Senior housing providers may not have been the target in the recent jaw-dropping hack that impacted at least 500 million Yahoo! accounts, or in several other high-profile hacks that made the news these past few months. But that doesn’t mean senior housing is immune to similarly devastating security breaches.
Some providers are already recognizing this as a problem and are consequently pouring money into insurance to protect against cybersecurity breaches. But of course, prevention is best.
To best protect against cybersecurity breaches, senior housing organizations should implement a strategy with three main parts, according to a recent white paper from senior housing technology and consulting firm Keystone Technologies.
The three legs senior housing providers should focus on? People, processes and technologies.
“Only by understanding the people, the processes and the technologies involved will [senior housing executives] be able to secure their systems and ensure the integrity of the enterprise,” the white paper says.
People and relationships
Senior housing organizations are complex and different from more consolidated organizations, the white paper notes. Specifically, from a cybersecurity perspective, senior housing companies often have several locations to monitor and different levels of employees who could potentially open the company up to a security breach.
Many successful cyberattacks, for instance, start when someone opens an apparently harmless Web page or downloads a seemingly innocent email attachment. When front-line senior living employees, whether caregivers, receptionists or otherwise, do either of these things, they make senior living organizations more vulnerable to security breaches.
“The truth is anyone in an organization who turns on a computer, opens an email, or uses his or her mobile phone for work is part of the chain of cybersecurity,” the white paper says.
Obviously, it’s key for a senior living organization to have a designated “IT person,” such as a chief technology officer or chief information officer. But it’s also critical that all of the senior housing organization’s business managers and property managers are fully invested in the cybersecurity of their employer.
“Anyone responsible for a business line needs to engage in cyber as one element in fulfilling that responsibility,” the white paper says.
This doesn’t mean that a senior living executive director, for instance, needs to know every little thing about cybersecurity. But he or she should know enough to keep his or her community safe.
“The clinical director doesn’t need to know how to configure a firewall, but he or she does need to understand something about the range of risks and the tools of remediation,” the white paper says.
Rules and parameters
Along those lines, it’s important that senior living organizations invest time and effort into cyber-training for their employees at all levels. The training should be “repeated and repeatedly reinvented,” as the cybersecurity landscape and cyberthreats are always changing, the white paper says.
Additionally, senior living organizations should set clear rules and processes for their employees to follow. The employees shouldn’t be allowed to use the same password for several log-ins, for example, and they shouldn’t have any of their passwords taped to their desktop monitors.
Senior living organizations can also set up a system of “least privilege,” which is the practice of restricting each user’s technology access to only those areas he or she needs in order to carry out a specific business task.
“By limiting the data that a user can see and touch, administrators limit the possible avenues by which that user’s credentials could potentially be exploited,” the white paper says.
Tools and more
Technology is the cornerstone of any organization’s cybersecurity success, the white paper notes. Naturally, without the right technology in place to monitor a senior living organization’s cybersecurity, preventing data breaches is nearly impossible.
Consequently, senior housing providers should look into implementing various technologies, such as security information and event management (SIEM) systems, vulnerability scanners and network intrusion prevention systems (NIPS), to better secure their organizations. But just having the tools in place isn’t enough.
“In cyber, there’s a big difference between information and intelligence,” the white paper concludes. “Defenders who put in place SIEM systems in order to monitor activity, but who do not implement sufficient analytics in order to turn those observations into meaningful intelligence, have only gone halfway there.”
Written by Mary Kate Nelson