Security

Boost Cybersecurity Measures to Protect Senior Care Residents and Staff

Robust defenses and education for everyone can foster a culture of shared vigilance.

Kevin Joy is the managing editor of HealthTech. He previously worked in content marketing for a major university health system and as a features reporter for the Columbus Dispatch.

As the senior care industry adapts to COVID-19, new tools and technologies are engaging older adults and putting them in touch with the outside world. The devices and connectivity can also protect caregivers and address staffing shortages.

Momentum was building before the pandemic: Recent survey data from AARP finds consumers over 50 are helping fuel the demand for smart home technology. Fifty-three percent of respondents say they would prefer to have their healthcare needs managed by a mix of medical staff and healthcare technology.

That’s the good news.

The ongoing shift also heightens the risk for cyberthreats that can disrupt critical operations and expose personal information.

In addition to managing residents’ physical safety, care providers “are responsible for handling and protecting a lot of personal data,” Katie Smith Sloan, president of LeadingAge, an association of nonprofit providers of aging services, tells HealthTech. “You want to make sure you’re not in a situation where you can be easily hacked or easily spammed.”

The financial toll can be devastating. Cybercriminals steal nearly $40 billion each year from seniors, according to Bloomberg, and healthcare organizations continue to have the highest costs associated with data breaches.

Cybersecurity Risks Are Common in Senior Living Communities

Most senior care residences understand the need for protection. After all, they’re required to follow HIPAA protocols to protect sensitive health information — a duty that can incur costly fines if that data is exposed or poached.

Sill, “providers in the aging services sector are, by some assessments, less prepared in this area than their acute-care counterparts,” Majd Alwan, director of the LeadingAge Center for Aging Services Technology (CAST), told McKnight’s Long-Term Care News. “So, understanding the issues, identifying vulnerabilities and taking actions as necessary to mitigate risk and avoid being a victim is crucial.”

Moreover, senior care communities are increasingly among the healthcare providers favored by hackers in search of vulnerable targets during the pandemic, panelists at a HIMSS webinar noted this summer.

These risks come in many forms. It could be a spam link in an innocent sounding email, an entry point via outdated software, a lost or stolen device, or a scammer posing as a friendly face on social media. The growing use of smart speakers in senior living introduces new risks, including issues of HIPAA compliance.

Staffwide cybersecurity training is important for all healthcare workers. In the case of senior care, however, it’s essential to educate the older adults accessing a building’s network and using devices that may be less familiar to them.

That audience is growing: Nearly 3 in 4 adults age 65 or older now use the internet, and their screen time has risen in the past decade, the Pew Research Center finds.

The FBI offers tips for older adults to stay safe while online. Among them:

Do not communicate with or open email attachments from an unfamiliar source
Never giver personally identifiable information or money to unverified parties
Disconnect from the internet and shut down the device if you see a pop-up message or locked screen (a pop-up blocker can be enabled)
Avoid the pressure to respond to offers that seem urgent or fear-based
Keep anti-virus and security software and malware protections up to date

“Security is not a one-person program, it is a culture,” Meridith McGinnis, the IT director and security officer at Concordia Lutheran Ministries, told HealthTech.

Cybersecurity Best Practices in Senior Living

Beyond educating residents and staff, senior care communities must also take steps to protect their infrastructures and devices.

A LeadingAge CAST white paper offers advice for providers on understanding and mitigating cyberattacks, including these key recommendations:

Develop a security strategy. Regularly review and refine your risk management program. The approach must balance people and technology and should involve proven network and physical security standards, a range of network monitoring and mobility management tools, and a thorough vetting process for third-party vendors.
Identify your weaknesses. Government regulations often require system audits, vulnerability scans and application penetration testing (which involves hiring an “ethical hacker” to attempt a breach). Uncovering potential problems isn’t a bad thing; organizations can then seek out mitigating controls to remove or reduce that vulnerability.
Strengthen your infrastructure. Understand how tools such as next-generation firewalls, network access control, email filtering, cloud anti-virus software, updated endpoint management systems and a disaster recovery solution can help. Consider hiring a CISO, or partner with a managed services provider.
Put details in writing. Publish and communicate security procedures, including password best practices and a clear BYOD policy. Be sure the HIPAA-compliant protocol includes staff training and documentation of implementation. When adding new tools (such as smart speakers), map out in detail how and where they’ll be used.
Monitor device activity. Internet of Things tools offer potential — and challenges. A log and event monitoring system or a security information and event management system can detect network events early and identify abnormal behavior. Network segmentation and limiting a device’s functions can stop high-risk activity.
Prepare your response plan. In the event of a breach, what will your teams do? Are residents trained to tell staff about a suspicious event? Beyond having mitigation plans ready, it’s important to know where to report the incident (the Department of Health and Human Services has an infographic with advice for HIPAA-covered organizations).