Sep 22 2025
Security

Securing the Connected Ecosystem of Senior Care

Post-acute and senior care organizations must prioritize cyber resilience and improve training and education to ensure operational success.

A number of cyber incidents that have affected health systems in recent years have also disrupted post-acute and senior care organizations.

During the 2025 Healthcare Information and Management Systems Society global conference and expo in Las Vegas, some senior care leaders shared their experiences from last year’s Change Healthcare attack.

Riverdale, N.Y.-based RiverSpring Living CIO David Finkelstein said that his organization used an electronic health record system vendor that relied on Change Healthcare for claims submissions. Due to the attack, it had to return to manual processes, affecting cash flow for at least a month.

Those kinds of disruptions can put organizations already operating on thin margins at serious business risk, which is why improving cyber resilience is imperative.

Additionally, senior care organizations have residents who are the most vulnerable to cyber-related scams. According to the Federal Trade Commission, the number of reports from older adults who lost $10,000 or more to scams targeting their financial security has increased fourfold from 2020 to 2024.

That’s why understanding the current security landscape, adopting increasingly resilient strategies and improving education and training can help organizations face increasingly sophisticated cyberthreats, especially with the growth of artificial intelligence.

The Current Landscape for Post-Acute and Senior Care Organizations

Post-acute and senior care organizations vary widely in their cyber readiness: Some may be in the early stages of adoption, while others (possibly because they’ve experienced a cyber event of their own) have significantly strengthened their posture.

Part of the patchiness in updated security strategies may come from a lack of specialized internal resources, especially if an organization does not have the budget or the bandwidth to have an in-house security team stay on top of an ever-evolving regulatory environment.

During that same 2025 HIMSS session, Robert “Bob” Latz, CIO at St. Clairsville, Ohio-based Trinity Rehab Services, emphasized the intense competition for talent.

“I do think it’s a big deal when we’re talking about the post-acute care sector, and you’re trying to hire somebody for a cyber role, and a hospital that’s maybe 20 to 30 minutes away is also looking for somebody for cyber,” Latz said. “It changes the marketplace a bit.”

Finkelstein said that RiverSpring Living initially added an in-house cybersecurity role, which had regular turnover. After several years, the organization switched to a managed security service provider that offered around-the-clock monitoring.

Overall, organizations are starting to understand what they can and cannot handle. They are making an effort to strengthen their foundational systems and simplify their environments to be as manageable as possible. They are also identifying how gaps can be filled through partnerships, which may be even more cost-effective.

The Importance of Third-Party Risk Management

Previously, most IT outages stemmed from factors that an organization could address: a failed piece of network hardware or a weak internet connection. As key processes become more dependent on interoperability and the exchange of data, organizations need to be more prepared for risks that can happen outside of their control.

Third-party risk management is increasingly becoming a cornerstone of cybersecurity strategy, as the impacts of an outage can be not only technical but also operational. For instance, an outage could impact the revenue cycle, disrupting billing, which could have a long-lasting impact on an organization’s financial health.

Clinical resiliency is paramount; caregivers must have downtime procedures in place in the event a critical application goes offline. Does an organization have contingency plans should a system go offline for an hour, a day or even a week? That’s the level of preparedness organizations should strive for, especially in such interconnected environments.

Security Training and Education for Staff and Residents

The FTC reports that scammers often impersonate legitimate businesses and agencies, such as banks, tech providers or the Social Security Administration. The most common initial contact method is through a phone call; the second- and third-most common methods are online or pop-up ads and email.

Education and training for residents and staff need to adapt to the times, especially as malicious actors rely on generative AI tools to boost their phishing attempts. This can be challenging for post-acute and senior care organizations as they may have limited visibility to protect residents’ online access.

This article is part of HealthTech’s MonITor blog series.
