Addressing Common Technology Security Issues in Senior Care Settings

Peter Robert, co-founder and CEO, Expert Computer Solutions

Today’s senior care facilities rely heavily on technology. From EMR databases to desktop computers to medical equipment, technology is essential to a facility’s functionality and safety.

But when you’re working with technology, security vulnerabilities are always a concern. Identifying and solving these vulnerabilities early on can help a facility protect resident privacy and safety and ensure continuous operations.

Common Technology Security Risks in Senior Care Settings

Senior care facilities may be particularly vulnerable to security risks for multiple reasons. Peter Robert, co-founder and CEO at Expert Computer Solutions, explains that many facilities don’t have the funds or otherwise don’t invest enough money into cybersecurity. Some facilities lack the budget to monitor and update their systems.

“The most common technologies found for nursing homes that are open to compromise include old Windows 7 computers and 2008 servers,” explains Robert. “These devices no longer receive updates from Microsoft and are vulnerable to attacks.”

Robert notes that sometimes facilities continue to use these devices because of a lack of funds to update them. In other cases, patients and residents are most comfortable with the devices, so they are left in use. If facilities change those devices out, they will need to be prepared with a budget for new equipment and the time to train residents in how to use it.

EMR systems can also be a source of security vulnerabilities. EMR systems are available as both on-premises systems that run on the client’s servers, and as cloud EMR systems that are accessible via a website. Each type has different vulnerabilities.

“For on-prem EMR solutions, the major vulnerability is the servers and computers that run the system,” explains Robert. “Many of these systems are on Windows operating systems. This requires constant upkeep to make sure the solution is up to date, security patches are applied, and patient data is backed up. Each facility is responsible for these updates. Without maintenance, the system is open to a cyberattack. Additional software like antivirus and intrusion detection is required to make sure the systems are secured.”

The EMR provider is responsible for any updates and security of a cloud EMR system, but the most significant risk is still the user. “Many EMR today still do not support multi-factor authentication,” says Robert. “Because the EMR is publicly accessible, if a password for an employee is compromised, a hacker can access the system and all of the patient information.”

How to Identify and Address Security Weaknesses

Robert recommends that facilities run an IT audit to identify security weaknesses. Expert Computer Solutions offers a free self-assessment that can be scheduled online, as well as a full audit that is a paid service. The National Institute of Standards and Technology also offers resources about best practices when it comes to vulnerabilities.

Facilities need to take additional steps to address other potential security risks. Staff training and education play an important role in cybersecurity. Through this training, staff will learn about best practices to protect company data and how to identify phishing attacks. KnowBe4 specializes in security training and offers simulated phishing tests.

Facilities can also invest in security services that monitor and alert staff quickly in case of a security risk. Larger companies in this niche include Perch, SentinelOne, and Trend Micro XDR.

Robert notes that in addition to companies that offer these services, there is now a division called Managed Security Service Providers. “Companies within this division specialize in monitoring, alerting, and taking action on behalf of the company when an issue occurs.”

Best Practices When Hiring a Cybersecurity Partner

Hiring a cybersecurity partner can help a facility to better understand, identify, and act quickly in the event of a cybersecurity risk. However, it’s important that the facility choose the right partner for its security needs. Robert recommends that a facility consider whether a business specializes in security, or if it focuses on technology.

“Many Managed Service Providers (IT support companies) are now providing the security service, but not all of the providers have the right tools and the staff to do a good job,” he explains.

A facility should also consider whether the company is providing full service or just an alerting service. Robert notes that many companies that offer security solutions only provide alerting services. “This means that when a security issue occurs, the provider’s responsibility ends when they send you an email or call you on the phone. Depending on the business that needs support, they may not have the staff required to stop an attack at 2 AM,” says Robert.

A third important consideration is a managed security service provider’s insurance and accountability. “If there is an incident and the provider does not take action needed to safeguard your business, what is the company’s protection?” says Robert. “It is always a great idea to check what options are available in a worst-case scenario.”

Addressing cybersecurity and technology vulnerabilities early on is a valuable insurance policy against potential security breaches and larger problems down the line. If a facility has not been actively monitoring its security vulnerabilities, an IT audit and enlisting the help of a knowledgeable partner are a good place to start.

