Just two months into the year and 2015 has already been labeled “The Year of the Healthcare Hack” by cybersecurity experts and national media. But while a massive data breach has yet to target senior living, the industry—like its broader health care peers—is far from hack-proof.
It doesn’t matter if a company operates five communities or more than 100 communities. A lack of industry-wide best practices, along with the growing sophistication of cyber threats in an increasingly digital world, puts a target on the back of any company that collects and stores sensitive data, cybersecurity experts agree.
The ever-present threat of a health care hacker attack manifested earlier this month when one of the nation’s largest health insurers, Anthem, Inc. (NYSE: WLP) — formerly WellPoint, Inc. — fell victim to one of the biggest data breaches ever disclosed by a health care company.
The largest insurer in the U.S. in terms of market share, according to the American Medical Association’s most recent report on health insurance competition, Anthem’s breach leaked certain personal information of 80 million of its customers, or roughly 1 in 4 Americans.
Coupling the Anthem hack with the events that transpired this winter at Sony Pictures Entertainment, which led the production company to alter its plans to release the film The Interview and shed a top executive —with losses including $15 million in “investigation and remediation costs,” Sony Corp. (NYSE: SNE) executives said during an earnings call in early February — it is evident that cybersecurity risks transcend all industries.
Like Target, like senior living
Health care reforms have given way to a shift toward adopting electronic reporting and cloud-based storage of information, but they’ve also inadvertently increased the risks of potentially exposing sensitive data recorded by technologies like electronic health records.
“Senior living facilities are not unlike other organizations that would hold sensitive resident, patient and employee information,” says Randy Stimmell, senior vice president and client executive – risk specialties for Willis North America, a unit of global risk advisor, insurance and reinsurance broker Willis Group Holdings.
Because senior living facilities also store financial information on residents such as credit card or other banking info, they increase their exposure to hackers; however, hackers can fetch a higher price on the black market for personal health info compared to something like credit card data, Stimmell says.
There is also the argument that the health care industry in general has been much slower at adopting new tech protection compared to other industries. And as national, big-name retailers like Target (NYSE: TGT) and Home Depot (NYSE: HD) have fallen prey to data breaches —two highly-publicized hacks that leaked credit card information of 40 million and 56 million shoppers, respectively — smaller corporations are just as vulnerable to hackers.
“Companies don’t have to be high profile retail operations to be susceptible to a breach,” says Peter Smith, senior vice president at Willis’ FINEX division, a specialty practice that focuses on financial and executive risk, including cyber risk.
Senior living has not been completely untouched from data breaches, albeit those reported have been on a much smaller scale than Target- or Home Depot-sized attacks.
Last February, an unauthorized third party obtained access to the vendor credentials of the company providing payroll services to Assisted Living Concepts (now Enlivant), gaining access to records containing the names, addresses, birth dates, Social Security and pay information of 43,600 former and current employees. In its actions to prevent further unauthorized access to its systems, the company deactivated the compromised user credentials and took the payroll systems offline until the issues were resolved.
In April 2014, the Michigan Department of Community Health informed 2,595 individuals that their personal data, including Social Security and Medicaid information, was compromised after a laptop and flash drive were stolen from a State Long-Term Care Ombudsman’s Office employee in January.
Liability
As stewards of sensitive resident and employee data, it is imperative for senior living companies to protect their systems against potential cyber attacks. Unfortunately, there is not an industry-wide, cut-and-dried solution for operators to follow.
“It’s hard to know what adequate security protection is,” says Lisa Clark, a health care lawyer and partner at Duane Morris LLP in Philadelphia. “The industry standard for what the best protection is changes every day.”
Clark, whose areas of specialization include cybersecurity and the Health Insurance Portability and Accountability Act, has responded to a number of data breaches from long-term care clients, mostly hospitals and skilled nursing facilities. In her more than 25 years of experience, Clark has seen firsthand the severity of consequences that result from data breaches in the health care sector.
One client, the name of whom Clark chose not to disclose, went into bankruptcy after falling victim to a breach that affected about 14,000 people across all 50 states.
“They just couldn’t pay for the clean up costs of the breach,” Clark said.
A multi-pronged approach
For companies operating in the long-term care space, the challenges lie in determining the right way to address cybersecurity, says Shawn Wiora, chief information officer and chief information security officer for Creative Solutions in HealthCare, a Texas-based owner and operator of nearly 50 assisted living and skilled nursing communities concentrated mostly in Texas, with facilities also in Georgia and Arizona.
“Data security should be top of mind for every C-level and management-level executive in the industry, but it’s not,” Wiora says. “[Senior living] has been fortunate from the perspective that the monsters out there haven’t focused on the industry as much as others, but that still doesn’t absolve management teams.”
Creative Solutions in HealthCare takes a multi-pronged approach to cybersecurity. At the highest level, this means looking at the standards outlined in regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, and National Institute of Standards and Technology (NIST).
The company performs what Wiora calls “crosswalks,” a methodology that cross examines corresponding requirements from HIPAA and aligns them with requirements from HITECH and NIST.
Modeling one’s cybersecurity strategy in the vein of federal regulations goes beyond simpler methods like running intrusion detection software, password protection and encrypting data systems—all of which can be used to protect against cyber threat, though providers should be warned these methods are not bulletproof.
In the event of a breach, however, having adhered to a framework the government employs would add to a provider’s defense once authorities are called to investigate the source of the attack.
“The question then becomes if every long-term care provider should start preparing for interaction with the FBI in anticipation of an inevitable breach,” Wiora says. “And if you do, are you prepared to talk about your end-to-end security solution?”
The jury is still out in the industry as to what the best method, if any exists, there is to safeguard sensitive data against hackers. And since there is no way to be 100% HIPAA compliant or protected from a cyber attack, therein lies the rub.
“There’s no way to be 100% covered,” Clark says. “These days, technology is central to health care, and that makes privacy and security central to health care, too. All you can do is meet the government standards and best industry practices.”
Written by Jason Oliva
Companies featured in this article:
