Five Cybersecurity Best Practices for Today’s Threats


Spending on IT, and particularly cybersecurity, has historically been a tough sell in the long-term care industry. But the risk level has changed in recent years. A spate of highly publicized data breaches and ransomware attacks in the health care sector overall has put long-term care operators – and their cybersecurity liability carriers – on high alert.

“A lot of these communities have old, outdated infrastructure. One of the things that’s been really great over the last couple of years that we’ve seen is, ownership groups and capital partners really investing in capital improvements to these communities,” reflects Gary Jones, vice president of growth – senior living, with vcpi, a DAS Health Company.

At the same time, both Pioneer Technology and DAS Health report that their clients have begun to face more stringent questioning from cybersecurity liability carriers. Joel Barnett, strategic partnerships manager with Pioneer Technology, says carriers’ risk assessment questionnaires have grown substantially in recent years.

“They’re getting more stringent and more strict on what they’re requiring. Before, they never used to ask these questions. It used to be a single page and now it’s two or three pages,” observes Barnett. Carriers are looking for very detailed answers describing multi-factor authentication, endpoint detection and response (EDR), file access management, and backup process, Barnett says.

Senior living operators that follow best practices will be better positioned to provide the answers carriers are looking for on renewal, say DAS Health and Pioneer Technology. Here are the best practices they recommend.

1. Technology Roadmap
Both DAS Health and Pioneer Technology agree that the single most important element of a cybersecurity strategy is a technology roadmap. A technology roadmap is a plan for investment in technology. It’s a strategic document that lays out a plan for achieving an organization’s business goals while balancing them with its capital priorities.

Aaron Barthle, chief information officer and senior VP with Pioneer Technology, says the technology roadmap should be informed by how IT can be a catalyst for growth, and not just another expense. “Where does the business want to be and how can technology help and enable that and how can it accomplish the needs of the business? Having that strategic roadmap is key. If you don’t have a destination charted, you don’t know where to go and you don’t know where you’re going to end up,” comments Barthle.

“All too often, [the technology roadmap] gets overlooked when it comes to long term care, because it’s just an expense,” Barthle continues. “But at the same time, you are safeguarding the lives and the care and the welfare of residents and families and their personal information. It’s really not an area that you want to consider last. If we have to spread out spend for cybersecurity – or if we have to spread out spend for anything really – let’s do that, but let’s put it on a plan and let’s plan accordingly.”

2. Assessments
“One of the first things we want to do in our technology journey is assess what the current environment looks like,” says Jones, noting that assessments can look at HIPAA procedures or can be a technical audit. “Doing some kind of assessment or audit is going to give you a baseline understanding of what things look like today,” says Jones.

“It’s critical and sometimes required. So completing one is going to be important and then, whether it’s a risk assessment or technical security audit, it’s going to give you the important things that you need to focus on as an organization,” Jones says, “and help drive whatever that roadmap looks like from a security perspective.”

Some of the most common findings of these assessments include governance practice, “areas of opportunity where they’re not doing a good job of defining roles and access to systems. It’s really critical, really important,” Jones says.

An assessment should also look at employee access to training resources, policies and procedures, documentation, and the records necessary to attest to training.

3. Cover (All) the Bases – Especially Email
“We put in cyber security controls at every level that we can,” says Barthle. “This includes at the network level, on the e-mail system, and on devices connected to the network or email. These highly effective technologies operate seamlessly in the background, allowing workers to do their jobs.”

Email is a particular threat, Barthle says, pointing to emerging technologies like artificial intelligence (AI) and large language models. Although there are many beneficial uses of these technologies, nefarious email messages that leverage them can be very difficult for humans to spot. However, when robust spam filters also leverage these technologies, they can be a highly effective first line of defense against a range of email scams.

AI-driven cybersecurity software is faster, more consistent, and often more discerning than well-trained employees at identifying risky emails. It looks at the tone, tenor and context of messages to assess whether the communication fits the usual pattern of messages between individuals.

Thwarting email threats is important, says Barthle, because AI “learns” from consuming massive amounts of data. While some threats seek to do immediate, large-scale harm, others are more subtle. For example, a bad actor may gain access to a tranche of emails from an executive, giving the AI engine more data on the executive’s usual tone and word choices in email. This data could be used to improve an AI engine’s ability to send even more convincing phony emails in the future.

4. Segment Networks
“Senior living is a unique environment because of the operational needs, but also the hospitality needs,” observes Barnett. Today, he says, residents bring a range of internet-connected devices when they enter senior living. These may include Roku or AppleTV streaming media players, Amazon Alexa-enabled devices, and other smart devices.

As a best practice, the Pioneer team advises its clients to segment staff and guest networks to prevent an attack on one system from causing a problem for both residents and staff.

5. Find a Trusted Partner
For operators who know cybersecurity is important but feel it’s impossible to stay ahead of emerging risks, Barnett offers some advice: “There are a lot of things that are going on out there, and it’s hard to keep up with,” he concedes. He says that’s precisely why senior living operators should find an IT consulting firm they can trust to “be that bench strength” that senior living operators need to navigate the cybersecurity landscape.

An outside IT firm has deep expertise. Their job is to stay current on emerging threats and the most successful strategies to thwart them. “Having those relationships that you trust, they’re going to keep you front of mind. It just adds to your knowledge base for your team,” he says.

Follow the Leaders
Owner-operators with a do-it-yourself mindset could also engage with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0, advises Jones, vice president of growth – senior living, with vcpi, a DAS Health Company.

The framework is a suite of resources designed to help organizations achieve their cybersecurity goals. Jones says this framework is ubiquitous. His firm uses it, as do many others, he says.

It is organized by six functions that, together, represent a comprehensive system for managing cybersecurity risk:
• Govern
• Identify
• Protect
• Detect
• Respond
• Recover
For more information on the NIST framework, visit https://www.nist.gov/cyberframework.