Cybersecurity Issues In Long-Term Care And Senior Living: Know The Threats, Adopt Safe Practices
November 10, 2020
Healthcare data and technology are the lynchpins of today’s advanced senior living industry. Working with our partner company Bright Spring Health Services, this article takes a deep dive into the vulnerabilities – and solutions – we face every day.
The healthcare industry is a gold mine for hackers. And every single human who intersects with it is a portal to its vast wealth.
Whether it’s the man picking up a prescription, a woman having an ultrasound, a medical supply rep visiting a physician’s office, a nurse taking a vital sign – even the CEO of a large nursing home chain – the people and the healthcare data they generate and manage are among the biggest cyber targets today.
People in senior living, including assisted living and long-term care, are potential portals to vast and valuable databases and in some cases, direct links to identities and big money.
The warning bell sounded somewhat unceremoniously in September 2014, when the FBI issued “Liaison Alert System #A-000039-TT,” which spelled out the first of many attacks on the healthcare sector, including senior living data.
In that bulletin, the agency noted with “high confidence” that it had observed a “malicious actor targeting healthcare related systems.” The weapon of choice: a “spear” phishing email with a vicious payload of malware that spread with impunity.
In the hacker’s sights: protected health information (PHI) and personally identifiable information (PII), as well as the intellectual property and proprietary design specs of medical device companies.
The healthcare industry at the time was extremely vulnerable.
As Leading Age observed in its massive cybersecurity white paper, “Health care providers are among the most frequently pursued cyberattack targets for two reasons: the data stored in their systems is lucrative, and security is often weak compared to other industries; this is especially true for aging services providers handling the personal, financial, and health data of their residents and clients.”
Even small coordinated attacks then – and today – can profoundly impact scores of lives. In the year following the 2014 attack, the top 10 largest cyberattacks against health care organizations personally affected more than 35% of the entire U.S. population.
The biggest year for cyberattacks occurred three years later in 2017, when the credit records of 143 million people were hacked from Equifax. According to the Identity Theft Resource Center (ITRC), Equifax was among the nearly 1,600 data breaches (about four per day) that hit U.S. companies, exposing more than 178 million records. The breach volume was a 45% increase over the year before.
In spite of all of the people and vast resources dedicated to fighting cybercrimes, 2019 finds the healthcare industry still uncomfortably under-prepared, as a bipartisan congressional report found.
In its final report, the Committee on Homeland Security and Governmental Affairs announced that seven major healthcare agencies – including HHS, Housing and Urban Development and Social Security – had IT infrastructure vulnerabilities. In 2017 alone, 35,277 cyber incidents were reported across those seven agencies. Among the key vulnerabilities: outdated and unsupportable hardware and applications in myriad legacy computer systems, long-neglected and uninstalled security patches, incomplete IT asset inventories and vast amounts of unprotected consumer PII.
It’s no surprise that high-level industry executives were so forthcoming when The Health Management Academy, in partnership with the Center for Connected Medicine (CCM), conducted the annual Top of Mind for Top Health Systems survey. Major revelations: Thanks to the recent wave of server breaches, phishing and ransomware attacks, fewer than 20% of them reported having a high degree of confidence in their IT recovery and business continuity plans. Consequently, nearly 90% of executives said they would be investing significantly more in cybersecurity measures this year.
In early January 2019, the U.S. Department of Health and Human Services (HHS) painted an ominous picture of the year to come in its four-volume white paper, “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients.”
Ransomware attacks are expected to be eclipsed only by personal email phishing attacks. Other major types of vulnerabilities will include loss or theft of equipment or data; insider, accidental or intentional data loss; and attacks against connected medical devices (like pacemakers and implantable defibrillators) that may affect patient safety.
Cybersecurity in long-term care
Today, long-term and post-acute care such as skilled nursing rehab and assisted living remains among the most vulnerable of all sectors in healthcare, largely because their level of IT sophistication and information security has conventionally trailed far behind that of the acute care sector, according to Leading Age’s Center for Aging Services Technologies (CAST).
The primary targets: electronic health records (EHRs), as well as PHI and PII records.
Their value would surprise most people.
A pilfered credit card is chump change on the black market, around $10-$15. One stolen healthcare data record with a social security number and birth date can be worth as much as $350. A fully populated health record can be worth about 300 times more. Many of these records are used to commit billing fraud.
Complicating matters is the proliferation of Internet-enabled devices among the Baby Boomer generation now flooding into senior living communities and bringing their data with them.
In its February 2019 report, “2019 Tech Trends and the 50+,” AARP revealed the following statistics:
- 94% of people over 50 use Internet-enabled technology to stay connected to friends and loved ones.
- In one year, use of home assistants such as Amazon Alexa or Google Home almost doubled among people 50 and older, from 7 to 13%.
- In 2018, virtual-reality devices grew 44% in popularity among those over 50.
- Almost one-quarter of those over 50 have smart cars with driver assistance (automatic parking, emergency braking, lane-change detection, collision avoidance), and 46% plan to make their next car a smart car.
- More people over 50 use computers and smartphones to play games (63%) than to watch movies or TV (57%); almost one-quarter use them to take online classes for degrees or certificates, or for how-to tutorials.
Meanwhile, the people who care for all of these seniors now unwittingly pose security threats that didn’t exist 20 years ago. Their biggest exposure: email and texting. The target: easy money and access to private networks.
When network security provider Barracuda Networks compiled a list of the top 12 most common subject lines used in phishing emails targeting businesses, half included one or more of the following terms in their subject lines: “payment status,” “purchase,” “invoice due,” “direct deposit,” “expenses,” and “payroll.”
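A practitioner can turn a finding like Barracuda’s into a simple triage rule for a mail gateway or a SOC review queue. The following is an added example, not code from the original article or from Barracuda, Bright Spring or PharMerica. It normalizes each subject line (case, “RE:/FW:” prefixes, punctuation), checks for the six terms the article names as whole words or phrases, and reports which subjects matched, how often each term fired, and the flagged fraction. The sample subjects are constructed for the demonstration and are not real messages.

```python
import re
from collections import Counter

# The six subject-line terms the article attributes to Barracuda Networks' list
# of common phishing subject lines aimed at businesses.
PHISHING_SUBJECT_TERMS = (
    "payment status",
    "purchase",
    "invoice due",
    "direct deposit",
    "expenses",
    "payroll",
)


def normalize_subject(subject: str) -> str:
    """Lower-case, strip reply/forward prefixes, collapse punctuation to spaces."""
    s = subject.lower()
    # Drop one or more leading "re:", "fw:", "fwd:" prefixes.
    s = re.sub(r"^(\s*(re|fw|fwd)\s*:\s*)+", "", s)
    # Replace runs of non-alphanumerics with one space so "Invoice_Due!!" reads "invoice due".
    s = re.sub(r"[^a-z0-9]+", " ", s).strip()
    return s


def matched_terms(subject: str, terms=PHISHING_SUBJECT_TERMS) -> list:
    """Return the watch-list terms that appear in the subject as whole words/phrases."""
    s = normalize_subject(subject)
    hits = []
    for term in terms:
        # \b on both sides prevents partial matches such as "expensesreport".
        if re.search(r"\b" + re.escape(term) + r"\b", s):
            hits.append(term)
    return hits


def triage(subjects):
    """Score a batch of subject lines.

    Returns (flagged, term_counts, flagged_fraction) where flagged is a list of
    (subject, matched terms) pairs and term_counts counts how often each term fired.
    """
    flagged = []
    term_counts = Counter()
    for subj in subjects:
        hits = matched_terms(subj)
        if hits:
            flagged.append((subj, hits))
            term_counts.update(hits)
    fraction = len(flagged) / len(subjects) if subjects else 0.0
    return flagged, term_counts, fraction


# Constructed sample subjects (assumption: a mix of plausible phishing lures and
# ordinary senior-living community traffic); not real mail.
SAMPLE_SUBJECTS = [
    "RE: Payment Status - ACTION REQUIRED",
    "Invoice_Due: #4471",
    "Direct deposit update needed before Friday",
    "Q3 Expenses report attached",
    "Payroll change confirmation",
    "Purchase order approval",
    "Lunch menu for next week",
    "Family council meeting moved to Thursday",
    "Resident activity calendar - November",
    "Maintenance request: room 214 thermostat",
    "Fire drill scheduled Wednesday",
    "Staff parking reminder",
]

if __name__ == "__main__":
    flagged, counts, frac = triage(SAMPLE_SUBJECTS)
    for subj, hits in flagged:
        print(f"FLAG {hits}: {subj}")
    print(f"{len(flagged)}/{len(SAMPLE_SUBJECTS)} flagged ({frac:.0%}); term counts: {dict(counts)}")
```

A keyword hit on its own is a weak signal; finance staff legitimately send mail about invoices and payroll. In a real deployment this score would be one input to the filtering layer described later in the article, combined with sender and attachment checks, and used to route a message for closer inspection rather than to block it outright.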
“One poorly trained staff member can compromise an entire organization’s database with just one click on a phishing email or inadequate password,” property management software provider Yardi notes in its recent report, “Senior Living Data Security.” A big reason for the vulnerability is the proliferation of tablets, laptops and cell phones most senior living employees use to conduct both personal and company business. IT executives are quick to point to mobile device management as a key area of protection in which many senior living communities are lacking.
Brian Barnes, chief information officer for Bright Spring Health Services, works for a company whose corporate network is routinely attacked by over 100 countries every day. None succeed.
Barnes described for us the most prevalent types of attacks and most vulnerable points of entry in senior living data.
Phishing attacks via email and social media interactions. “There are a lot of very sophisticated, organized state-run crime rings out there,” says Barnes, who closely monitors the company’s level of preparedness on a daily and nightly basis. By far the most common type of attack is phishing email that tries to lure employees into clicking on dangerous links and sharing information. None of the attacks ever succeeds because of Bright Spring’s level of protection. “We process millions of emails every month and just over half are safe,” Barnes says. “The rest is useless stuff, spam or phishing attacks or impersonation attempts.”
Guest networks. Senior living communities now routinely offer guests and visitors the ability to use on-premises Wi-Fi. While it’s a welcome gesture, it can potentially expose the community to malware and hacking. The biggest risks are the bad actors no one sees coming. “This happens when someone walks into your environment and they either maliciously plug in something to your network or they inadvertently have a machine with viruses and other vulnerabilities on them,” says Barnes. One risk is when a guest is able to physically tap into a community’s network by way of an ethernet jack, a common connection in older buildings. Among the riskiest: when guests are able to operate a private, or “guest” network by way of a “hotspot” either on their own computer, a cell phone or standalone device. “These devices have security problems and are easy to hack,” Barnes says. “In skilled nursing facilities, these Wi-Fi hotspots can show up as multiple points of entry for attacks. In malicious cases people will often pose as cleaning people if they’re trying to hack and install these kinds of devices. And it’s very easy to do. This is a big vulnerability.”
Targeting powerful employees. Cybercriminals have begun targeting C-level individuals in various types of healthcare organizations, knowing they are the most likely to have deep pockets and access to vital internal networks and systems. It’s ubiquitous and affects scores of healthcare companies. “We experience several attacks like this every week,” Barnes says. None of the attacks are successful, of course, because of the rigid safeguards the company has in place. Some of the attacks are attempts to infiltrate an HR department and redirect payroll deposits. So-called “VIP impersonations” are among the most insidious. “Highly paid executives are perfect targets because they are very busy and typically won’t miss an attack for several pay periods,” he adds. “Hackers in this scheme will usually pry into social media accounts like Facebook and LinkedIn, study voice and written mannerisms and then try to shadow them online.” Such attempts in senior living communities usually entail impersonating an executive in an attempt to do things like acquiring bank account information, submitting false invoices and redirecting vendor payments.
How senior living communities can protect themselves
Barnes advises senior living communities to employ the following basic protections – safeguards that are in place for every Bright Spring and PharMerica client. “There are a number of things we do for customers that are important,” he says. “From an enterprise perspective, this is what we’re doing and how our facility clients benefit from it. Others could and should conduct similar efforts.”
- Encryption. Everything existing or shared on computing and communication devices, including protected health information, is encrypted. “We encrypt everything – laptops, mobile devices, servers and all data that we transmit,” Barnes says. “Skilled nursing facilities and assisted living communities should encrypt everything they have – not only what is stored but everything transmitted, including email, texts and faxes.” He also advises providers to implement clear policies and procedures around the safe use of personal computing and communication devices on the job.
- Identity management. “This is a system that understands who you are everywhere you go,” Barnes says. Whether it’s a mobile phone, a tablet, a laptop or a desktop – wherever staff are logging in at any given time, an appropriate ID management system is in place, such as multi-factor authentication or two-step verification. Barnes advises providers to forbid and heavily penalize ID and password sharing of any kind. “We spend millions of dollars on security every year and our customers benefit from that investment every day,” he adds.
- Intrusion detection scanning. This is software that is constantly searching and rooting out potential intruders. The software is always looking at electronic patterns of behavior, scanning the network for viruses, malware and ransomware. “It’s not unlike a team of security guards roaming the building 24/7/365.”
- Filtering. This technology essentially stops bad things from happening before they reach individuals. “On the web and email side, we have systems that test out links and open up messages before someone has a chance to open an email or other kind of communication,” Barnes says. “We process millions of emails each month. About half of them are thrown away and never make it to someone’s computer or cell phone.”
- External security assessments. “Trusting your own security department to evaluate itself is like doing your own performance reviews,” says Barnes. “Such assessments provide assurances to all of our clients – skilled nursing facilities and assisted living communities included – that we’re not just saying ‘trust us because we’re great.’ We’re saying ‘trust us because we have external certified organizations that certify us and look deeply into what we do in terms of our own security practices.’ They also look at our practices and benchmark them against top performers across the industry.”
- Security event management. This technology constantly monitors events happening across the organization. For example, the software will block an employee from using a flash drive brought from home if an instant scan detects a virus. It also powers off the computer, disables the individual’s corporate account and notifies the individual’s manager of the policy violation. “The old days of thinking someone will eventually notice a problem are gone,” he says. “You can’t do that in a world in which you have over 100 countries constantly attacking you. This is a multi-million-dollar investment we put in that our customers benefit from every second of every day. Smaller pharmacy operations aren’t going to spend that kind of money to protect skilled nursing and assisted living customers. Our scalability and size allow us to spend those kinds of dollars on these massive security systems that protect them.”
With all of the attention being paid to computers, servers, cell phones and social media, there’s one overlooked cyber-threat placing millions of seniors at risk: Internet-enabled medical devices.
Today, hackers can, with relative ease, take control of an insulin pump, pacemaker or implantable defibrillator to cause harm or seek ransom. The problem has not escaped the attention of the Food and Drug Administration, which in early 2017 issued medical device cybersecurity guidelines for patients and residents.
The FDA’s recommendations included:
- Practicing good cyber hygiene, which includes ongoing assessment of risks and opportunities to reduce cybersecurity threats;
- Developing a process for working with cybersecurity researchers and other stakeholders to receive information about potential vulnerabilities;
- Validating software to reduce potential vulnerabilities, without creating new vulnerabilities; and
- Deploying mitigations, such as software patches, to address cybersecurity issues early.
Barnes advises skilled nursing and assisted living communities that find themselves on the weak side of cybersecurity to first get an external security assessment of their building and devices.
“Hire a firm that specializes in it. Get a checkup,” he says. “They will assess the whole security posture of your organization on a number of dimensions and then give you recommendations. This gives a facility or community a game plan and shows it all of the areas where they are at risk and vulnerable. It also gives them options on fixing those vulnerabilities.”
Web and email filtering capability also is a must. “This is the broadest gate through which most bad stuff comes into any organization,” he says. “These are our front lines of defense, where we spend most of our money.”
Routine and regular employee education and training on safe cyber practices is also an essential part of keeping a long-term care facility or assisted living community secure.
Barnes also cautions providers against assuming the “cloud” is always the safest place to store important data. The operative word is certification. “Getting to and from the cloud, you cross through a lot of places, some of which aren’t really secure or even safe,” he says. “More important is the cloud services provider. Not all cloud services are safe.” Barnes says he believes there’s an increasing unwillingness of many cloud providers to certify the security of their environment “because they know if there’s a breach, the costs associated are a huge expense most organizations are unwilling to assume.” Walking away from such an arrangement is the best and only option.
In the end, perhaps your best security is in the people you hire.
“A company’s employees can be the most important resource for combating interlopers and developing a strong IT security culture,” SC Magazine author Karen Epper Hoffman writes in McKnight’s 2019 report, Technology: Changing the Future. “Information security increasingly is being seen as a people problem — with a human solution — rather than a technologic one.”
Indeed, as Barnes asserts, it is wrong to assume that every employee is a potential open door to cyber risk. “The vast majority of people we hire in this industry, or any for that matter, do not act maliciously and are honest,” says Barnes. Even so, all staff at Bright Spring and PharMerica are required to participate in extensive programs and certify in writing they understand policies and procedures.
Ensocare, an Internet security firm specializing in healthcare coordination issues, offers this additional cybersecurity advice for handling threats or incidents:
- Create a plan. Create an incident response plan ahead of time. The plan should include a key contact, how they should be contacted and which critical pieces of information are needed to aid in all phases of a response. Additional information should include things like port numbers, URLs, system or network diagrams or other documentation that will aid in the containment of the threat.
- React immediately. Once a potential threat has been detected, dispatch an incident response team to investigate, isolate and contain the damage.
- Communicate openly and honestly. “Communication of the threat begins internally. If an incursion has affected one device, application or system, it’s possible this could be the beginning of a coordinated attack at an organizational level. It’s therefore important to be honest yet not alarmist about what’s happening. Your incident response plan should include communicating the incursion to the entire organization and a means of getting information out quickly and efficiently.”
- Learn from an incident to help plan for the future. After a threat is contained and neutralized, develop a plan to handle similar events in the future.
Finally, consider this comprehensive dedicated resource from the Department of Health and Human Services: “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients.”
The senior living industry is extremely vulnerable to cyber-attacks and data breaches which carry serious and expensive consequences should protected healthcare information become exposed. Working with trusted partners who have robust protection in place, such as Bright Spring Health Services, PharMerica and ValueMed, is a good first step in protecting your skilled nursing facility or assisted living community.