
The wealth of data they hold and the special vulnerabilities of the populations they serve raise the stakes for long-term care facilities trying to ensure residents’ personal information is protected. 

The need for stronger cybersecurity is not a new concept for long-term care providers, but legislation introduced last week from Sens. Mark Warner (D-VA) and Ron Wyden (D-OR), chair of the Senate Finance Committee, ups the ante considerably. 

The Health Infrastructure Security and Accountability Act would require the US Department of Health and Human Services (HHS) to develop and enforce a set of minimum cybersecurity standards for healthcare providers, health plans, clearinghouses and their business associates. It also would remove the existing cap on fines under the Health Insurance Portability and Accountability Act.

The additional vulnerabilities of nursing home residents make them more attractive targets for cybercriminals, said Lance Reid, CEO of Telcion Communications Group, in an interview with McKnight’s Long-Term Care News Tuesday. That, combined with the vast amount of personal information that facilities, management companies and others in the sector hold, creates a target-rich environment for bad actors. 

“This makes it essential for long-term care organizations to adopt and enforce rigorous cybersecurity measures tailored to the unique needs of their residents,” Reid emphasized. 

Leaders of skilled nursing facilities and other entities could face jail time for lying about cybersecurity precautions. 

Threats of imprisonment

“The healthcare industry has some of the worst cybersecurity practices in the nation despite its critical importance to Americans’ well-being and privacy,” Wyden said in a press release announcing the legislation. “These commonsense reforms, which include jail time for CEOs that lie to the government about their cybersecurity, will set a course to beef up cybersecurity among healthcare companies across the nation and stem the tide of cyberattacks that threaten to cripple the American healthcare system.”

In April 2023, HHS released a new, online platform called Knowledge on Demand that offers free training to raise awareness of cyber issues. The five topics the platform covers are social engineering, ransomware, loss or theft of equipment or data, insider accidental or malicious data loss, and attacks against network connected medical devices, according to an agency statement. Providers can tap into new security training and other free resources designed to educate their workforce on avoiding activities that can open facilities to cyberattacks.

“Like all healthcare organizations, long-term care facilities face the continual threat of cyberattacks,” Reid said. “To protect their residents, long-term care facilities must invest in a layered approach to security, including the implementation of policies, procedures and advanced security layers. Multi-factor authentication is a must, along with strong internal security controls and comprehensive end-user awareness training to help staff recognize phishing attempts.”

Greater costs?

Bad actors who gain access to an individual’s personal data can simulate legitimate online activity, engage in fraud and take advantage of a senior’s increased susceptibility to cyberattacks, Reid added. Providers must also conduct regular, comprehensive audits that go beyond simple questionnaires, which often produce unreliable results due to misleading or uninformed answers, he said. 

“Ultimately, if legislation were to mandate specific cybersecurity tools and enforce penalties for non-compliance, it would likely push long-term care facilities to reprioritize their spending – elevating security practices across the board, while ensuring that protecting resident data becomes a central focus,” Reid said. 

In March, Change Healthcare, the nation’s largest healthcare billing clearinghouse, shut down for 10 days after a massive cyberattack that threatened major cash flow issues for post-acute providers and limited access to some patients’ medications. In August, Carespring Health Care Management was named in a class-action lawsuit over an October 2023 cyberattack in which hackers claim to have accessed a massive trove of data on nearly 80,000 people.

An August report from the cybersecurity firm Sophos found that two-thirds of respondents from the larger healthcare industry said they were hit by ransomware attacks in the past year — that’s up from just the one-third (34%) who said they were victims of attacks in 2020. Recovery from attacks is also taking longer, the firm said.