Cybersecurity Alert: Is Your Resident Data Safe?

Category

Compliance

As of November 2023, more than 100 million U.S. healthcare records have been breached this year, according to data reported in HIPAA Journal.  Yes, that’s 100 million – and CCRCs, like any healthcare organization, are highly desirable targets for cybersecurity criminals (also often referred to as “cybersecurity threat actors”).

That’s why compliance planning must include measures to prevent cybersecurity attacks. Here we discuss tips, best practices, and regulatory requirements that help guard your community from experiencing a data breach.

Why do Cybercriminals Target Long-Term Care Organizations?

In short, resident and patient information is valuable, making any healthcare organization an attractive target for cybersecurity threat actors. Medical records contain personal identifiable information (PII) and protected health information (PHI). Threat actors use both PII and PHI to commit identity theft and other forms of fraud (e.g., using resident data to obtain a loan or to obtain prescription drugs to sell for profit), or to sell on the black market.

In the long-term care industry, where a high number of deaths occur, hackers know they can prey on the information of recently deceased individuals for these fraudulent purposes.

The Consequences of a Cybersecurity Breach

A cybersecurity breach damages a CCRC’s reputation and can sow doubt in the minds of residents and family members. (After all, if resident data is vulnerable, are there other safety and security issues to worry about?)

For the residents who become victims of a data breach, there may be financial ramifications and the emotional distress of having personal information violated.

Financial Impact

Data breaches also are expensive. The average cost of downtime resulting from cybersecurity attacks is $427 per minute, with each breached medical record costing an average of $137, according to data from the law firm Butzel Long.*

Here are some examples of settlements shared by Butzel Long* that healthcare organizations have experienced as a result of data breaches:

  • $1.3M penalty and CAP for failure to perform a Risk Analysis and implement security measures
  • $240,000 CMP and CAP for snooping employees/failure to implement reasonable and appropriate P&P to comply with the Security Rule
  • $1.25M penalty and CAP for failure to conduct a risk analysis
  • $5.1M penalty for failure to conduct an enterprise-wide risk analysis, and failures to implement risk management, information system activity review, and access controls
  • $6.85M penalty for failure to conduct an enterprise-wide risk analysis, and failures to implement risk management, and audit controls

Critical Actions for Ensuring Data Security

Detecting cybersecurity threats requires a fair bit of technical competence. For that reason, it’s important to partner with an external resource to conduct cybersecurity risk assessments at least annually.

Conduct an Annual Security Risk Assessment*

This should include an assessment of both internal and external cybersecurity risks:

  • Internal vulnerability assessment: Cybersecurity threat actors are adept at identifying vulnerabilities in servers, internally used computers, and software that will allow them to access to data and infiltrate the network.

    An internal vulnerability assessment is designed to help organizations detect and address these vulnerabilities. Vendors use scanning technologies and a vulnerability database to generate customized reporting to help IT teams prioritize and remediate any vulnerabilities detected.
     
  • External vulnerability assessment: This will detect areas of vulnerability in externally facing devices (i.e., those that are open to the internet). Like an internal vulnerability assessment, you’ll receive a report detailing avenues that could potentially be compromised by a threat actor and best practices for resolving them.

Other Types of Cybersecurity Vulnerability Assessments*

Office 365: Several default settings are vulnerable to email phishing campaigns by threat actors.

Firewall/VPN assessment: A compromised firewall/VPN (e.g., with misconfigurations to network, access and security settings) can leave your organization vulnerable to threat actors.

*Source: Butzel and Long, Network Vulnerabilities: Tips for Understanding and Assessing Vulnerabilities That Threat Actors Use to Compromise Your Electronic Data. Presented at:

HCCA Healthcare Privacy Compliance Institute, October 30, 2023.

Additional Cybersecurity Best Practices

Work with your community’s IT department to ensure they follow these recommended best practices:

  • Use verified cybersecurity software.
  • Update software regularly.
  • Conduct regular vulnerability scans.
  • Back up data regularly.
  • Implement network segmentation (this involves dividing a computer network up into smaller parts to improve performance and security).
  • Strengthen system access controls with multifactor identification.Create and maintain an accurate inventory of all devices connected to organization networks.

Conduct a Ransomware Tabletop Exercise

Healthcare organizations also are vulnerable to ransomware attacks, where malware essentially prevents the organization from accessing its own network unless they pay the cybercriminals a specified amount.

CCRCs should conduct a ransomware tabletop drill as part of disaster planning. We at FSA recommend this step, as does OCR and the Department of Justice.

A ransomware tabletop drill should involve a scenario based on potential vulnerabilities (e.g., the systems that would be affected and the impact on operations). It might cover the following elements:

  • Roles and responsibilities of all involved parties
  • Communication protocols both internally and externally (e.g., with law enforcement or the media)
  • Legal and regulatory considerations
  • Technical aspects of response, such as how malware would be removed and data backups restored

Conduct Regular Security Training and Phishing Testing

In addition to hacking, human error or unintentional actions by employees account for a large percentage of healthcare data security breaches. Mishandling data or devices, accidentally accessing protected information, or opening a suspicious email are two examples.

Training to increase awareness among staff is critical – and it’s required under HIPAA (45 CFR § 164.308(a)(5), which specifies training on:

  • Security reminders
  • Protection from malicious software
  • Log-in monitoring
  • Password management

Phishing Testing and Training

Phishing attacks involve cybersecurity criminals using misleading emails, texts, or website links to lure people into parting with sensitive information (e.g., usernames/passwords) to gain access to a secure network. Educating employees to recognize signs of a phishing scam is a critical safeguard for CCRCs.

CCRCs should explore the use of automated and managed programs that administer monthly email phishing tests to randomly selected employees. The program documents when employees click on a phishing test email, and those employees can undergo additional training.

HIPAA and HITECH Requirements

In addition to HIPAA’s cybersecurity staff training requirements outlined above, additional requirements for ensuring security of PHI and PPI include:

Security Risk Analysis & Risk Management - 45 CFR § 164.308(a)(ii)

  • Risk Analysis: Covered entities /Business Associate must identify and document risks, vulnerabilities and threats to EPHI.
  • Risk Management: Covered entities must implement security measures to reduce risks.
  • Security Risk Assessment Tool

HITECH Recognized Security Practices

  • Implementing these practices is voluntary but might mitigate CMPs and other regulatory action after a data breach.

Additional Cybersecurity Resources

Check out these resources for additional guidance on cybersecurity:

Friends Services Alliance (FSA) is a national professional association of values-aligned organizations that serve seniors. Our support services include a team of Compliance experts who have supported organizations in developing and maintaining effective Compliance and Ethics Programs for more than 20 years.