Robust cybersecurity is critical for resident safety. Here’s what you should know
McKnight's Senior Living, Thu, 19 Oct 2023
https://www.mcknightsseniorliving.com/home/columns/marketplace-columns/robust-cybersecurity-is-critical-for-resident-safety-heres-what-you-should-know/
Mike Skinner

Effective cybersecurity is a whole-organization effort and not the exclusive domain of the IT department. Nowhere is this perhaps more true — or more consequential — than for those who provide care.

Cybersecurity should be a strategic priority for senior living providers, nursing homes, hospitals, physician and dental practices, and other facilities where sensitive personal data are kept and could be compromised without appropriate safeguards. Robust cybersecurity protocols, in fact, are as essential to resident and patient safety as any other accountability or quality control mechanism. Healthcare leaders, industry associations and even members of Congress all are pushing for healthcare organizations to go further to protect their data and that of those in their care.

There is no question the stakes are high. Care organizations generally are bigger targets than the average corporation, because bad actors bet they will be able to get their hands on Social Security numbers, bank details or emerging medical research and drug patents, to name a few of many examples. Cybercriminals also will assume that they hold most or all of the cards in such a situation, with organizations such as hospitals under extreme pressure to meet ransoms for the sake of patient safety.

Fixing a breach after the fact can come with monetary and reputational costs. Research compiled this year by the US Department of Health and Human Services points to healthcare-related data breaches having doubled over the past three years, noting that the average ransom demand reached nearly $250,000 in 2021, and that typical downtime, with critical systems rendered inoperable by an attack, increased from 18 to 22 days in a single year. 

None of this is to say that providers are helpless. Broadly speaking, you can take certain steps on both the resident side and provider-administrator side to mitigate risks and provide the maximum possible protection.

Some of those steps are fairly straightforward. For residents and their designated caregivers, multi-factor authentication should be the minimum standard for accessing confidential records. Users should be expected to verify their identities through at least one additional step, such as entering a one-time code sent via SMS message. Adaptive authentication steps also can monitor potential attempts at gaming the system, such as repeatedly entering the wrong password, while also preserving good faith assumptions.

Residents and their families also should have a basic awareness of the steps your organization is taking to protect their data. If they have any responsibilities — such as routinely changing their passwords on a patient portal — those should be made very clear and simple. Ultimately, the responsibility lies with the provider for data to be safeguarded.

Providers, owner-operators or administrators of healthcare organizations have a few other considerations to keep in mind, some of which will involve advocating for themselves and their needs in front of lawmakers and regulators. For one thing, HIPAA on its own isn’t a sufficient cybersecurity safeguard, even if its stipulations are followed to the letter. Providers need to know what other regulations are expected of them, depending on what exactly their organization does. The organization may fall under the umbrella of the Cybersecurity Information Sharing Act, for instance.

It is encouraging to see that legislators at the federal level are reexamining the role of cyber insurance as a safeguard. More should be done to incentivize small healthcare organizations, in particular, to take out policies sufficient to cover their likely risks. Minimum coverage provisions would be one strong step. Another, arguably, is shifting regulatory responses to cybersecurity crises and breaches from punitive to supportive, focusing less on punishing the victims of a cyber breach for negligence and more on enabling them to strengthen their defenses and learn lessons.

It also is worth noting that a large number of cybersecurity breaches originate from third-party vendors, suggesting that more must be done to patch up vendor vulnerabilities throughout the supply chain. At the very least, healthcare organizations have the right to fully understand the steps that third-party contractors are taking to firm up their cyber defenses. Draw up a risk matrix to visualize both strengths and potential pain points.

The adoption of any new service, software or product between the healthcare organization and the third-party vendor needs to be accompanied by a unique cybersecurity discussion. What steps have been taken to ensure safe and seamless system integration? Have all team members who will either use or get access to the software or product been trained on both its basic functions and any relevant security protocols? What gaps exist, real or potential? How are they being plugged, and how will both sides respond in the event a breach is discovered?

To receive bespoke advice and gain a better understanding of your organization’s unique risks, it is worth approaching a cybersecurity consultant who is skilled and experienced at working with companies in your industry. There is no reason to wait. Resident safety, quality of care and reputation all truly depend on it.

Mike Skinner is the founder and principal consultant of the Skinner Technology Group, a provider of IT managed services, business network management and cybersecurity consulting. He has more than 20 years of experience in IT and cybersecurity services across multiple industries.

The opinions expressed in each McKnight’s Senior Living marketplace column are those of the author and are not necessarily those of McKnight’s Senior Living.
