Enhancing Cybersecurity at Senior Living Organizations
Senior living organizations now offer a wider array of services enhanced by technological advances. Western Pennsylvania-based Concordia Lutheran Ministries, for example, offers services that include personal care, skilled nursing, short-term and outpatient rehabilitation, visiting nurses, hospice and more — with technology emerging as the common thread between these services.
But organizations should be cautious; anytime technology is involved, an organization must be aware of its risks as well as its rewards.
Staying Vigilant With Healthcare Cyberthreats
For senior living providers, safeguarding those under an organization’s care is not limited to physical well-being. It includes protecting patient private health and financial information — an overwhelming task if the facility isn’t prepared.
So, where should an organization start?
It’s important to remember that Rome wasn’t built in a day and a security program won’t be either. New threats arise daily; expect to stay vigilant on identifying and implementing new safeguards.
Security programs involve assets. Typical assets include hardware and software, but staff can also pose an issue. Implementing hard controls and stops for security can be rendered useless if one person doesn’t follow policies or clicks on a spam email, compromising the entire network.
How to Build a More Secure Health System
Resources that will assist in building a great security program include the following: National Institute of Standards and Technology, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Critical Security Controls. There is some overlap in these programs, but combined, they offer best practices for keeping your residents’ and patients’ personal health information secure.
First, start with knowing what you have:
- Hardware — computers, firewalls, switches, servers and wireless
- Software — hosted, purchased and created
- Network — setup and layout
Second, understand how your staff uses the hardware and software:
- Does the computer contain financial information to submit claims for reimbursement?
- What personal health information (PHI) is stored on the computer?
- Who uses the computer and where is it located?
Next, perform a risk assessment, determining risks by category — high, medium or low. It can be overwhelming, but simplify it as time goes on. Remember that a security program has no end, so focus on maturing it from year to year.
After you identify the risks, you need to implement controls to reduce or eliminate the threats. Always document risks and controls. Use hard-stop controls where possible. Examples include encrypting all computers and firewalls, as well as instituting automatic email encryption for key words associated with healthcare. Spam filters and anti-virus software are a must, and an organization can implement Absolute Device and Data Security products to secure laptops and tablets, safeguarding data.
Last, a healthcare organization’s IT department should be sure to create strategic policies and procedures. Never forget to test controls and train staff on security. Security is not a one-person program, it is a culture.
In my experience, it is best to help staff understand personal security risk and how to think before they click. By educating staff members on the personal risks of a cyberattack, the team will naturally be more aware at work. It is also helpful to use posters and newsletters from the SANS Institute’s Securing the Human website.
Last, educate your seniors on cybersecurity. As a security program matures, it is important to conduct phishing tests within a business or facility.