For home-based care providers, cyber attacks are less likely to be an “if,” and more likely to be a “when.”
And, as cyber attackers get more creative and persistent, it’s important for providers to understand the implications of attacks.
“Over the last 18 months, we’re seeing massive impacts to patient care,” Fortified Health Security CEO Dan L. Dodson told Home Health Care News. “In the health system space, we’re seeing organizations go down for weeks and months, literally diverting care. It’s one thing for a patient record to be exposed, and nobody wants that. But it’s an entirely different set of circumstances when you can’t deliver care.”
Fortified Health is a Tennessee-based cybersecurity firm.
In order to be as prepared as possible, provider leaders need to know what to look for and what their staff needs to look for. They also need to be equipped with the proper resources when an attack does come to fruition.
Over the past decade, cyber security experts have seen a gradual uptick in cases where attackers are pursuing private information.
“It hasn’t been just this year, although we have seen a number of them already, but it’s gradually been increasing probably over the last 10 years, especially at the start of 2020,” Barbara Citarella, the president of RBC Limited, told HHCN. “The problem for most home-based care agencies is they don’t know what to do when a cyber event happens: what the protocol is, who they should be calling, how detailed it is — to make sure that you’re covering yourself in regard to HIPAA violations and things like that.”
RBC Limited assists agencies with strategic planning for leadership, health care reform and business continuity. Citarella also serves as a subject matter expert to the United States Assistant Secretary of Preparedness and Response.
Cyber attacks on health care organizations are perfect for attackers, Citarella said, because of the wide dearth of information held by health care organizations.
Home-based care providers’ systems are generally vulnerable to attacks, Citarella said. Thus, they should be doing regular risk assessments and should be backing up their own data on a separate server.
“We had a big home care event that took place in 2019, and the agencies that backed up their own data were up and running very quickly, and the agencies that used a third-party biller couldn’t access their information for a long time,” Citarella said. “Agencies have to back up their own information on a separate system, and they should be testing that separate system to see how quickly they can get up and running.”
Consolidation of home health and home care agencies have added to the urgency for protection to be put in place, Citarella said. The attackers are also evolving as the industry grows.
“They’re much more sophisticated,” she said. “They’re coming from a number of countries and interestingly enough, drug cartels are now doing it. It’s a lot easier to take information and steal somebody’s identity if you don’t have to have a force out on the ground. You just need a bunch of people in an office.”
Jason Vander Velde, a senior manager on the IT management team at Wipfli, also has seen an uptick in sophisticated attacks.
A decade ago, phishing emails from Russia were easy to spot to the untrained eye, he said. That is no longer the case.
“Because social media and the amount of information available on Facebook, LinkedIn and on company websites, there is so much information out there. So these phishing emails are getting crafted extremely well and it’s starting to get almost impossible to decipher whether it’s legit or not,” Vander Velde said. “There are certain security controls – like multi-factor authentication, perimeter vulnerability assessments and internal vulnerability assessments – that agencies need to be doing to make sure their information and recovery systems are in place.”
The cold truth is that even as agencies contemplate these realities, plenty of them are under attack right now.
“Many of the organizations are probably already under attack as we speak,” Dodson said. “The question becomes: How is your organization positioned to recover from that?”
Dodson says that financial implications could hurt agencies of any size. The sticking point, however, should be the delivery of care and the potential interruptions of that.
“That gets people’s attention,” he said. “As you build your strategy as a home health care provider, you need to be mindful of a situation if your core operating platform, your EHR platform were to go down? What would be the clinical impact? Could you continue to deploy your mobile resources into people’s homes in an effective way without system X, Y, Z?”
The result of poor outcomes – especially in today’s value-based world – should put cyber attacks more on providers’ radar, experts believe.
“When this happens, the patients suffer,” Dodson said. “That’s what I think gets these conversations moved up into the C-suites. These attacks impact patients, No. 1, and revenue, No. 2. If you’re not prepared for these attacks, they can be pretty devastating in both areas.”