In recent years, the skilled nursing sector has faced an escalating threat from cybercriminals, posing significant risks to the operations of nursing homes.
Due to the rapid rise in use of technology since the COVID-19 pandemic, experts in the sector have noticed an uptick in cybercrime and insurance underwriters are demanding nursing homes protect themselves from these threats. So, although cybersecurity protocols can be costly, they have become necessary, especially given greater digital connectivity in nursing homes for electronic medical records (EMR), telehealth, virtual meetings, and family interactions.
From implementing multi-factor authentication programs to enacting training initiatives countering pervasive phishing attacks, nursing homes are now in the midst of stepping up their cybersecurity efforts.
And even though nursing homes are not currently bound by federal cybersecurity requirements, it is important to note that the Centers for Medicare & Medicaid Services (CMS) plans to introduce new cybersecurity requirements for hospitals. Also, the Department of Health and Human Services (HHS) will update the Health Insurance Portability and Accountability Act (HIPAA) in the spring.
Meanwhile, HHS recently issued strategies to bolster cybersecurity in health care. In response to the escalating threats, HHS aims to enhance health care organizations’ resilience by establishing voluntary industry-specific performance goals, collaborating with Congress for new authority and funding, and integrating cybersecurity goals into existing regulations and programs.
The move comes as health care organizations have experienced a surge in cyberattacks, posing risks to patient safety and privacy. The HHS’ Office for Civil Rights reported a 93% increase in large breaches from 2018 to 2022, with a staggering 278% rise in breaches involving ransomware. Ransomware attacks, where criminals demand payment for restored access to critical files, have led to nearly 14 days of downtime on average for health care organizations.
The surge in cyber threats amidst COVID-19
Nick Patel, CEO of ThriveWell Tech, highlighted a notable increase in cyber threats during the COVID-19 pandemic, attributing it to the industry’s rapid digitization.
Patel said that traditionally, nursing homes relied less on technology, often utilizing on-premise software due to budget constraints and the nature of their people-centric operations. However, the pandemic necessitated connectivity for telehealth, virtual meetings, and family interactions to happen digitally.
“If you think about each senior living campus as a light and you’re trying to look at the map of the U.S., the whole country was fairly dark,” Patel said. “Now suddenly, in COVID, all these lights went off, where cybercriminals can look at and say that’s a new industry that we didn’t even know existed.”
Evolution of cybersecurity measures
Patel said that as cyber threats increased, insurance companies took notice and began mandating cybersecurity protocols for nursing homes. By 2023, there was widespread adoption of basic cybersecurity tools enforced by insurance companies to mitigate risks. One prominent measure implemented was multi-factor authentication (MFA), a crucial step in enhancing security.
However, Patel noted challenges in implementing MFA due to the additional cost associated with third-party software, especially for EMR systems lacking native MFA features.
Yet implementing these programs is still a must for operators, Patel said.
“We’ve seen some of these cases where the cyber criminal knows the right value to ask for,” he said. “They’re pretty savvy and knowing this is what this customer can afford. So they price it such that it’s just enough for the institution to consider it. Because the cost of saying no is going to be more because they’re now frozen, they can’t operate.”
Patel said there are also “ethical hackers” who honor their word once paid.
“They release you and they don’t come back,” he said. “And insurance companies have kept track and they’ve been able to prove out that we’ve seen the telltale signs that we know who this attacker is, and we don’t see them coming back to haunt you if you pay them.”
Countermeasures implemented by nursing homes
In response to the escalating threats, nursing homes adopted various countermeasures to strengthen their cybersecurity posture. Patel highlighted the prevalence of phishing attacks as the primary threat vector and discussed the adoption of phishing training programs within the industry. These programs simulate phishing attacks for training purposes, helping staff recognize and avoid potential threats.
Additionally, email filters were implemented to provide an extra layer of protection. Patel discussed the three main functions of advanced email filtering technologies, including the quarantine of suspicious emails, blocking emails from known bad actors, and preventing malicious payloads from causing harm.
Steve LaForte, chief legal officer and EVP of Corporate Affairs for Cascadia Healthcare based in Idaho, said that phishing attacks are so common that he is often overly cautious with emails.
“I probably get two or three phishing attempts every day and I’m more often wary than not,” he said. “Sometimes, they get things that are actually real, and I send it off to the phishing bin.”
Ongoing awareness and training
As cyber threats continue to evolve, Patel emphasized the importance of ongoing awareness and training within the nursing home sector. Phishing requires continuous education to ensure staff remains vigilant, and Patel acknowledged the positive impact these programs have had in reducing the likelihood of falling victim to phishing attempts.
“More awareness will never hurt and more training is always a great thing to continuously provide,” he said. “It is the largest threat vector and is very easy for criminals to continuously try and attack at a very low cost [to the hackers]. So, it doesn’t seem like it’s going to slow down or stop.”
He said that cybersecurity is going to be a big topic for the upcoming presidential election as well.
“You’re gonna hear a lot about this in the election,” he said. “It is one of the largest threats – like how we traditionally look at our Department of Defense as our best security. I think going forward, our cyber has to become a pretty big spend for the government to protect the country. [The federal government] is going to slowly start mandating that institutions put [protection measures] in place because if a hospital system is serving 5 million people, the 5 million people are at risk if the institution is attacked.”