With frequent reports of older adults and health care organizations targeted in scams, LeadingAge called on an expert to answer critical cybersecurity questions for members.
We know cybersecurity is a priority for many LeadingAge members in care settings across the continuum, so we asked the CEO of BlueOrange Compliance, John DiMaggio, to give an overview of what providers need to know. Also, be sure to register for the upcoming “Cybersecurity: Pre-Breach Preparedness” webinar on October 17—a live event in which DiMaggio will speak about how members can work with IT teams to protect their organizations from health care security breaches.
Q: Why do LeadingAge members need to prepare for cybersecurity threats?
Cyber risks can affect resident safety, degrade community reputation, and prove costly due to remediation, legal costs, potential regulatory fines, penalties, and civil litigation. Health care is still a prime target for cybercriminals due to the high street value of health information and the urgency to continue health care operations.
Residents and families put their complete trust in communities to keep them safe, and an essential part of that is cybersecurity. Communities must protect resident data—including health records, financial information, and other personal data. In the wrong hands, this information can be used for identity theft, fraud, or other malicious purposes. Also, should resident data become compromised, cybercriminals could use that information to conduct targeted scams against residents themselves through email or by phone. Preparation is key due to the ever-increasing likelihood that a cyber event will happen.
Q: What key prevention strategies can bolster cybersecurity in senior living communities?
I believe it requires a two-pronged approach. The first, and usually not obvious, is the vital education of boards and senior management. Boards need to understand cyber risks and their ramifications in order to provide oversight, proper resource allocation, and determine the level of risk the organization is willing to accept. BlueOrange frequently presents to boards and executive teams, generating great questions and dialogue.
The second is an execution strategy. Communities must conduct regular risk assessments and training to identify potential vulnerabilities and threats specific to their community. This is, in fact, a regulatory requirement for communities covered under HIPAA. Security isn’t just firewalls, antivirus, etc.—security involves people, processes, and administration. A thorough risk assessment will identify gaps prioritized by risk level.
Organizations must also have regular testing to validate that their controls are working effectively. One key type of test is a penetration test, or pen test. This is a human-led simulated cyberattack against a computer system to check for vulnerabilities, including technology, processes, and people. Other regular testing includes vulnerability scanning, which methodically checks to ensure your software has the latest security updates with no known vulnerabilities. We’ve seen vulnerability scanning and penetration testing used interchangeably, but they are quite different.
Two final key areas are employee training, as most cyberattacks are initiated with some human involvement, and vendor management. Vendors play an important role in running your business, so identifying and managing vendors based on risk level is critical as your business is ultimately responsible.
Q: Which cybersecurity best practices do you consider most vital for senior living communities?
Several best practices are now required items or considered “underwriting risk levers” by cyber insurance, and using risk assessments to regularly identify your current state against these constantly evolving threats is now part of business. Best practices include:
multifactor authentication (requiring a code or other factor in addition to username/password)
properly functioning and configured backups
technical tools/monitoring for devices
website user tracking
Q: What are the most promising emerging trends in cybersecurity for our sector?
There are many; however, one trend that’s generating attention and could be the source of future articles is the growth of Artificial Intelligence (AI) and Machine Learning (ML). These technologies are used for advanced threat detection and automated incident response, which can help senior living communities identify and respond to cyberthreats more effectively and in real time. Unfortunately, AI and ML also provide benefits to cybercriminals by crafting more effective and targeted attacks.
Another emerging technology is Zero Trust Architecture, a security model that assumes that no one can be trusted by default and constantly limits the information and access available to the user based on need.
Q: How can staff training and education play a role in preventing cyberthreats?
Regular security training for staff is critical—as again, most cyberattacks target some form of human weakness such as our trusting nature, which causes us to click on malicious email links or perform a task requested by a “trusted source.”
From an organizational level, it is recommended to conduct an incident response tabletop exercise. The exercise uses a real-time, simulated cyberattack and response scenario to identify security gaps and educational needs. The multi-disciplinary process involves executives, IT, and business management and can help reduce the negative impact of a real security incident.
Last, resident training can reduce the likelihood of residents getting scammed through their personal technology.
Q: What’s your best advice for LeadingAge members just getting started in addressing cybersecurity?
Educate boards and leadership.
Conduct a risk assessment to determine your current state vs. desired state.
Effective cybersecurity can’t operate well in a silo; find internal resources to champion cybersecurity and develop a drumbeat to keep ahead of evolving threats, and provide status to leadership.
John DiMaggio is the Co-Founder and CEO of BlueOrange Compliance, a leading national health care information security and compliance firm dedicated to helping health care organizations and their business associates assess and manage cybersecurity and HIPAA compliance risks in a constantly evolving cyber landscape.