Cyberattacks are a nightmare scenario for businesses of all types. For senior living providers with protected health data, cyber-breaches create heightened risk.
And although corporate boards and leadership teams are paying more attention to cybersecurity, they still may not understand just how at risk they are. Start with these questions:
- What would it cost your company to lose access to data or key business operations, such as electronic medical records and billing systems, for even one day?
- Do you know the top cybersecurity risks at your organization and have a plan in place to address them?
- Do you have data security policies and processes that are clearly communicated to staff — and if not, do you know the associated liability?
- Do you have a disaster recovery data center to keep critical operations running?
Today, the cost of cybercrime is in the billions of dollars, and healthcare data breaches jumped more than 50% in 2020, according to CPO Magazine. Hacking and IT security issues accounted for 70% of those breaches — and it took the average business 236 days to recover from one, according to a Bitglass report.
Addressing cybersecurity risks
So what can your company do to protect itself from cyberattacks?
If you don’t have in-house cybersecurity expertise, which is out of reach for many organizations, seek a managed services provider (MSP) that does. Cybersecurity analysts are highly skilled individuals who monitor, detect, investigate, analyze and respond to security events. They should work in concert with the MSP’s chief security officer, who helps determine your risk profile and the cost to improve it, guides the financial decisions about how to address that risk, and builds a more robust and safer IT infrastructure.
The five areas important to senior living providers:
- Protected health information and identity management
- Legacy systems
- Policies for data security
- Disaster planning for business continuity
- Network security
1. Protected health information
The top causes of data breaches, according to the Healthcare Information and Management Systems Society:
- Phishing attacks (57%)
- Credential harvesting (21%)
- Malware/ransomware (20%)
- Social engineering attacks (20%)
In a phishing attack, an employee receives an email that appears to come from a vendor or a senior executive within the organization, asking them to click a link or to send key account or employee information. Unwittingly, the employee has opened the door to a ransomware attack on your network or abetted identity theft. Breaking the news to affected employees, and paying to remediate the identity theft, creates long-lasting financial and organizational trust issues.
Those scenarios are all too common. Despite ongoing education, protected health information breaches continue to occur through phishing in the form of malicious and increasingly sophisticated email scams.
In a typical ransomware attack, malicious software penetrates the organization’s systems and encrypts accessible data. Hackers then demand a costly ransom to decrypt it — and also may threaten to sell or release your data on the internet. The news is rife with examples, such as the July breach of IT firm Kaseya, where hackers demanded a $70 million ransom.
So how do you protect yourself against data breach and loss? When it comes to protecting your organization from cyber-probes, employees are your first line of defense. Identity management is a critical back-up.
Here are high-level cybersecurity measures that the Thrive Well team addresses after performing a comprehensive organizational security audit:
- Comprehensive and frequent cybersecurity education for staff
- Automated back-ups of critical systems
- Encryption systems for emails and data in case of device loss or theft
- Implementation of alerts for large or suspicious file or monetary transfers
- Identity management processes for systems access
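The fourth item above, alerting on large or unusual transfers, is the one that lends itself to a concrete rule. The following is an added example, not code from the original article or from the Thrive Well team. It runs over a small constructed transfer log (timestamp, user, destination, bytes; the format and the users are invented) and raises an alert when a single transfer exceeds an absolute limit, when a transfer is far above that user's typical size, and notes when either happened outside business hours. The same shape of rule applies to payment amounts in a billing system; the thresholds here are assumptions to be tuned per organization.

```python
"""Alerting on large or unusual outbound file transfers.

Added example (not from the original article). Log format, thresholds and
sample records are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample of a proxy/DLP-style transfer log:
# <ISO timestamp> <user> <destination host> <bytes>
SAMPLE_LOG = """\
2021-08-02T09:14:05 jsmith sharepoint.example.org 2400000
2021-08-02T09:30:11 jsmith sharepoint.example.org 1800000
2021-08-02T11:02:43 mlee billingvendor.example.net 950000
2021-08-02T23:41:09 mlee files.unknown-host.example 380000000
2021-08-03T08:05:12 jsmith sharepoint.example.org 2100000
2021-08-03T08:06:30 jsmith sharepoint.example.org 2300000
2021-08-03T02:17:55 jsmith mega-like-share.example 45000000
"""

# Assumed thresholds; tune these to the organization.
SINGLE_TRANSFER_LIMIT = 100 * 1024 * 1024  # 100 MiB: always reviewed
BASELINE_MULTIPLIER = 10                   # 10x the user's median size is suspicious
OFF_HOURS = (22, 6)                        # 22:00 to 06:00 local time


def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, dest, size = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "dest": dest, "bytes": int(size)})
    return events


def is_off_hours(ts):
    start, end = OFF_HOURS
    return ts.hour >= start or ts.hour < end


def find_alerts(events):
    """Return alerts (user, dest, bytes, reasons) worth a human look.

    A user's baseline is the median of their transfer sizes in the log, so a
    single outlier does not pull its own baseline up the way a mean would.
    """
    sizes_by_user = defaultdict(list)
    for e in events:
        sizes_by_user[e["user"]].append(e["bytes"])
    baseline = {u: median(s) for u, s in sizes_by_user.items()}

    alerts = []
    for e in events:
        reasons = []
        if e["bytes"] >= SINGLE_TRANSFER_LIMIT:
            reasons.append("exceeds absolute size limit")
        if e["bytes"] >= BASELINE_MULTIPLIER * baseline[e["user"]]:
            reasons.append("far above user's typical transfer size")
        # Off-hours on its own is not an alert; it raises the priority of one.
        if reasons and is_off_hours(e["ts"]):
            reasons.append("off-hours")
        if reasons:
            alerts.append({"user": e["user"], "dest": e["dest"],
                           "bytes": e["bytes"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_alerts(parse_log(SAMPLE_LOG)):
        print(f'{a["user"]} -> {a["dest"]} ({a["bytes"]} bytes): {", ".join(a["reasons"])}')
```

On the sample data the two night-time transfers are flagged and the routine daytime SharePoint uploads are not. In production the baseline should come from weeks of history rather than the window being inspected, and the alert should go to someone who can actually call the user.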
2. Legacy systems
Here’s an example involving a legacy system.
Your organization’s billing department uses a computer with an operating system that no longer is supported by the developer. The data it holds and sends is not encrypted, and the system cannot be updated to add this critical security layer. If this system is breached, whether through phishing or a network intrusion, your organization faces fines under the Health Insurance Portability and Accountability Act that grow with each resident/patient record exposed, potentially tens or hundreds of thousands of dollars. Communicating this breach to affected clients, and dealing with the aftermath, is a CEO’s nightmare, even more so if the breach is made public.
Legacy operating systems and hardware that carry security risks are an unfortunate fact of life for most organizations. It’s extremely costly to keep every piece of hardware and software up to date — especially when balanced against day-to-day operating needs.
Common cyber-risks include operating systems for which the vendor no longer provides updates, and hardware that can’t run an updated operating system. Additionally, some pieces of technology, kiosks for example, cannot be updated at all, meaning you will need to bring in an entirely new system. That’s a costly, complicated and long-term process.
So, how do you address legacy systems risk?
- Identify all legacy systems.
- Conduct a vulnerability scan that identifies the risks — and put a process in place to repeat and follow up on findings.
- Clearly convey the risk and cost of not investing in fixes to leadership and board.
- Establish a POAM (plan of action and milestones) to address vulnerabilities in accordance with risk. In some cases, an organization simply may need to formally accept the risk of a piece of technology for a defined period of time, with compensating controls in place.
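The four steps above can be turned into a repeatable script. The following is an added example, not code from the original article: it takes a constructed asset inventory and a constructed end-of-support table (hostnames, dates and scoring weights are all assumptions for illustration; real data would come from your inventory tool, scanner findings and vendor lifecycle pages), flags the legacy systems, ranks them by a simple risk score that weighs PHI exposure, open critical findings and time out of support, and emits a POAM entry for each, including an explicit risk-acceptance entry for a kiosk that has no upgrade path.

```python
"""Identify legacy systems and build a risk-ranked POAM.

Added example, not from the original article. Inventory, end-of-support
dates and scoring weights are constructed for illustration.
"""
from datetime import date

# Constructed end-of-support table keyed by (os, version). In practice,
# populate this from the vendor's published lifecycle information.
END_OF_SUPPORT = {
    ("Windows", "7"): date(2020, 1, 14),
    ("Windows", "10"): date(2025, 10, 14),
    ("Windows Server", "2008 R2"): date(2020, 1, 14),
    ("Ubuntu", "18.04"): date(2023, 5, 31),
    ("Ubuntu", "20.04"): date(2025, 4, 30),
}

# Constructed asset inventory. 'phi' marks systems that hold or transmit
# protected health information; 'replaceable' is False for devices such as
# kiosks with no upgrade path; 'open_critical' is the count of unresolved
# critical findings from the last vulnerability scan.
INVENTORY = [
    {"host": "billing-01", "os": "Windows", "version": "7",
     "phi": True, "replaceable": True, "open_critical": 3},
    {"host": "emr-db-01", "os": "Windows Server", "version": "2008 R2",
     "phi": True, "replaceable": True, "open_critical": 5},
    {"host": "lobby-kiosk-02", "os": "Windows", "version": "7",
     "phi": False, "replaceable": False, "open_critical": 1},
    {"host": "intranet-web", "os": "Ubuntu", "version": "18.04",
     "phi": False, "replaceable": True, "open_critical": 0},
    {"host": "nurse-station-04", "os": "Windows", "version": "10",
     "phi": True, "replaceable": True, "open_critical": 0},
]


def is_legacy(asset, today):
    """A platform is legacy once its support date has passed. An unknown
    platform is treated as unsupported until someone proves otherwise."""
    eos = END_OF_SUPPORT.get((asset["os"], asset["version"]))
    return eos is None or eos <= today


def risk_score(asset, today):
    """Additive score (assumed weights): out-of-support status and years past
    end of support, PHI exposure, and open critical scanner findings."""
    score = 0
    if is_legacy(asset, today):
        score += 40
        eos = END_OF_SUPPORT.get((asset["os"], asset["version"]))
        if eos is not None:
            years_past = (today - eos).days // 365
            score += min(20, years_past * 10)
    if asset["phi"]:
        score += 30
    score += min(30, asset["open_critical"] * 10)
    return score


def build_poam(inventory, today):
    """Return POAM entries for every legacy asset, highest risk first."""
    plan = []
    for a in inventory:
        if not is_legacy(a, today):
            continue
        score = risk_score(a, today)
        if a["replaceable"]:
            action = "upgrade or migrate"
            due_days = 90 if score >= 70 else 180
        else:
            action = ("accept risk for a defined period with compensating "
                      "controls (network isolation, no PHI); revisit")
            due_days = 365
        plan.append({"host": a["host"], "risk": score,
                     "action": action, "due_days": due_days})
    plan.sort(key=lambda p: p["risk"], reverse=True)
    return plan


if __name__ == "__main__":
    for entry in build_poam(INVENTORY, date(2021, 8, 1)):
        print(f'{entry["host"]:18} risk={entry["risk"]:3}  '
              f'due in {entry["due_days"]:3} days: {entry["action"]}')
```

Run it on a schedule and diff the output against the previous run: a host that appears for the first time, or a milestone that has slipped, is exactly the item that belongs in the next leadership discussion. The unknown-platform rule is deliberate, because a device nobody can classify is usually the one nobody is patching.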
Addressing cyber-risk is not a once-a-year or one-and-done discussion. Leadership, department leaders and IT routinely should discuss the security risks inherent in the systems they use and have a defined process for addressing them.
3. Policies and procedures for data security
Compliance is key. In the earlier phishing scenario, I outlined an unintentional action by a well-intentioned employee that led to dire consequences. What could make this even more dire? Leaving yourself open to greater liability, and to denial of a liability insurance claim, if your organization cannot demonstrate processes and policies around such areas as staff cyber training and online behavior.
Creating policies addressing data security and online behavior is not an IT safeguard in the same way as blocking someone’s ability to download software on their laptop or applying content filtering software. But such policies can help drive employee behavior in areas of risk — and mitigate organizational liability.
Key policies include requiring cybersecurity and HIPAA…