‘If You Are a Target, They Will Hack You’: Cyber-Hygiene Increasingly Important for In-Home Care Agencies

As technology becomes a bigger part of the home-based care universe, more agencies are starting to take cybersecurity seriously.

If they don’t, agencies are at risk of losing highly sensitive patient information and leaving their operations vulnerable. If that ends up happening, they could then end up on the hook for thousands of dollars or more.

The health care industry is the top target for data breaches, according to Wipro’s State of Cybersecurity Report 2018. In 2017, over 40% of reported breaches were from the health care world.


“We need to think about some of those things, especially when it comes to ransomware, [which is] on the rise,” Barbara Citarella, the president of RBC Limited, said recently at the National Association for Home Care & Hospice (NAHC) 2020 virtual Financial Management Conference. “And it is particularly dangerous to us home care and hospice providers.”

RBC Limited assists agencies with strategic planning for leadership, health care reform and business continuity.

Ransomware is a type of cyber attack where the perpetrator withholds stolen data or threatens to publish it until a ransom is paid. There are many examples of this happening to health care providers over the last few years.


In July 2018, for example, as many as 80,000 patients in Canada may have had detailed medical, financial and personal records stolen by a hacker group after it infiltrated the computer systems of home care services provider CarePartners.

Cyber attacks can play out a few different ways. Often, an individual within an agency hits a wrong advertisement or email, which enables a criminal to get into locked information.

Next, the perpetrator locks down the information systems so that no one within the agency or health system can access it. They then demand payment, usually through cyber money such as Bitcoin, Citarella said.

“In the last year, a significant number of health care providers have been hit with ransomware events,” Citarella said. “One particular facility decided not to pay a ransom. And it ended up costing them $10 million. It was a large health care system, and they had to start from scratch. They were working for months with paper documentation.”

Other providers have paid out ransoms as large as $1.5 million after negotiating down from around $5 million in demands. In that case, cyber attackers unlocked the information.

But only two-thirds of criminals typically re-grant access to the data they’ve withheld once a ransom is paid, according to Citarella.

The ultimate question for agencies to consider is how much they are willing to pay if they’re struck by a ransomware attack.

In some cases, perpetrators even contact patients to get money from them as well.

New technological advancements and different usages of computers with remote work during COVID-19 makes providers particularly vulnerable to these sorts of issues. Some are willing to pay a lot to settle the problem once it has happened — and others are completely unwilling to pay.

“We know these types of attacks are happening,” Citarella said. “In the world we’re in right now, we are bringing in other systems [that we didn’t used to work on]. We do third-party billers. We’re doing Zoom meetings. We’re using a lot of different platforms that we don’t normally utilize on our computers.”

Password management

If hackers want to hack you, they most likely will be able to. Their motivation to hack you is usually greater than yours is to protect yourself, at least until something bad happens, John Prost, the director of information technology at Mueller Prost, said at the Financial Management Conference.

“If you are a target, unfortunately, they will hack you,” Prost said. “What you need to do is take the measures to protect yourself and put as many hurdles in front of them as you can. Hopefully, they will get tired of trying to hack you and move on to somebody else.”

Prost is a security and cybersecurity expert.

Agencies’ No. 1 priority should be securing passwords, both at an individual and group level.

Weak passwords and re-used passwords are one of the simplest ways to get hacked. Likewise, strong passwords are one of the best ways to give yourself a fighting chance against hackers. Despite strong-password awareness seemingly being high, reports show that it’s still one of the biggest threats in cybersecurity, Prost said.

Getting a password manager that can store encrypted passwords online is a good starting point. Next is two-factor authentication.

Overall, agencies need to educate themselves and their employees and beware of the threats.

“Agencies need to have a certain hygiene — you wash your hands and you disinfect [your equipment]. The same thing holds true with the cyber world,” Prost said. “You have to have good cyber-hygiene. Use two-factor authentication, be careful where you go on the internet. … Be aware, take precautions and be careful.”

Companies featured in this article: