mistakes and intentional theft. A procedural error, such as forgetting to hit save, is a common cause of data loss. Falling for a phishing scam can also result in accidental data exposure.

Insecure communications and compromised personal devices are other frequent risk factors for data loss. As your team cares for your residents, quickly communicating with others is often critical. The rise of connected devices has made that faster and simpler than ever but also increased the risk of hacking. For example, two staff members may use text messages to discuss a resident’s needs, medications or other details. If these communications run through public networks or personally owned devices that have been compromised, they’re far easier for bad actors to access.

An employee, contractor or another individual with access to the company network can also cause a malicious data loss. They may steal data for personal gain or to harm the organization or an individual, such as a patient or co-worker. An employee may inappropriately view patient information without even physically stealing it.

Consequences of data loss can include:

  • Incorrect medical records that lead to treatment or medication errors
  • Mandated reporting to regulatory agencies
  • Financial loss to residents or employees if banking information was involved
  • Identity theft
  • Monetary and reputational damage to your community

Cybersecurity Practices to Protect Your Data

Implementing a few cybersecurity tips throughout your company network can protect your business, employees and residents. Here’s how to protect yourself through cybersecurity:

1. Email Protection

Email phishing is threatening because it’s surprisingly easy to fall for. An email from a carefully chosen address and a link to a smartly designed website has a high chance of fooling someone. Also, phishing emails often go out to a large batch of people, and only one needs to click on it to cause a breach. Some are even disguised to look like they come from the CEO. Ignoring a request from such a high authority goes against many people’s best instincts.

Some basic email filtering can prevent phishing scams from reaching your inboxes. These systems test out links and messages to block malicious communications from ever reaching your inbox. Protection systems are so effective at mitigating phishing that we install email and spam filters by default for all our customers. It’s also helpful to have the system tag emails from external senders, so staff can use caution.
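One way the external-sender tag and the "looks like it came from the CEO" check described above could work, shown as an added example rather than Prelude Services' own code. The domain carecommunity.example, the protected staff names and the X-Impersonation-Warning header are assumptions made for illustration, and the sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example (not from the article): the community's own
# mail domain and the staff display names worth guarding against impersonation.
INTERNAL_DOMAINS = {"carecommunity.example"}
PROTECTED_NAMES = {"pat morgan", "it help desk"}
TAG = "[EXTERNAL]"

def classify_sender(from_header):
    """Return (is_external, looks_like_impersonation) for a From header."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    # A missing or unparsable address yields an empty domain: treat as external.
    external = domain not in INTERNAL_DOMAINS
    # External address + internal person's display name is the classic
    # "email that appears to come from a manager" pattern.
    spoofed = external and display.strip().lower() in PROTECTED_NAMES
    return external, spoofed

def tag_message(raw):
    """Parse a raw message, tag it if external, and return the Message object."""
    msg = message_from_string(raw)
    external, spoofed = classify_sender(msg.get("From", ""))
    subject = msg.get("Subject", "")
    if external and not subject.startswith(TAG):
        del msg["Subject"]
        msg["Subject"] = f"{TAG} {subject}"
    if spoofed:
        msg["X-Impersonation-Warning"] = "display name matches internal staff"
    return msg

# Constructed sample messages: internal mail, a vendor, and a lookalike domain.
SAMPLES = {
    "internal": "From: Pat Morgan <pat.morgan@carecommunity.example>\n"
                "Subject: Shift schedule\n\nSee attached.\n",
    "vendor": "From: Billing <billing@vendor.example>\n"
              "Subject: Invoice\n\nPlease review.\n",
    "lookalike": "From: Pat Morgan <pat.morgan@carecommunity-mail.example>\n"
                 "Subject: Urgent wire transfer\n\nNeed this today.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        tagged = tag_message(raw)
        print(name, "|", tagged["Subject"], "|", tagged["X-Impersonation-Warning"])
```

The From header can be forged to show an internal address, so a mail gateway would pair this tagging with SPF, DKIM and DMARC results rather than trusting the header alone.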

A complete email protection system will also include training and a procedure for dealing with attempted and successful phishing scams. Staff should learn to detect suspicious emails. They should also know who to forward them to. It can be helpful to coordinate with other nursing homes and assisted living communities about potential threats.

2. Network Management

Your company’s network includes all the computers, equipment and devices linked to one another within your system. Network management involves setting up, administering and troubleshooting a network. An effective network management system for a small business should encompass a few best practices, including:

  • Network segmentation: Dividing your company’s network into several subnetworks has many advantages. It allows the company to limit insiders’ access to various parts of the network. It also builds perimeters around sensitive data. That means unauthorized staff won’t have access to proprietary information. Also, cyberattackers won’t be able to access it by breaching the network’s outer perimeter.
  • Physical security and guest access management: On-premise security is essential for preventing unauthorized network access. It also prevents equipment theft and safeguards access to Wi-Fi.
  • Intrusion prevention: In cybersecurity, an intrusion prevention system scans network traffic to detect malicious intrusion attempts to the network. The software will alert a network administrator and block traffic from the source.

3. Asset Management

Your organization needs proper asset management to fight equipment theft. For some care centers, this may include Radio Frequency Identification (RFID) tracking for devices. If equipment goes missing, this data can help you pinpoint its location. It can also include scannable bar codes to log who uses equipment and when.

Your organization should maintain a complete, accurate record of all mobile devices, on-site servers, laptops and USB drives. Depending on your size and resources, you may need secure storage for inactive equipment. It’s also crucial to decommission devices before disposal for data hygiene.

4. Data Protection and Loss Prevention

Cybersecurity best practices for senior living centers must include data protection. Regularly backing up data is one step to protect against data loss. It’s also critical to encrypt data to prevent outsiders from accessing it or encrypting it themselves. Skilled nursing organizations and retirement homes should enforce communication only via secure channels and known safe devices, plus encrypt stored data and anything sent via email, text or fax. 

Here at Prelude Services, we protect your data through our private cloud computing services. If you work with us, you’ll store your healthcare data in your own secure, HIPAA-compliant cloud.

Long-Term and Post-Acute Care Cybersecurity Risks

Long-term and post-acute care centers remain one of the most vulnerable subsectors of the healthcare industry. Their level of IT sophistication usually lags behind others in the industry. They also have a massive log of high-value electronic health records, personal health records and personally-identifying information about residents and employees.

Your organization’s focus on older adult care adds to your cybersecurity risk since seniors are frequent targets for online scams and fraud. In 2023, this demographic reported the highest total of cyber crimes, with 104,068 cases. They often have excellent credit and savings and may be less tech-savvy or more trusting. Cyberattacks can harm your patients and, without the proper security, work their way into your company’s network. Among older adults, 88% of those over age 65 use the internet, and 76% own a smartphone capable of accessing it. With many of your residents using unsecured devices or receiving phishing emails, your assisted living center or nursing home is at greater risk.

Contact Prelude Services for Cybersecurity Solutions

Prelude Services is a healthcare IT and cybersecurity provider specializing in supporting assisted living and long-term care organizations. We understand the unique vulnerabilities facing your organization and are here to help with tailored HIPAA-compliant solutions. We offer network management, cloud security and friendly, dedicated 24/7 support to secure your organization’s network and data.

If you’re interested in cybersecurity that offers the level of support your industry needs, contact us today.

CONTACT PRELUDE SERVICES FOR 24/7 IT SUPPORT

Technology has become a crucial part of the modern business experience. Without functional computers and mobile phones, many business practices would grind to a halt. Unfortunately, breakdowns and malfunctions are an inevitable part of any machine, meaning businesses do grind to a halt until the issues are fixed. In order to keep your business running, it's crucial to have access to IT support when you experience technical difficulties.

If you're a healthcare company, long-term care provider, or small business in need of IT support at all hours, consider Prelude Services. We're an SSAE SOC compliant business dedicated to improving your security and functionality. We offer specific IT services for senior living care, nursing homes, retirement home services and assisted living, including 24/7 IT support. If you want to know how Prelude can help you, contact us today!