Cyber Crime: Is Your Senior Care Facility at Risk?

The rise of internet connectivity in all areas of life means your senior living facility could come under attack.

If you’re concerned that your senior living facility might become a target for hackers or a cyberattack, you’re not alone. Many businesses across the country have fallen prey to hackers and other cyber criminals, and senior living facilities are a particularly enticing target because of the trove of information housed in their computer networks.

2 Main Types of Cyber Attacks

Dean Chester, security evangelist and researcher at CoolTechZone

“Cyber threats that affect long-term care centers generally fall into two categories,” says Dean Chester, a security evangelist and researcher at CoolTechZone. “The first is data breaches. They occur when criminals steal a person’s sensitive data, unbeknownst to them.”

The second common threat for senior living facilities is ransomware. “During a ransomware attack, a perpetrator infects the victim’s system with a virus that encrypts all information in it and demands a ransom to unblock it,” Chester says.

Data Breaches

Dan Hanson, CPCU, Senior Vice President of Management Liability & Client Experience for Marsh & McLennan Agency’s Minneapolis operations, says that the more valuable — and vulnerable — info is related to the health histories of your residents.

“Social security numbers are ubiquitous and they’re not worth a whole lot on the dark web, maybe 10 cents apiece. Credit card numbers are worth a quarter. But a health record can fetch up to $1,000 on the dark web,” he says, because these documents can be used to commit Medicare and Medicaid fraud. It’s a lucrative business for enterprising cyber criminals, and it’s not actually all that difficult for them to find their way into your digital records and get the information they need to conduct their shady business.

Dan Hanson CPCU, Senior Vice President of Management Liability & Client Experience for Marsh & McLennan Agency

“Physically they can enter the building,” Hanson says. Senior living facilities are and need to remain open to the public, and most anyone can saunter in. If staff are not paying attention, it’s not that difficult for a brazen hacker to access a computer terminal and download what he or she wants to steal.


Criminals can also access your network remotely with ransomware, a type of software that encrypts your company’s data and files and prevents people in the facility from being able to access important documents and files. This type of hack often happens with the unwitting assistance of a staffer or another person who clicks a link that installs the software and sets up the problem.

Ransomware attacks are “often used to target medical facilities because not having access to your patients’ health information is a very time-sensitive problem that has to be dealt with as soon as possible, making it easier for the victim to agree to pay up,” says Chester. These can be particularly devastating attacks, because “not being able to access a patient’s information is often a question of life and death,” he adds.

Two common ways ransomware attacks get started are phishing schemes and social engineering.

Phishing Schemes

Hanson says phishing schemes involve a hacker sending out a flurry of emails that contain PDFs or Word attachments that, when clicked, can install spyware that burrows through a network and gathers valuable information. “Criminals will figure out the nomenclature for how a particular facility sets up their email addresses and send emails to everyone in the building. If just one person clicks on the link, then they’re in the system,” he says.

Spear phishing is more targeted: A hacker sets up an email address that looks like it’s coming from a person known to the target. The target (who is often in a position of authority) believes he or she is corresponding with a known contact and clicks the link or sends out information — leading to a devastating breach of privacy for an individual or all residents in a facility. “Once the hacker has access to that information, they can monetize it,” Hanson says, and potentially wreak havoc on your organization.

Social Engineering

In a social engineering attack, “hackers try to coerce their victims into following fake links or downloading malware. They use emotions to make a person do it. It can be fear or greed or any other feeling: the stronger, the better for the hackers,” Chester says. Once they convince the person to let them in, they can do whatever they want in the system.

Chester says that more than 95% of data breaches happen “because of the human factor. Usually it’s because employees open emails or attached files from unsafe sources, thus granting the criminal access to the system.”

So how can you help prevent cyberattacks?

Read our new article to get 5 Steps to Preventing Cyberattacks.

The Future of Cybersecurity

Hanson notes that the threat of cyberattacks is only going to increase as the world grows ever more connected. This includes certain medical devices that require internet connections, Chester says.

“There are some amazing advancements in medicine that rely on the Internet of Things and online connectivity. For example, exoskeletons that help stroke patients to recover are being developed. However, these devices that require constant internet access are all the more prone to being attacked, the reason being their often-inadequate security. Many smart devices, including medical equipment, provide very limited options for their passwords. On some, it is not even possible to change the factory password, which is extremely unsafe.” That’s a problem that device and equipment manufacturers are going to have to address as the threat of cybercrime grows.

Train Your Employees — and Get Buy-In from the Top

Chester underscores that training employees is the biggest thing you can do to prevent and mitigate catastrophe related to cyber attacks. “Every person who has access to the corporate network — and today that can be almost everyone who works for you — must know about the dangers of phishing, ransomware and social engineering. Whether you hire professionals to do the training or conduct it yourself, you need to make sure that your workforce knows at least the basics of cybersecurity.”

This is true at all levels of the organization, Hanson adds. “I think a lot of times people think this is an IT issue and they need to have the IT person’s address. This is actually an enterprise issue that starts with the CEO. You see CEOs getting fired and replaced because of how they handled cyber issues, and not everyone handles it responsibly,” he says.
