Security

Pillars of Successful Cybersecurity for Senior Care Organizations

Education and communication form the core of any organization’s security strategy.

Twitter

Mitze Amoroso is the senior vice president and CIO for ArchCare, a continuing care community based in New York.

The senior care industry’s unique qualities add challenges to cybersecurity. Care facilities are generally small operations, with modest budgets and staff sizes. This can make it difficult to devote resources to fighting cyberthreats. Further, government regulations such as HIPAA and the HITECH Act, while providing security guidelines, can put a strain on resources.

With these challenges in mind, senior care organizations must create and implement an effective IT security strategy to ensure their compliance with regulations as well as the safety of patients and staff. Education and communication must be at the core of any organization’s cybersecurity strategy.

Implementing an effective strategy is difficult — and especially challenging on a shoestring budget. Even at organizations that deploy a robust security system, users sometimes complain that they can’t do their jobs effectively and try to find ways to get around security policies.

Another common complaint is that strong security stifles innovation. Organizations want to be innovative, and they want to use the latest technology. But new technology can introduce new risks to the environment, especially with the implementation of IoT devices. Organizations that experience rapid progress and expansion often face serious challenges as they strive to mitigate risk through security measures.

Security Is a Universal Responsibility

Many security experts agree that users typically are the weakest link in this chain. Unfortunately, no software or hardware will prevent a user from inadvertently falling victim to a phishing attack and releasing sensitive information. Each user must understand the importance of security and the significance of his or her role in an organization’s security program.

It’s a common misconception that cybersecurity is solely an IT responsibility. In fact, security is everyone’s responsibility, so establishing an accountability framework for everyone is essential. A good first step is to include cybersecurity as a core competency on every job description. Organizations can build on this by including cybersecurity and compliance as part of employees’ annual reviews.

Follow the Steps to Effective Communication

What’s the best way to establish a culture of education and communication? IT leaders should start by taking every opportunity to discuss IT security in department meetings, system meetings and newsletters. They should set a foundation for accountability and educate users on expectations during initial employee orientation. Organizations should use compliance reports to support these expectations.

For example, if every user is required to watch a security video once a month, the organization should run compliance reports to make sure that this occurs. Technology tips sent via email provide a quick, inexpensive, consistent way to get the message out. If users feel that the message could help them in their personal life, they tend to listen.

It’s a common misconception that cybersecurity is solely an IT responsibility. In fact, security is everyone’s responsibility.”

Mitze Amoroso Senior Vice President and CIO, ArchCare

The next step is to test users by sending out simulated phishing attempts so that they recognize the warning signs of malicious email messages. Publishing the results of these simulations can further users’ understanding and awareness.

Get Help from Security Experts

Given the size of the cybersecurity obstacles they face and the comprehensive approach required to meet the challenge, it’s no wonder that many small organizations turn to outside assistance and resources to support their security strategy. In fact, some organizations rely on a partner to create the strategy for them. To make the best use of third-party vendors, IT leaders should consider several key factors of their security posture (each should have a corresponding policy or procedure that is reviewed at least once a year):

Are the operating systems for core devices — firewalls, routers, switches, spam filters, web filters, computers and printers — still supported? If not, IT staff should create a plan to replace these devices.
Does the organization have a patching plan? Many cybercriminals take advantage of unpatched and unsupported devices.
What is the backup plan? There’s nothing worse than receiving a ransomware threat and then finding that offsite backup has failed. Backups should be tested regularly.
Is the anti-virus solution updated with the latest virus definitions? Hardware should be checked monthly to ensure that anti-virus tools are updated regularly. Users should be unable to disable anti-virus on their machines.
What is the password policy? Does it include a minimum of eight complex characters? Are users required to change their passwords regularly? Are administrator credentials limited and separate from common user credentials? Are printers protected by complex passwords?
Does the organization deploy role-based security? Users should have access to only the tools and data they need to do their jobs. Supervisors should be aware of what users have access to, and the access should be reviewed annually or when a change of title or position occurs.
Do third-party vendors have access to systems? If so, what is known about these partners? What are their security practices? Have they experienced a data breach? Smart IT leaders will develop a third-party questionnaire that partners must fill out annually.
Has a risk assessment been conducted by an outside partner? Has the organization acted on the findings? Does it conduct vulnerability assessments or penetration tests to find security weaknesses?
What is the organization’s mobile strategy? Are devices encrypted? Is BYOD allowed?
Does the organization have an incident response plan? Does it involve all departments, escalations and how to reach outside assistance? Has it been tested? In the middle of an incident, this information is difficult to obtain.
Does the organization have adequate cyber insurance? Do its business partners? Savvy IT leaders review their contracts routinely and include language that requires cyber insurance in all new deals.
Does the organization regularly review its logs for anomalies?

Cybersecurity is an enormous uphill climb that never ends. While the IT department is an instrumental asset in making this ascent, the entire organization must be proactive to protect healthcare data. By embedding education, communication and adoption into the daily routine, senior care organizations will establish the foundation upon which a robust security system can be built.

Liana Monica Bordei/Getty Images