Cyberattacks are still roiling aging services providers, as LeadingAge member The New Jewish Home learned firsthand. However, the good news is that you can take steps to protect your organization. “Hackers Target Eldercare Homes,” a recent article in The Wall Street Journal, describes how this New York health and rehabilitation care system spent six months investigating unauthorized activity on its network—ultimately finding that the breach potentially affected more than 104,000 people’s data. As the article notes, legal action often follows such discoveries.
John DiMaggio, a CAST Commissioner and CEO of BlueOrange Compliance, a LeadingAge Bronze Partner with CAST Focus, shares his take on the article’s tips, plus measures that can keep your organization from following the same path.
1) Ensure Your Organization Knows its Cybersecurity Limitations
DiMaggio shared the following examples that the BlueOrange Compliance team has seen.
Leadership can introduce cybersecurity risks by not understanding the threats and the preventative measures required. If management and/or boards do not prioritize cybersecurity or allocate enough resources to mitigate threats, breaches can result, said DiMaggio. “Creating a culture of cybersecurity and establishing a risk tolerance starts with the board and leadership, which involves a base understanding of the risk to the organization.”
To minimize these risks, the Information Technology (IT) department must have specialized cybersecurity knowledge, plus cyber leadership or skills, either in house or through a contract with a knowledgeable firm. IT systems can be complex and interconnected; specialized expertise is needed to fully protect these systems.
Another potential oversight is for the IT team or leadership to assume that an external vendor or managed services provider (MSP) is properly managing cyberthreats. Organizations need to maintain internal awareness and oversight, even when relying on outside partners. Lastly, organizations should ensure that a third party is regularly validating security risk assessments, performing vulnerability scanning to identify issues with software patching, and conducting penetration testing to validate that security controls are operating effectively.
2) Prepare for All Scenarios
As the article suggested, a multi-pronged approach is essential. “No one item can be relied upon for prevention,” said DiMaggio, who noted that bad actors have multiple ways to break into a system. They can attack humans via social engineering, exploit unpatched devices or software, and take advantage of misconfigured system software.
Threats evolve constantly. A recent example is artificial intelligence (AI), which offers both safeguards and dangers: the same AI that helps organizations protect information also helps threat actors attack organizations more effectively. “A good approach is implementing multiple layers of security so an attacker would require exploiting multiple security layers,” he said.
3) Use Cybersecurity Resources to Protect Your Organization
DiMaggio recommended several resources to help aging services providers guard against cyberattacks.
The Health Industry Cybersecurity Practices (HICP) offers prescriptive security practices to guide organizations in improving their security and reducing risk. The HHS 405(d) Program, a collaborative effort between the Health Sector Coordinating Council and the federal government to align health care industry security practices, produces the HICP.
HICP provides practical guidance tailored to “small” and “medium to large” organizations, covering a range of health care organizations and their supply chain vendors, many of which must comply with Health Insurance Portability and Accountability Act (HIPAA) regulations. Most senior living organizations fall into the “medium” category, with dedicated IT staff but without dedicated cybersecurity staff, DiMaggio said.
Many of the HICP security practices reduce risk, such as email protection and processes for granting and revoking access to systems and information. As such, providers can reference them when applying for cyber insurance. In addition, if an organization is attacked and there is evidence that it had implemented the HICP practices, the HIPAA Safe Harbor Law can potentially reduce fines and penalties.
As mentioned above, building a culture of cybersecurity and risk management is critical, and key HICP areas cover how to do so.
HICP also aligns with HIPAA and NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations. This widely recognized catalog of security controls covers regular scanning and penetration testing to validate the controls are implemented and effective.
LeadingAge CAST Cybersecurity Resources
Providers can find ways to further improve their cybersecurity posture by accessing the LeadingAge CAST Cybersecurity Resources. A cybersecurity white paper, case studies, and a benchmarking questionnaire help to identify potential areas of risk within an organization.