Healthcare data and technology are the lynchpins of today’s advanced senior living industry. Working with our partner company Bright Spring Health Services, this article takes a deep dive into the vulnerabilities – and solutions – we face every day.
The healthcare industry is a literal goldmine for hackers. And every single human who intersects with it is a portal to its vast wealth.
Whether it’s the man picking up a prescription, a woman having an ultrasound, a medical supply rep visiting a physician’s office, a nurse taking a vital sign – even the CEO of a large nursing home chain – the people and the healthcare data they generate and manage are among the biggest cyber targets today.
People in senior living, including assisted living and long-term care, are potential portals to vast and valuable databases and in some cases, direct links to identities and big money.
The warning bell sounded somewhat unceremoniously in September 2014, when the FBI issued “Liaison Alert System #A-000039-TT,” which spelled out the first of many attacks on the healthcare sector, including senior living data.
In that bulletin, the agency noted with “high confidence” that it had observed a “malicious actor targeting healthcare related systems.” The weapon of choice: a “spear” phishing email with a vicious payload of malware that spread with impunity.
In the hacker’s sights: protected healthcare information (PHI) and personally identifiable information (PII), as well as the intellectual property and proprietary design specs of medical device companies.
The healthcare industry at the time was extremely vulnerable.
As Leading Age observed in its massive cybersecurity white paper, “Health care providers are among the most frequently pursued cyberattack targets for two reasons: the data stored in their systems is lucrative, and security is often weak compared to other industries; this is especially true for aging services providers handling the personal, financial, and health data of their residents and clients.”
Even small coordinated attacks then – and today – can profoundly impact scores of lives. In the year following the 2014 attack, the top 10 largest cyberattacks against health care organizations personally affected more than 35% of the entire U.S. population.
The biggest year for cyberattacks occurred three years later in 2017, when the credit records of 143 million people were hacked from Equifax. According to the Identity Theft Resource Center (ITRC), Equifax was among the nearly 1,600 data breaches (about four per day) that hit U.S. companies, exposing more than 178 million records. The breach volume was a 45% increase over the year before.
In spite of all of the people and vast resources dedicated to fighting cybercrimes, 2019 finds the healthcare industry still uncomfortably under-prepared, as a bipartisan congressional report found.
In its final report, the Committee on Homeland Security and Governmental Affairs announced that seven major federal agencies with healthcare roles – including HHS, Housing and Urban Development and Social Security – had IT infrastructure vulnerabilities. In 2017 alone, 35,277 cyber incidents were reported across those seven agencies. Among the key vulnerabilities: outdated and unsupportable hardware and applications in myriad legacy computer systems, long-neglected and uninstalled security patches, unaccounted-for IT asset inventories and vast amounts of unprotected consumer PII.
It’s no surprise that high-level industry executives were so forthcoming when The Health Management Academy, in partnership with the Center for Connected Medicine (CCM), conducted the annual Top of Mind for Top Health Systems survey. Major revelations: Thanks to the recent wave of server breaches, phishing and ransomware attacks, fewer than 20% of them reported having a high degree of confidence in their IT recovery and business continuity plans. Consequently, nearly 90% of executives said they would be investing significantly more in cybersecurity measures this year.
In early January 2019, the U.S. Department of Health and Human Services (HHS) painted an ominous picture of the year to come in its four-volume white paper, “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients.”
Ransomware attacks are expected to be eclipsed only by personal email phishing attacks. Other major types of vulnerabilities will include loss or theft of equipment or data, insider, accidental or intentional data loss; and attacks against connected medical devices (like pacemakers and implantable defibrillators) that may affect patient safety.
Today, long-term and post-acute care such as skilled nursing rehab and assisted living remains among the most vulnerable of all sectors in healthcare, largely because their level of IT sophistication and information security has conventionally trailed far behind that of the acute care sector, according to Leading Age’s Center for Aging Services Technologies (CAST).
The primary targets: electronic health records (EHRs), as well as PHI and PII records.
Their value would surprise most people.
A pilfered credit card is chump change on the black market, around $10-$15. One stolen healthcare data record with a social security number and birth date can be worth as much as $350. A fully populated health record can be worth about 300 times more. Many of these records are used to commit billing fraud.
Complicating matters is the proliferation of Internet-enabled devices among the Baby Boomer generation now flooding into senior living communities and bringing their data with them.
In its February 2019 report, “2019 Tech Trends and the 50+,” AARP revealed the following statistics:
Meanwhile, the people who care for all of these seniors now unwittingly pose security threats that didn’t exist 20 years ago. Their biggest exposure: email and texting. The target: easy money and access to private networks.
When network security provider Barracuda Networks compiled a list of the top 12 most common subject lines used in phishing emails targeting businesses, half included one or more of the following terms in their subject lines: “payment status,” “purchase,” “invoice due,” “direct deposit,” “expenses,” and “payroll.”
“One poorly trained staff member can compromise an entire organization’s database with just one click on a phishing email or inadequate password,” property management software provider Yardi notes in its recent report, “Senior Living Data Security.” A big reason for the vulnerability is the proliferation of tablets, laptops and cell phones most senior living employees use to conduct both personal and company business. IT executives are quick to point to mobile device management as a key area of protection in which many senior living communities are lacking.
Brian Barnes, chief information officer for Bright Spring Health Services, works for a company whose corporate network is routinely attacked by over 100 countries every day. None succeed.
Barnes described for us the most prevalent types of attacks and most vulnerable points of entry in senior living data.
Phishing attacks via email and social media interactions. “There are a lot of very sophisticated, organized state-run crime rings out there,” says Barnes, who closely monitors the company’s level of preparedness on a daily and nightly basis. By far the most common type of attack is phishing email that tries to lure employees into clicking on dangerous links and sharing information. None of the attacks ever succeeds because of Bright Spring’s level of protection. “We process millions of emails every month and just over half are safe,” Barnes says. “The rest is useless stuff, spam or phishing attacks or impersonation attempts.”
Guest networks. Senior living communities now routinely offer guests and visitors the ability to use on-premises Wi-Fi. While it’s a welcome gesture, it can potentially expose the community to malware and hacking. The biggest risks are the bad actors no one sees coming. “This happens when someone walks into your environment and they either maliciously plug in something to your network or they inadvertently have a machine with viruses and other vulnerabilities on them,” says Barnes. One risk is when a guest is able to physically tap into a community’s network by way of an ethernet jack, a common connection in older buildings. Among the riskiest: when guests are able to operate a private, or “guest” network by way of a “hotspot” either on their own computer, a cell phone or standalone device. “These devices have security problems and are easy to hack,” Barnes says. “In skilled nursing facilities, these Wi-Fi hotspots can show up as multiple points of entry for attacks. In malicious cases people will often pose as cleaning people if they’re trying to hack and install these kinds of devices. And it’s very easy to do. This is a big vulnerability.”
Targeting powerful employees. Cybercriminals have begun targeting C-level individuals in various types of healthcare organizations, knowing they are the most likely to have deep pockets and access to vital internal networks and systems. It’s ubiquitous and affects scores of healthcare companies. “We experience several attacks like this every week,” Barnes says. None of the attacks are successful, of course, because of the rigid safeguards the company has in place. Some of the attacks are attempts to infiltrate an HR department and redirect payroll deposits. So-called “VIP impersonations” are among the most insidious. “Highly paid executives are perfect targets because they are very busy and typically won’t miss an attack for several pay periods,” he adds. “Hackers in this scheme will usually pry into social media accounts like Facebook and LinkedIn, study voice and written mannerisms and then try to shadow them online.” Such attempts in senior living communities usually entail impersonating an executive in an attempt to do things like acquiring bank account information, submitting false invoices and redirecting vendor payments.
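As an added illustration (not code from the article or from Bright Spring), the following Python triage routine turns two points above into a mail-filter check: it flags the financial lure terms Barracuda found in common phishing subject lines, and it flags “VIP impersonation” where the sender’s display name matches an executive but the address is not on the organization’s own domain. The organization domain, executive roster and sample messages are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Financial lure terms from the Barracuda subject-line list cited in the article.
LURE_TERMS = ("payment status", "purchase", "invoice due",
              "direct deposit", "expenses", "payroll")

# Assumptions (not from the article): the organization's own mail domain and a
# constructed roster of executive display names an attacker might impersonate.
ORG_DOMAIN = "example-seniorliving.test"
EXECUTIVES = {"jane doe", "john roe"}

@dataclass
class Message:
    display_name: str
    from_addr: str
    subject: str

def lure_terms_in(subject: str) -> list[str]:
    """Return the lure terms present in a subject line, in LURE_TERMS order."""
    s = subject.lower()
    return [t for t in LURE_TERMS if t in s]

def is_vip_impersonation(msg: Message) -> bool:
    """Display name matches a known executive but the address is off-domain."""
    name = re.sub(r"\s+", " ", msg.display_name).strip().lower()
    domain = msg.from_addr.rsplit("@", 1)[-1].lower()
    return name in EXECUTIVES and domain != ORG_DOMAIN

def triage(msg: Message) -> dict:
    """Quarantine impersonations; route lure-term mail to human review."""
    terms = lure_terms_in(msg.subject)
    vip = is_vip_impersonation(msg)
    verdict = "quarantine" if vip else ("review" if terms else "allow")
    return {"verdict": verdict, "lure_terms": terms, "vip_impersonation": vip}

# Constructed sample messages for demonstration only.
SAMPLES = [
    Message("Jane Doe", "jane.doe@freemail-lookalike.test",
            "Urgent: direct deposit change before payroll"),
    Message("Accounts", "ar@vendor.test", "Invoice due - payment status"),
    Message("Jane Doe", "jane.doe@example-seniorliving.test", "Board meeting agenda"),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m.from_addr, triage(m))
```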
Barnes advises senior living communities to employ the following basic protections – safeguards that are in place for every Bright Spring and PharMerica client. “There are a number of things we do for customers that are important,” he says. “From an enterprise perspective, this is what we’re doing and how our facility clients benefit from it. Others could and should conduct similar efforts.”
With all of the attention being paid to computers, servers, cell phones and social media, there’s one overlooked cyber-threat placing millions of seniors at risk: Internet-enabled medical devices.
Today, hackers can, with relative ease, take control of an insulin pump, pacemaker or implantable defibrillator to cause harm or seek ransom. The problem has not escaped the attention of the Food and Drug Administration, which in early 2017 issued medical device cybersecurity guidelines for patients and residents.
The FDA’s recommendations included:
Barnes advises skilled nursing and assisted living communities who find themselves on the weak side of cybersecurity to first get an external security assessment of their building and devices.
“Hire a firm that specializes in it. Get a checkup,” he says. “They will assess the whole security posture of your organization on a number of dimensions and then give you recommendations. This gives a facility or community a game plan and shows it all of the areas where they are at risk and vulnerable. It also gives them options on fixing those vulnerabilities.”
Web and email filtering capability also is a must. “This is the broadest gate through which most bad stuff comes into any organization,” he says. “These are our front lines of defense, where we spend most of our money.”
Routine and regular employee education and training on safe cyber practices is also an essential part of keeping a long-term care facility or assisted living community secure.
Barnes also cautions providers against assuming the “cloud” is always the safest place to store important data. The operative word is certification. “Getting to and from the cloud, you cross through a lot of places, some of which aren’t really secure or even safe,” he says. “More important is the cloud services provider. Not all cloud services are safe.” Barnes says he believes there’s an increasing unwillingness of many cloud providers to certify the security of their environment “because they know if there’s a breach, the costs associated are a huge expense most organizations are unwilling to assume.” Walking away from such an arrangement is the best and only option.
In the end, perhaps your best security is in the people you hire.
“A company’s employees can be the most important resource for combating interlopers and developing a strong IT security culture,” SC Magazine author Karen Epper Hoffman writes in McKnight’s 2019 report, Technology: Changing the Future. “Information security increasingly is being seen as a people problem — with a human solution — rather than a technologic one.”
Indeed, as Barnes asserts, it is wrong to assume that every employee is a potential open door to cyber risk. “The vast majority of people we hire in this industry, or any for that matter, do not act maliciously and are honest,” says Barnes. Even so, all staff at Bright Spring and PharMerica are required to participate in extensive programs and certify in writing they understand policies and procedures.
Ensocare, an Internet security firm specializing in healthcare coordination issues, offers this additional cybersecurity advice for handling threats or incidents:
Finally, consider this comprehensive dedicated resource from the Department of Health and Human Services: “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients.”
The senior living industry is extremely vulnerable to cyber-attacks and data breaches which carry serious and expensive consequences should protected healthcare information become exposed. Working with trusted partners who have robust protection in place, such as Bright Spring Health Services, PharMerica and ValueMed, is a good first step in protecting your skilled nursing facility or assisted living community.