You Can Fight Back Against Cybercriminals

CAST | January 30, 2018 | by Geralyn Magan

Aging services organizations are embroiled in a fierce battle to keep their digital systems safe from cybercriminals. In the second part of our series on cybersecurity, chief information officers at 3 organizations offer tips to help you win that battle. Be sure to check out “Don’t Assume You’re Immune to a Cyberattack,” the first article in this cybersecurity series.

If you’re looking for a stress-free job, don’t become the chief information officer (CIO) of an aging services organization.

Sure, the job offers a large measure of creative satisfaction for those who like building digital systems that help long-term and post-acute care (LTPAC) organizations operate more efficiently as they strive to fulfill their missions.

But, in recent years, CIOs have also become embroiled in a fierce battle to keep those digital systems safe from cybercriminals intent on breaking in, stealing data, and selling that data to the highest bidder.

Helping them win that battle is the focus of new cybersecurity resources from the LeadingAge Center for Aging Services Technologies (CAST).

The Evolution of Cybercrime

“Years ago, we bought anti-virus software and everyone was happy,” says David Finkelstein, CIO at RiverSpring Health, a CAST Patron in New York City. “Back then, there really was no threat, no one was targeting you. Now, a single electronic health record is worth over $300 to a criminal. So, health care and long-term care have become targets.”

The evolution of cybercrime has spurred a growing vigilance among LTPAC organizations, which are becoming increasingly diligent about assessing the security of their technology systems, fixing vulnerabilities when they occur, and implementing policies and procedures designed to keep digital networks as secure as possible.

While no organization can make itself 100% secure, these steps can go a long way to helping the CIO sleep at night.

“If you have a major event, it could bankrupt the company, so that is a significant thing that keeps me up at night, to be honest,” says Bill Rabe, CIO of Covenant Retirement Communities, a CAST Patron based in Skokie, IL. “But even if it was a smaller, isolated event, the cost to our reputation would be huge. Residents and employees are looking to our organization to protect their information, so this type of exposure just reduces their trust in the organization. We don’t want residents or employees to have questions about whether we are doing the right things.”

Fortunately, there’s a growing recognition among LTPAC providers that an organization’s Information Technology (IT) department doesn’t carry the sole responsibility for “doing the right things” when it comes to cybersecurity. That responsibility rests with the entire organization, including the board of directors and executive team, the CIO and IT department, human resources (HR) personnel, and every single team member who touches a computer or handles data on a device during the work day.

Assessing Risk

At the start of any cybersecurity initiative, the board of directors and executive team must confer with the CIO and IT team to estimate the organization’s risk for a cyberattack, determine what the organization can afford to spend on security measures, and decide how much risk the organization is willing to take.

The risk posed by some cybersecurity threats may simply be too low to justify a hefty investment in security to protect against them, while the risk posed by other threats may be so high that the organization can’t afford not to allocate dollars to fix the underlying vulnerabilities.

No organization can make any of these decisions without current information about its security posture, warns Joe Kulnis, senior director of technology & compliance at The Asbury Group Integrated Technologies, a wholly owned subsidiary of Asbury Communities, a CAST Patron based in Frederick, MD.

The first step in that process—and one required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA)—is to conduct a formal assessment that will tell you if vulnerabilities exist and how serious they are.

“If you don’t know what your baseline is, there is no way for you to plan,” says Kulnis. “The assessment is a snapshot in time that says, ‘This is where you’re at and this is your potential of being violated based on the present threat environment and your environment.’ Only then can you decide where you will put your resources.”

The second step in the process involves developing a prioritized plan to address as many vulnerabilities as you can. One component of RiverSpring Health’s plan, implemented over the past several years, has been the use of multi-layered systems to reduce vulnerabilities.

“The real key is defensive depth,” says Finkelstein, who is a CAST Commissioner. “We don’t rely on just one system. We rely on a combination of different systems that track and send alerts for different threats. We also test often with outside people to validate that what we are doing is correct.”

Policies and Procedures

Every cyber action plan must be accompanied by policies and procedures that outline what the organization is doing to protect itself, and how security protocols will be implemented and by whom.

“You need to make sure that everyone in the organization knows what you are doing and why you are doing it,” says Kulnis. “Everything needs to be charted. Everything needs to be approved. You need that executive-level buy-in. Then, every department’s strategic plan can build off those policies.”

Policies should outline the overarching governance involved in keeping the organization safe, says Kulnis. For example, a policy might require that the organization back up its digital systems on a regular basis. A related procedure might set a schedule for performing and testing those backups so you can recover quickly from a ransomware attack, suggests Rabe, who is a CAST Commissioner.

“We also have policies in place to make sure that we are patching our software and doing updates for our intrusion prevention systems (IPS) like our virus protection,” he says. “You could spend a billion dollars on technology, but it is not going to do anything for you if you don’t have that all in place. So I spend a lot of time looking at and updating all of our policies and all our procedures.”

Writing and updating policies is only half the battle, warns Rabe. All team members, at every level of the organization, must be aware of the policies and committed to implementing them. This is particularly true of HR policies governing employee access to digital systems and of employee education about safe computing practices. Those policies will be addressed in Part 3 of this series.

Incident Response Policy

The policy outlining how you will respond when a cyberattack occurs is probably the most painful—and the most important—one you will write. That policy certainly came in handy for Kulnis in 2017 when Asbury Communities found itself dealing with a successful phishing attack that compromised employee financial records.

“The operations team was brought in and immediately made aware of the incident,” says Kulnis. “There was maybe a 24- to 34-minute delay from the time I found out about the incident to the time everyone was mobilized.”

The quicker you can respond, the less damage a cyberattack is likely to do, says Rabe.

“If you can get to it fast, if you have a good response plan, hopefully you can at least mitigate the incident somewhat,” says Rabe. “But if it takes a lot of time, the incident could just get worse as more systems are impacted.”

Covenant’s plan identifies different response strategies for different types of devices, including lost laptops. There’s also a policy for how the organization’s Help Desk will determine how serious a reported cyber event is and who needs to know about it.

No matter what your approach, warns Kulnis, make sure you test out your response plan before a problem occurs. After Asbury’s 2017 incident, Kulnis was glad he had followed his own advice.

“The way it was addressed was through rehearsal and practice, learning what didn’t work when we practiced it, and then going back to inside or outside experts to hone the plan so we could respond as quickly as we did,” he says.

Kulnis’ team didn’t stop there. After its initial response to the incident, team members evaluated their performance and identified what they could have done better or differently.

Sleeping At Night

Rabe, Finkelstein, and Kulnis all report that their organizations have purchased insurance to cover the costs of recovering from a cyberattack. That cyber insurance, along with the steps the organizations have taken to increase security, has helped all 3 sleep better at night.

Still, each CIO has a healthy measure of paranoia about the next cyber threat that could be hiding around the corner.

“Sometimes being scared a little bit is a way to open your eyes and get beyond the ‘It’s not going to be me’ type of thinking,” says Rabe. “There is some good to that. But you don’t want to over-scare people to the point where they can’t do their day-to-day jobs either. You need a balance.”

Take A Deeper Dive

For more in-depth information about cybersecurity:

In addition, be sure to check out “Don’t Assume You’re Immune to a Cyberattack,” the first article in this cybersecurity series. A forthcoming article will provide tips for ensuring that employees have the training and education they need to keep your digital systems safe.