Don’t Get Hacked: How To Protect Senior Living From Cyber Crime

May 15, 2017, Alana Stramowski, Senior Housing News - The 21st Century Senior Living Community is a series brought to you by CDW, a provider of technology solutions and services focused exclusively on serving the healthcare marketplace.  The series takes a clear-eyed look at how leading providers and their partners are creating the next generation of senior living communities by raising the bar on services, design, and technology.

The global “ransomware” cyber attack taking place in 150 countries around the world serves as a reminder: 21st-century technology is reinventing senior living in positive ways, but creating new risks as well.  Even before the massive attack was launched last Friday, targeting health care organizations among many others, smart providers were implementing strategies to beef up safeguards and taking steps to prevent future breaches.

All industries are extremely vulnerable to cyber attacks but post-attack cleanup is much more expensive in health care compared to other sectors, according to Joe Velderman, director of consulting services at full-service IT company ProviNET Solutions.

When an attack happens, there is always a cost that companies will pay to have a lawyer address the consequences of compromised information, and/or have better security put in place.

The average cost per lost or stolen non-health care record is $217 per person/per incident, but if the record is of a health care nature, the cost increases to $398 per person/per incident, Velderman explained recently at the LeadingAge Illinois Annual Meeting and Expo in Chicago.

In the latest attack, which was first detected Friday, there were a number of companies hit by the ransomware.  The attackers demanded users pay in Bitcoins in order to obtain access to their own documents on their computer.  Among the companies hit hardest were FedEx, Nissan and the United Kingdom’s National Health Service.  The National Health Service had at least 16 of its organizations impacted by the attacks, according to a reportfrom CNN.

The initial attack, known as “WannaCry” was done mainly on Microsoft operating systems and experts urged organizations and companies to update older versions of the operating system to ensure they wouldn’t be vulnerable, the Chicago Sun-Times reported.

What Senior Living Can Do

Those in the health care industry—and more specifically, in senior housing—should be concerned, but know there are ways to avoid attacks, Velderman explained.

“There are so many ways hackers can get into secure systems,” he said.  “There’s phishing, theft, negligent users, zero-day attacks, or viruses, and brute-force attacks, which are ways a sophisticated hacker can figure out how to get though your firewall and into your network.”

When it comes to tackling specific ransomware attacks, ensuring proper backup of all files can help make this type of attack less detrimental, Peter Kress, chief information officer at Acts Retirement-Life Communities, told Senior Housing News.

Acts Retirement is a Pennsylvania-based non-profit continuing care retirement community (CCRC) owner and operator, with 22 resort-style CCRCs in eight states.

“For ransomware attacks, if you have all your data backed up, all you need to do is erase the computer that is affected and it can be fixed,” Kress said.  “While the efforts to recover certain systems can be time consuming, it is better than losing important data for good.”

In addition to making backups of all data, utilizing the cloud as another backup method is a trend Kress sees within the industry.  Though, when using cloud technology, providers need to be very diligent when it comes to making sure there aren’t any holes that hackers can get through.

Another way providers can avoid attacks is by educating staff on how to identify legitimate versus illegitimate emails, as many viruses come in the form of an email that may look very similar to one from someone within the company, said Velderman.

Acts Retirement does this by providing ongoing training to all employees.  The provider also holds “fire drills on phishing,” explained Kress.

“We did one of these drills earlier this year to raise awareness.  We essentially played the role of a phishing attack via email so employees knew from then on what to look for as red flags in their emails,” he said.

All of these strategies to protect against potential cyber attacks should be part of a multi-tiered plan, Velderman said.  Other aspects of the plan could include:

  • Solid policies and procedures about what users (employees) can and cannot do on devices
  • Requirements to change passwords every 90 days
  • Health Insurance Portability and Accountability Act (HIPAA) compliance training
  • Installation of heavy-duty firewall protection from a next-generation enterprise company
  • Scheduled internal and external audits annually

In this time of cloud technology and more in-depth software, it’s essential to have all of the right safeguards in place to prevent an attack, added Kress.

“Protecting data at any company is like a moving target because as technology gets more sophisticated hackers become more sophisticated,” he said.  “At the same time, though, solutions get more sophisticated.  You have to be able to keep up with it all.”