Now more than ever, security must permeate healthcare and senior care organizations. At the latter, in particular, it’s especially important for all staff — whether it’s those focused primarily on IT, frontline caregivers or executive leadership — to not only buy in, but also understand how their actions impact an organization and its residents, said Jennifer Griveas, chief human resources officer and general counsel for The Eliza Jennings Senior Care Network in Olmsted Township, Ohio.
“That’s something that has to be integrated into what you do,” Griveas told HealthTech Tuesday at the LeadingAge 2018 conference in Philadelphia. “If you don’t have your frontline staff knowledgeable about what threats are, there’s your biggest threat right there. While there’s a lot of great technology out there that can be implemented and can help you from a security perspective, if you’re not paying attention to that low-hanging fruit of training staff, you’re really harming yourself.”
Michael Gray, director of IT at Eliza Jennings, agreed, but said security can’t be approached as a one-size-fits-all effort. While some organizations are large, multisite entities that can afford to hire dedicated security professionals, there are also many single-site organizations in rural areas that don’t have the same resources, be it staff or financial or otherwise, to invest in a state-of-the-art, next-generation solution.
“And even if you have that system in place, if someone leaves the door open, someone else could walk right in,” he said. “The staff has to know what to look out for.”
Common Hurdles Include Regulatory Compliance and Increased Access
When determining which strategy is right, one common hurdle senior care organizations must take into consideration is regulatory compliance. Entities must worry about both HIPAA and the Centers for Medicare & Medicaid Services’ Conditions of Participation, the latter of which, Griveas said, were recently revised and could impact CMS star ratings.
Another common theme across the industry is the rapid move to use mobile technologies. Organizations both large and small are adopting mobile solutions, making a quick focus on mobile security that much more critical, Griveas said.
“Everyone now has a computer on them at all times,” she said. “It’s a continuous struggle on the care floor with people and their personal devices. All organizations need to know what they have, what they deploy and how they control it.”
Griveas added that a lot of these concerns can be controlled with a policy on paper. “You need rules in place and to enforce those rules,” she said. “It’s that simple.”
Don’t Overlook the Impact of Residents
The residents themselves are another factor in security that senior care organizations cannot afford to overlook. To that end, organizations would be wise to conduct access audits, Gray said.
“Take a look at how things are set up,” he said. “If you don’t have an internal IT department or a resource that you work with who has knowledge of that base, really look at your infrastructure and your network. Take inventory of everything you have, what people are doing, what they have access to, and adjust it to best practice.”
From a technical standpoint, Gray said, segmentation is a good strategy.
“I think the notion that residents who are using the network at a facility would be on the same network as the business is horrifying to an organization, but it happens all the time,” he said. “There are definitely organizations where the residents are traversing the same network as staff. And while residents might not have access to a certain file or folder, there’s potential that they could unintentionally do damage to the business side.”
From a knowledge standpoint, training residents early and often about looming dangers and how to spot potential traps is key, Griveas said. It’s naive, she said, to think that residents don’t touch computers.
“Our residents come in all phases of care, and they want Wi-Fi, and they have tablets and phones, and they expect to be texting and to have this capability,” Griveas said. “Organization need to be prepared to provide them with the services they’re asking for but do it in a way that’s secure and that they understand.”
To the latter point, Gray said that when he trains residents, he asks them about emails or phone calls they might receive and how to spot potential scams. For instance, phone calls from Microsoft that purport to be legitimate are not.
“It’s a lot of information to cram in, but I would say that we get a really substantial turnout,” he said. “I think they really appreciate the training.”
Likewise, Griveas said residents have been very engaged at their sessions.
“They really have been very interested,” she said. “They come with great questions, sometimes more sophisticated than a lot of people expect of older adults. That’s something that people are a little slow to understand, that older adults are very tech savvy now.”
Keep this page bookmarked for articles from the event. Follow us on Twitter @CDW_Healthcare, or the official LeadingAge Twitter account, @LeadingAge, and join the conversation using the hashtag #LeadingAge18.