Security

LeadingAge23: Why Senior Care Orgs Need to Prioritize Employee Security Training

Aging-services providers handle a lot of sensitive data, so continuous staff security training is crucial.

Teta Alim is the managing editor of HealthTech. Teta previously worked as a digital journalist in Washington, D.C.

Not only do healthcare IT teams have to keep an eye on potential threats from outside their organizations, but they also need to stay on top of possible risks from within.

When it comes to data loss and exfiltration, for instance, malicious insiders are the No. 1 reason behind such instances, according to a recent report from Proofpoint and the Ponemon Institute. And, 47 percent of respondents said that they are very concerned that staff don’t understand the sensitivity and confidentiality of data they share through email.

Leaders of Ohio-based aging-services provider Eliza Jennings talked about critical security areas to target for staff training at senior care organizations during a session at the LeadingAge 2023 Annual Meeting and Expo in Chicago.

Vice President and Chief Legal Officer Jennifer Griveas and Vice President of IT Michael Gray discussed the importance of employee education, the need for security risk assessments and how the fluctuating workforce landscape impacts an organization’s safeguards at the “Tackling Technology-Related Risks with Targeted Training” session.

Click below to gain access to exclusive HealthTech content from LeadingAge and beyond.

Why Employee Training Is Key for Stronger Security

Healthcare organizations, including aging-services providers, handle a lot of valuable data that cybercriminals would like to access.

“We know that there are people out there trying to get our data and developing ways to break into our systems,” Gray said. “You can have the best security system, but if you leave the door unlocked, someone can just walk in. Oftentimes, our defenses are pointed outward, and we're not looking inward.”

He stressed the importance of developing a strong employee training program to improve an organization’s cybersecurity posture, especially as business email compromise and ransomware remain top threats. It only takes one careless moment or mistake for malicious actors to gain access.

Phishing techniques are becoming more sophisticated as cybercriminals conduct detailed research on employees outside an organization’s C-suite, Gray added. The use of artificial intelligence–powered tools to better target phishing attempts is a growing concern.

And previous ransomware victims run the risk of becoming repeat targets, he said, because malicious actors have already identified their weak defenses.

What are the top #security issues senior care organizations should focus on for 2024? @ElizaJennings leaders share their #HealthIT insights at #LeadingAge23: pic.twitter.com/Mi7UvDtDu1

— HealthTech Magazine is 🔜 to #LeadingAge23 (@HealthTechMag) November 7, 2023

That’s why conducting regular security risk assessments is a major step toward better security, Griveas said.

“A good security risk analysis isn't supertechnical,” she added. “It really is, do we know what we have? We need a device inventory. We know what's out there. We know what our policies are. Do we have encryption to protect our devices, our email communication? Getting your mind around that and understanding what you have is superimportant to be able to lay the foundation to actually train people.”

Having an extensive understanding of your environment is necessary, Griveas said, because organizations should operate on a “when, not if” assumption about the potential for cyberattacks.

“One of the elements that is just critical to training — especially leadership, governing bodies — is understanding what our obligations are under the law as it pertains to our technology and mitigating the risks; but also, how we can use good cyber hygiene to provide ourselves defenses if things do go wrong,” Griveas said.

She also stressed the importance of having a compliance program, which long-term care may not be as diligent about compared with other healthcare organizations.

Experts from Eliza Jennings outline the key areas of focus for organizationwide training.

Why Current Workforce Trends Poses Security Risks

As senior care organizations rely increasingly on teams of temporary workers across departments, they need better management of temporary credentials, which should be monitored and deactivated as soon as an employee no longer works for the organization. Universal login credentials may be useful for efficiency, but they’re not ideal from a security standpoint.

Training and management should also include the physical security of communities and healthcare facilities, where temporary maintenance workers, for instance, could be given a set of keys that aren’t returned after their work is done. “I think that we get a little complacent a lot of times with keys and access, especially with offboarding employees, making sure the keys are collected and we're documenting. So, include them in the training as well,” Gray said.

“#DataSecurity and #privacy is for every single discipline. It's not just for #IT." Well said, from @ElizaJennings leaders at #LeadingAge23 📝 pic.twitter.com/rHGmIV9OuG

— HealthTech Magazine is 🔜 to #LeadingAge23 (@HealthTechMag) November 7, 2023

Access management needs to include access to brick-and-mortar spaces as well. “Physical security is a very important part of the HIPAA Security Rule, and it's not technical at all. It's, where are you putting stuff, and are you locking the door? So, training on this isn't difficult —it’s literally, this door has to be locked at all times,” Griveas said.

Ultimately, stronger organizational security requires all critical stakeholders — including the IT department — to communicate with each other.

“A lot of times, the person with the most knowledge of the risks, how to handle the risks — have we made policies and the operational decisions that are related to those risks in the correct way? — that person is not at the table. So, that information never flows through to the rest of the company and all of the end users who need to have critical information,” Griveas said. “Please love your IT people. I don't care if you employ them or contract for them.”

Keep this page bookmarked for our coverage of the 2023 LeadingAge Annual Meeting and EXPO, taking place Nov. 5-8 in Chicago. Follow us on X (formerly Twitter) at @HealthTechMag and join the conversation at #LeadingAge23.