Cybersecurity Best Practices for Senior Living Communities

In November 2019, a cyberattack against 110 nursing homes highlighted the industry’s cybersecurity vulnerabilities. Hackers encrypted all data, including patient records, and demanded $14 million in bitcoin to decrypt the data. These nursing homes were cut off from all patient data and forced to handle patient care by pen and paper.

Assisted living centers and nursing homes often have lots of data in their system. Both patient medical records and client payment information are incredibly tempting for hackers and data thieves. Whether the data is encrypted or stolen, it presents a major danger to your facility. Knowing how to ensure cybersecurity is a must for any assisted living center or rest home.

Cybersecurity Threats for Senior Living and Nursing Homes

Approximately 75.7% of healthcare organizations have recently experienced a significant cybersecurity incident. While this estimate includes many types of healthcare environments, adult care facilities may be even more vulnerable. These small organizations don’t have the same resources and cybersecurity infrastructure as large medical centers. For this reason, 58% of all cyberattack targets are small businesses.

Cyberthreats abound for nursing homes and older adult living centers. Your organization could be vulnerable to these types of cybersecurity breaches:

1. EMAIL PHISHING ATTACKS

Attacks involving email are responsible for 61.9% of cybersecurity compromises in the healthcare industry. They can easily be the source of a long-term care facility’s data breach. 

An email phishing scam attempts to trick an email recipient into giving out information. In your workplace, the victim could be you, a colleague or even a long-term care patient. The email will contain a link or file and appear to come from a legitimate source. It may appear to come from a co-worker, manager, the company itself or a vendor. Clicking on the link will take the user to a website soliciting sensitive data. It could also immediately infect the computer with malware.

An example of this could be a fake email appearing to come from the facility’s software provider, asking the user to change their password. Complying with the request may result in compromised patient data.

2. RANSOMWARE ATTACKS

A special type of malware called ransomware blocks users’ access to data through encryption. Criminals try to extort a ransom, often in cryptocurrency, to unlock the data. Ransomware attacks are often initiated through phishing.

While some may think paying the ransom is the easiest solution, this is not the case. Some ransomware destroys or exfiltrates data, meaning it is already gone or in the wrong hands. Paying the ransom doesn’t guarantee the hacker will return your lost data. It often takes as long to decrypt data as it does to restore it from a backup. If a breach occurs, it could take weeks to restore the lost data.

Nursing home facilities faced with such an incident could face many fallouts. Practitioners won’t be able to read medical charts. Without crucial healthcare data, patients could receive improper care. The facility could also face lawsuits. If patient data is compromised, your organization may need to report the breach to the authorities. In the scramble to document care by paper, crucial information gets forgotten. If certain activities aren’t properly documented, they can’t be reimbursed. A two-week system outage could cost your facility anywhere from 6% to 10% of the proper payments owed to you.

3. LOSS OR THEFT OF EQUIPMENT

People have their phones or laptops stolen often. Whether these devices are left in a ride-share vehicle or swiped from a coffee shop, the sensitive data they contain can be compromised. Any medical charts or patient billing information accessed from a personal device can end up in the wrong hands after a theft. 

Another way theft can compromise your data is when it occurs from the inside. An employee with malicious intent may steal company computers or even connected medical devices. Whether they attempt to sell the equipment or the data within, sensitive medical information is jeopardized. Lost company equipment can also slow down productivity.

4. DATA LOSS

Negligent insiders cause 20.8% of cybersecurity incidents in the healthcare industry. Employees can cause data loss due to honest mistakes and intentional theft. A procedural error, such as forgetting to hit save, is a common cause of data loss. Falling for a phishing scam can also result in accidental data loss.

An employee, contractor or another individual with access to the company network can also cause a malicious data loss. They may steal data for personal gain or to harm the organization or an individual, such as a patient or co-worker. An employee may inappropriately view patient information without even physically stealing it.

Data loss can cause patient identity theft. Lost patient data is also considered a reportable data breach. Incorrect data may cause nurses to give residents the wrong medications, and it can also result in financial loss if banking information is compromised. 

Cybersecurity Practices to Protect Your Data

Implementing a few cybersecurity tips throughout your company network can protect your business, employees and residents. Here’s how to protect yourself and your adult care facility through cybersecurity:

1. EMAIL PROTECTION SYSTEMS

Email phishing is threatening because it’s surprisingly easy to fall for. An email from a carefully chosen address and a link to a smartly designed website has a high chance of fooling someone. Also, phishing emails often go out to a large batch of people, and only one needs to click on it to cause a breach. Some are even disguised to look like they come from the CEO. Ignoring a request from such a high authority goes against many people’s best instincts.

Some basic email filtering can prevent phishing scams from reaching your inboxes. These systems test out links and messages to block malicious communications from ever reaching your inbox. Protection systems are so effective at mitigating phishing that we install email and spam filters by default for all our customers. It’s also helpful to have the system tag emails from external senders, so staff can use caution.

A complete email protection system will also include training and a procedure for dealing with attempted and successful phishing scams. Staff should learn to detect suspicious emails. They should also know who to forward them to. It can be helpful to coordinate with other nursing homes and assisted living facilities about potential threats.

2. NETWORK MANAGEMENT

Your company’s network includes all the computers, equipment and devices linked to one another within your system. Network management involves setting up, administering and troubleshooting a network. An effective network management system for a small business should encompass a few best practices, including:

• Network segmentation: Dividing your company’s network into several subnetworks has many advantages. It allows the company to limit insiders’ access to various parts of the network. It also builds perimeters around sensitive data. That means unauthorized staff won’t have access to proprietary information. Also, cyberattackers won’t be able to access it by breaching the network’s outer perimeter.
• Physical security and guest access management: On-premise security is essential for preventing unauthorized network access. It prevents equipment theft as well as network access through Wi-Fi.
• Intrusion prevention: In cybersecurity, an intrusion prevention system scans network traffic to detect malicious intrusion attempts to the network. The software will alert a network administrator and block traffic from the source.

3. ASSET MANAGEMENT

To fight back against equipment theft, your organization needs proper asset management. For some organizations, this may include Radio Frequency Identification (RFID) tracking for devices. If a piece of equipment goes missing, this data can help you pinpoint its location. It can also include scannable bar codes to log who uses equipment and when.

Your organization should maintain a complete, accurate record of all mobile devices, on-site servers, laptops and USB drives. Depending on your size and resources, you may need secure storage for inactive equipment. It’s also crucial to decommission devices before disposal for data hygiene.

4. DATA PROTECTION AND LOSS PREVENTION

Cybersecurity best practices for senior living centers must include data protection. Regularly backing up data is one step to avoid losing proprietary data. It’s also critical to encrypt data to prevent outsiders from accessing it or encrypting it themselves. Skilled nursing facilities and retirement homes should encrypt stored data and anything sent via email, text or fax. 

Here at Prelude Services, we protect your data through our private cloud services. If you work with us, you’ll store your healthcare data in your own secure, HIPAA-compliant cloud.

Long-Term and Post-Acute Care Cybersecurity Risks

Long-term and post-acute care centers remain one of the most vulnerable subsectors of the healthcare industry. Their level of IT sophistication usually lags behind others in the industry. They also have a massive log of high-value electronic health records, personal health records and personally-identifying information about residents and employees.

Your organization’s focus on older adult care adds to your cybersecurity risk. People born between the 1930s and 1950s are frequent targets for online scams and frauds. They often have excellent credit and savings and may be less tech-savvy or more trusting. Cyberattacks can harm your patients and, without the proper security, work their way into your company’s network. Among adults aged 65 to 74, 86.9% own computers, and 83.2% use the internet. Even 55.1% of those over 85 are using the internet.

With many of your residents using unsecured devices or receiving phishing emails, your assisted living center or nursing home is at greater risk.

Contact Prelude Services for Cybersecurity Solutions

Prelude Services is a healthcare IT and cybersecurity provider geared toward assisted living and long-term care organizations. We understand the unique vulnerabilities facing your organization and are here to help with tailored, HIPAA-compliant solutions. We offer network management, cloud security and friendly, dedicated 24/7 support to secure your organization’s network and data.

If you’re interested in cybersecurity that offers the level of support your industry needs, contact us today.