
Nov 06 2025
Security

LeadingAge 2025: Securing a Vulnerable Industry Amid Emerging Threats

What baseline measures can senior care organizations take to improve data security? Industry leaders share their perspectives.

Many of the cyberattacks and data breaches that make major headlines tend to highlight the impact on traditional healthcare providers, but senior care organizations get targeted as well.

In 2024, one New York-based senior care organization reported that unauthorized system access had potentially compromised the data of more than 104,000 people. And, according to a Wall Street Journal report, a Southern California-based senior care organization took months to notify more than 26,000 people of a 2023 data breach.

That’s why data security and compliance were top of mind for speakers at the 2025 LeadingAge Annual Meeting in Boston, especially for the leaders at Ohio-based senior care organization Eliza Jennings, who regularly discuss these topics at the annual conference.


Vice President and Chief Legal Officer Jennifer Griveas stressed the importance of an updated HIPAA security rule risk analysis. Organizations often overlook this essential foundation for protecting sensitive data.

“Step one: If you have not done a HIPAA security rule risk analysis, you must do a HIPAA security rule risk analysis,” Griveas said.

She said that many of the penalties issued by the U.S. Department of Health and Human Services’ Office for Civil Rights to healthcare providers that experienced a breach were often due to a lack of that specific risk analysis.

Smaller organizations may be able to complete one themselves using freely available resources, but a partnership may be useful for those without dedicated IT security staff or for departments already stretched thin handling other priorities.

It’s also something that needs to be regularly maintained, because in this security landscape, a cyber event is a “when, not if” scenario. Add in the growth of tools and processes powered by artificial intelligence, and senior care organizations have more to consider when it comes to protecting personal health information.

“If you have that situation and then you have this breach, and the OCR wants to look at your security rule risk assessment, and you say, ‘Here it is from 2019,’ there is no way you are up to date in assessing your risk, especially pre-pandemic and now, post-AI introduction. Everything we’ve done is changing,” Griveas said.

This risk analysis is something senior care organizations should not ignore, and it works as a helpful baseline as emerging technologies get added to an environment. It can help team members understand what’s part of their IT environment and who has access to it.

“People, I think, sometimes think of a HIPAA security rule as very technical, and it’s not. It’s structures,” she added.


Vice President of IT and Chief Compliance Officer Michael Gray also emphasized the importance of updating knowledge about different cyberattacks. Five or six years ago, he noted, only a few hands would shoot up when attendees were asked if they knew what a ransomware attack was. Today, such attacks are very familiar across the industry.

“If we’re not aware of those risks, and our staff don’t know what those risks are, we can’t really defend against them,” he said.

Malicious actors will now try to remain in a target organization’s environment for as long as possible and may even try multiple attacks. There are also initial access brokers who, once they’ve cracked the door into an organization’s network, sell the way in to others. And with social engineering attempts growing more sophisticated, multifactor authentication is evolving to become more phishing-resistant.

Even if a senior care organization believes it is ready to face a cyber event, Gray said, long recovery times are inevitable, which means that teams across departments need to know how to keep operations going when systems are offline. At a tabletop exercise he attended, he said, one of the concerns was around whether younger employees knew how to chart on paper, so there had to be a consideration for who could do rapid training in paper charting.

“Even if you are extremely well prepared, it takes a long time to bring your systems back up. Your cyber insurance carrier and forensics company that they’re using, they have to be 100% sure that your environment is clean before they bring your systems back online,” Gray said.

It’s not just about having the best security tool stack; the people who make up an organization need to be well versed in the security strategy and regularly trained.

“We really are huge proponents of having the people with the right knowledge at the table, who are either in a leadership role or interacting with your governing board, advising the C-suite or in the C-suite, to be able to fully assess, ‘Are we doing what’s necessary so that we can have the protection we need?’” Griveas said.
