A New Age for Cybersecurity Heightens the Risk for Senior Living

By Joanne Kaldy

We are more connected than ever before, and while this has made real-time communication and lightning-fast access to information a new norm, it also substantially increases the risk of falling victim to phishing attacks and other cybercrimes. With the growing dependence on technology comes greater responsibility to protect data and the people who use it.

“Hackers are getting more and more sophisticated and using more technology and phishing capabilities than we have ever seen before,” said Louis Hyman, chief technology officer at Patient Pattern. Most organizations have some policies and procedures related to cybersecurity, but it isn’t enough to implement these and put them on the shelf. Cybersecurity needs to be a top priority for everyone.

“While there is no foolproof solution for cybersecurity, assessing your current technology infrastructure is crucial,” said Nick Patel, president of ThriveWell Tech. He added that this assessment helps identify any vulnerabilities, weaknesses, or areas that need improvement in terms of security measures and helps you roadmap and prioritize strategies for the future.

New Generation of Tech Trends

Just as organizations have learned to plan for, prevent, and manage cybercrimes such as malware, ransomware, and phishing attacks, new threats are demanding attention.

According to a Deloitte survey, the average household has 25 connected devices. With a growing gig economy and more people pursuing remote or hybrid work, it is important to realize that people are using more of their devices for both work and personal use. This blurred line between work and home has made cybersecurity a 24/7 pursuit.

With more devices come more ways to get in and out of data. The proliferation of connected devices and technologies in recent years is referred to as the Internet of Things (IoT). This includes not only things like computers, tablets, phones, and fitness devices but also smart toasters, building alarm systems, and fitness collars for dogs. Currently, there are about 43 billion IoT devices in the world. While many of these things don’t store data, cybercriminals may use them as gateways to access information.

As building and community infrastructures, including electrical and HVAC systems, are part of the IoT, they become a potential line of attack. At the same time, said Alex Louderback, CEO of Bee Central, some senior living communities serve as the internet service provider for their residents. “If you take this on, you also take on the risks,” he said.

Artificial Intelligence (AI) can give cybercriminals a more effective weapon. They can create deepfake videos and messages that can fool people into thinking information is coming from a reliable source. This can make for new types of phishing attacks. AI also can be used to build more sophisticated malware. On the plus side, it is possible to create algorithms to train AI systems to detect malware and ransomware before they infiltrate a system.

In recent years, mobile devices and apps have put more people at risk of cyberattacks. At the same time, with more organizations using the cloud to store data, they need new security measures to prevent breaches and protect information on these platforms.

Senior Living as Target

According to Patel, the cybersecurity landscape for senior living communities has experienced significant changes in terms of threats and protective measures. He observed, “They have become attractive targets for cybercriminals due to the valuable personal health and financial information they possess.”

Ransomware attacks, where hackers hijack data and demand a ransom for it, have become more common. At the same time, phishing attacks and social engineering techniques, where cybercriminals trick people into revealing sensitive information, are additional concerns; and cybercriminals aren’t just using emails for their phishing expeditions. Text messages and even phone calls are sometimes involved.

“One of the biggest threats currently is bad operators,” said Louderback. They are coming from all directions and even alert, trained people can be tricked into giving access to them. Hyman said, “We are seeing sophisticated attacks using social engineering where someone will text or call with so much information that the victim feels confident that the caller or texter is verified.” These ‘bad actors’ will get information from LinkedIn and other online sources to seem knowledgeable and connected to their intended victims.

Building a Security-Savvy Organization

This all may seem overwhelming, but a strategic, proactive approach can help protect organizations and their customers. Patel said, “It may sound basic, but this all begins with the technology assessment.” This involves, he suggested, evaluating various aspects of the facility’s IT systems, including hardware, software, network architecture, data storage, and access controls. “The results of this assessment will provide valuable insights into the facility’s existing cybersecurity practices and highlight areas that need attention, along with suggested steps to mitigate them,” he said.

Based on the assessment’s findings, it will be possible to take steps needed to boost security measures. Patel said that these include implementing stronger access controls, updating outdated software, improving network security, or providing staff training on cybersecurity best practices.

Patel said, “By taking this proactive step, facilities can address potential vulnerabilities and reduce the risk of cyberattacks.” He added that having a documented assessment also can help when it is time to negotiate cybersecurity insurance rates by demonstrating the organization’s commitment to cybersecurity and risk reduction.

Hyman further suggested making sure that every piece of software the organization uses has either the appropriate security certification or the manufacturer or vendor has completed an approved assessment. It’s also vital, he said, to have detailed agreements with covered entities, contractors, business associates, and others that address cybersecurity and outline specific rules and requirements. It also may be useful to mandate that there be special anti-malware software on any device used in the facility or for facility business.

Locking Up Data

Because the range of potential attacks is so broad, said Louderback, it is important to ensure that any device your employees use – at work or at home – has the latest security updates installed. At the same time, implement two-step authentication for any device that touches the network. “If you don’t have these things enabled, you are putting yourself at risk,” said Louderback.

According to Patel, cybersecurity insurance has also become increasingly important for senior living organizations to protect themselves from the financial and reputational risks associated with cyberattacks. However, there has been a noticeable trend of insurance rates increasing in recent years.

“The constantly evolving nature of cyber risks makes it challenging for insurers to accurately assess and price the risk, leading to adjustments in insurance rates. Additionally, senior living communities have become specific targets for cybercriminals, increasing the likelihood of cyber incidents occurring and impacting insurance rates,” he said.

To address this, senior living operators should prioritize robust cybersecurity measures, such as regular security assessments, employee training, incident response planning, and thorough vendor evaluations. “Demonstrating a commitment to cybersecurity and risk reduction may help negotiate more favorable insurance rates. Seeking guidance from cybersecurity experts and insurance brokers who specialize in the senior living industry can assist in finding appropriate coverage at competitive rates,” Patel said.

The Long, Long Train

In the past, staff training mostly involved phishing tests, where the company sent out an email with a suspicious link to see if employees recognized and reported this attempted cyberattack. Today’s training should be interactive and hands-on and address the range of cybersecurity risks employees face.

“Make testing and training a regular part of work. Have people pose as bad actors trying to get into your system. For instance, have a caller see how much information they can get out of the front desk,” said Louderback. “Have a plan for what steps you will take for any type of cybersecurity attack – what you will do if and when something happens such as health records or personal information is leaked,” he added.

Key elements of this plan and staff training are the definition of a security breach, a description of what data is stored where, and how and how quickly you will notify stakeholders about the breach. It also is important, said Louderback, to classify data as low, moderate, or high alert. Low alert is data that is already public information, while high alert is information that is extremely private and sensitive.

“It is critical to have formal processes in place as the cybersecurity world gets more developed,” stressed Louderback. Currently, he noted, cybersecurity is sort of a “wild west.” However, legislation is in the works that will hold developers and sellers of technology liable for security issues.

While staff and others must be trained on processes to prevent cybercrime, Hyman said, “We all are only human, and people make mistakes.” Instead of penalizing someone for making a mistake that leads to a breach or other cybersecurity issue, they should be encouraged to report issues promptly. “The sooner they report it, the quicker it can be fixed,” Hyman said, adding, “If you are discouraging people from ‘see or do something, say something,’ you are creating a security situation.”

Training may not eliminate all errors, said Hyman, but people can be alerted to red flags to watch for, such as emails with poor spelling or grammar, suspicious URLs in email addresses, or texts or e-mails from someone you know that have a different tone or communication style than normal. “If I don’t recognize an email address or phone number, I will google it, and usually it’s a fake,” he said. It also may be possible to call a reliable source to validate a message. For instance, if you get an email from Best Buy claiming to be an invoice for a $500 Geek Squad service, you can call Best Buy directly to find out if this is a genuine e-mail or a scam. “Train your staff to step back and think before they react to a message,” Hyman said. If they do this, there is a good chance they will be able to identify scams.

Protecting Residents

More than ever, your residents are using devices, often as many as your employees are. Some of these individuals are more tech savvy than others, so it will be useful to offer training sessions for people of various levels of knowledge and expertise. Invite family members to these programs too, as they will use their own devices to communicate with residents.

“Promote technology good habits,” said Louderback, whether this is through monthly newsletters or training sessions, posters, or other platforms. “A lot of communities employ a resident tech helper or have IT ambassadors who are residents or volunteers,” he noted. Some have TV channels that they can use to broadcast educational or instructive programs about cybersecurity.

Hyman noted that there are fewer requirements for technology and devices that aren’t regulated and don’t fall under HIPAA. “We need to make sure everyone – residents, families, and staff alike – is very careful when they do things like download apps and enter personal health information. There is nothing to prevent people from hacking into this unregulated technology,” he said. He suggested cautioning residents about using apps, software, or other programs that come from any sources besides a provider, payor, or FDA-approved entity.

Cybersecurity Starts Before You Take on Tech

Ask all vendors of devices or technology how their products are secure and protected against cyberattacks. Talk about any and all risks with them and what they do to address them. Louderback said, “If cybersecurity isn’t on the forefront for them, it won’t be on the forefront for you. They should be able to describe their cybersecurity efforts in detail.”

Cybersecurity needs to be on your radar every day. “Every time a new device is introduced to the network, it needs to be audited immediately,” said Louderback.

Find the biggest expert in the room, either internally or outside the organization, to get a data audit done on a regular basis. Look at every point of attack or vulnerability for every bit of software and hardware your community uses and have a comprehensive map of every internal and external connection.