
Nov 05 2024
Security

LeadingAge24: How Can Senior Care Organizations Protect Themselves from Hackers?

It’s crucial for senior living and post-acute care organizations to create a security culture in addition to having the right technology controls in place to boost cybersecurity.

The cost of a data breach is highest for organizations in the healthcare industry, with the average cost of a breach at $9.77 million in 2024, according to IBM’s latest Cost of a Data Breach report. Phishing and stolen or compromised credentials were the two most common attack vectors this year.

This aligns with a finding from Verizon’s 2023 Data Breach Investigations Report: Nearly three-fourths of all data breaches involve a human element, whether that’s an error, privilege misuse, credential theft or social engineering (techniques used by a bad actor to convince a person to provide information or click a link).

“If you think about what that means, the technology you put in place isn’t what’s going to protect you; it’s the people who are behind those screens, and that’s who you need to focus on,” said Travis Gleinig, vice president and CIO at New Jersey-based United Methodist Communities, at the LeadingAge Annual Meeting in Nashville, Tenn.

During a session on cybersecurity for the aging-services industry, senior care and security experts discussed the ways organizations get hacked and what they can do to better protect patients, residents and businesses from evolving cyberthreats.


Senior Care Leaders Should Be Aware of Common Vulnerabilities

In addition to phishing and stolen or compromised credentials, other notable causes of data breaches include misconfiguration, business email compromise, zero-day vulnerabilities, unpatched known vulnerabilities and malicious insiders. And while malicious insiders account for only a small percentage of attack vectors (7%, according to the IBM report), it is the costliest form of attack, with an average cost of $4.99 million.

Organizations are especially vulnerable when they don’t prioritize staff training, said Steven VanderVelde, director of senior living partnerships at ProviNET Solutions. He explained that many organizations simply give up when faced with artificial intelligence-powered social engineering campaigns. Others lack phishing awareness or incident reporting altogether, which adds to a culture of vulnerability.

“The mindset of ‘it’s going to happen anyway’ or ‘it’s not my responsibility’ is something we see a lot,” he said.

Gleinig added that if staff aren’t aware of the types of threats they’re facing, then it will be hard for an organization to identify those threats and mitigate them.

AI-generated phishing emails remove the language barrier for bad actors and rapidly increase the speed at which they can draft and send phishing attempts. When an employee clicks the link in one of these emails, they may be taken to an AI-generated site that looks professional and legitimate. AI can also be used to generate deepfakes as part of a social engineering exploit to get people to send money or hand over credentials.


“AI technology is so accessible that you don’t have to be a computer whiz to use deepfake tools,” said VanderVelde. “It’s scary to think about how accessible this is.”

John DiMaggio, CEO at BlueOrange Compliance, a company that provides ethical hacking services, explained that most attacks are financially motivated, while others are focused on gaining access to sensitive information. Bad actors do this by getting an employee to give them their password, guessing a password, finding a password on the dark web, or taking advantage of system configuration settings. Hackers are also aware of which known vulnerabilities don’t yet have patches available and how to take advantage of those weak spots.

Once they are in a senior care organization’s network, they can gain domain admin — an automatically created security group in Active Directory that is like a master key to a house — and traverse the network to reach valuable data or to plant ransomware.

“One stat I’ve encountered in my career is 90%, which is the percentage of times that white-hat hackers get domain admin,” said DiMaggio. “It’s easy to do, so make sure your defenses are up.”

“Remember, that’s also 90% of people who actually decide to do a penetration test,” added Gleinig.
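Because the Domain Admins group is the “master key” the speakers describe, one of the first defensive checks an organization can run is to see who actually holds it. The following PowerShell audit is an added example, not code from the session or the article; it assumes the ActiveDirectory RSAT module, read access to the directory, and a 90-day review threshold chosen for illustration.

```powershell
# Added example: list the effective (nested) membership of Domain Admins and
# flag accounts that deserve a second look. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$StaleDays = 90        # assumed review threshold, not from the article
$Now       = Get-Date

# -Recursive expands nested groups, so accounts that inherit the right
# indirectly (a common blind spot) are included in the audit.
$members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$report = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.distinguishedName `
            -Properties Enabled, LastLogonDate, PasswordLastSet, PasswordNeverExpires

    $flags = @()
    if (-not $u.Enabled) { $flags += 'disabled-but-still-admin' }
    if ($u.PasswordNeverExpires) { $flags += 'password-never-expires' }
    if ($u.PasswordLastSet -and ($Now - $u.PasswordLastSet).Days -gt $StaleDays) {
        $flags += "password-older-than-$StaleDays-days"
    }
    if (-not $u.LastLogonDate -or ($Now - $u.LastLogonDate).Days -gt $StaleDays) {
        $flags += 'no-recent-logon'   # unused privileged accounts should be removed
    }

    [pscustomobject]@{
        Account         = $u.SamAccountName
        Enabled         = $u.Enabled
        LastLogon       = $u.LastLogonDate
        PasswordLastSet = $u.PasswordLastSet
        Flags           = ($flags -join ',')
    }
}

"Effective Domain Admins members: $(@($report).Count)"
$report | Sort-Object Flags -Descending | Format-Table -AutoSize
```

Every flagged row is a membership to justify or remove; a short list with no flags is the goal, since fewer keys means fewer ways for an intruder to reach the “90%” outcome DiMaggio describes.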


How to Better Protect Senior Care Organizations from Cyberthreats

A big part of preventing cyberthreats comes down to creating a culture of security and implementing best practices, such as not using shared drives, not sending important information to a personal email account, not sharing login credentials, and avoiding nonsecure bring-your-own-device policies and weak password policies. Gleinig told the audience that employees shouldn’t be using the same passwords at work that they’re using at home.

He also warned senior care professionals against leaving medical records or other sensitive information up on a computer screen that’s visible from a doorway or window.

“There are things we see and accept in a senior living setting that if seen in an acute setting would end up with a lawsuit,” said Gleinig. “We have to have the same exact mentality as acute-care organizations because we’re held to the same standard. Just because we’re in a tiny community bubble doesn’t mean there aren’t people who shouldn’t have access to that information.”

Organizations should create a culture where anyone can report anything. Gleinig said that the sooner people report a suspicious email, or that they clicked on a suspicious link, the better. He also emphasized the importance of continuous education about how each role can engage in cybersecurity. DiMaggio added that the finance team should receive specialized training, since its role involves handling money.

DiMaggio also suggested that senior care organizations do all the penetration testing they can to identify vulnerabilities, remediate and make it harder for bad guys to enter their environment.

“Also, be prepared for the worst with incident response and disaster recovery plans,” he said. “Those are things you can do today.”

VanderVelde pointed out that data breach costs are rising for companies with fewer than 500 employees, and those costs go beyond paying increasingly higher ransoms. Remediation costs, legal costs, lost revenue from downtime, credit and identity protection services, government fines and loss of existing customers due to reputational damage are all costs senior care organizations pay when they are the target of a successful attack.


The cost for cyber insurance is also on the rise, which has led to a growing need for communication between IT and an organization’s leadership. VanderVelde said that the CFO is usually the one filling out forms for cyber insurance, and if they’re not familiar with the security controls in place, they could report that the organization uses multifactor authentication when it doesn’t. The result could be that the insurance company doesn’t pay out in the event of a cyberattack.

Another critical best practice: IT teams must effectively communicate to leadership the trade-off between security and productivity. Gleinig said that an organization could have the most secure network possible, but with all of those security controls in place, it might be hard for people to get work done. In every industry, there is a balance that organizations need to strike between protecting their assets and ensuring efficient workflows. That’s where tools such as single sign-on come in.

DiMaggio added that leadership should be aware of the organization’s risk tolerance in order to make informed decisions related to cybersecurity.
