​Post-acute care facilities play a unique and critical role in the health care ecosystem, providing comprehensive support and services to individuals requiring extended medical assistance beyond traditional hospital stays. Unlike acute care settings, post-acute care facilities cater to residents with diverse needs, offering a continuum of care ranging from skilled nursing and rehabilitative therapies to assisted living, memory care, and behavioral health services.

However, with this specialized focus comes distinct challenges in the realm of cybersecurity. Additionally, the recent staffing mandates announced by the Centers for Medicare & Medicaid Services (CMS) as of April 22, 2024, pose further hurdles, potentially straining resources and complicating cybersecurity efforts.

In an era where data breaches and cyber threats loom large, the importance of cybersecurity in post-acute care facilities cannot be overstated. Beyond the imperative to safeguard sensitive patient information, post-acute care providers must also address the growing complexity of regulatory compliance and the increasing interconnectedness of health care systems.

Recent breaches, such as those experienced by Change Healthcare, underscore the urgent need for robust cybersecurity measures in post-acute care settings. These incidents not only compromise patient data but also jeopardize the trust and reputation of health care organizations.

Health care data breaches have incurred the highest average cost among all industries, reaching $10.93 million, with a significant 53.3 percent increase over the past three years. Personal data, particularly customer and employee personally identifiable information, remains a prime target. Breaches often involve data stored across multiple environments, resulting in prolonged detection and containment times, averaging 291 days. Phishing has become the leading initial attack vector, surpassing compromised credentials and cloud misconfiguration.

The HICP Framework

Recognizing the criticality of cybersecurity in post-acute care, the Department of Health and Human Services (HHS) introduced the Health Industry Cybersecurity Practices (HICP) framework. Developed in collaboration with cybersecurity experts and health care stakeholders, the HICP framework offers comprehensive guidance and best practices tailored specifically to the health care sector. At its core, the HICP framework aims to enhance cybersecurity resilience and mitigate cyber risks across the health care continuum.

The HICP framework comprises 10 key practice areas, each addressing critical aspects of cybersecurity management and risk mitigation. These practice areas serve as a blueprint for post-acute care providers to assess and enhance their cybersecurity posture effectively. From email protection systems and endpoint security to vulnerability management and cybersecurity governance, the HICP framework provides a comprehensive roadmap for strengthening cybersecurity defenses in post-acute care settings.

1. Email Protection Systems: Implementing robust email security measures, including encryption protocols and phishing detection mechanisms, to mitigate the risk of email-based threats and data breaches.
2. Endpoint Protection Systems: Deploying advanced endpoint security solutions to safeguard devices and endpoints from malware, ransomware, and other malicious intrusions.
3. Access Management: Establishing stringent access controls and authentication mechanisms to regulate user access to sensitive health care data and systems, thereby reducing the risk of unauthorized access and insider threats.
4. Data Protection and Loss Prevention: Implementing data encryption, backup, and recovery strategies to protect sensitive patient information and mitigate the impact of data breaches or loss incidents.
5. Asset Management: Maintaining an accurate inventory of IT assets and medical devices to ensure visibility and control over the health care IT infrastructure, thereby reducing the risk of unauthorized access or device compromise.
6. Network Management: Implementing robust network security measures, including firewalls, intrusion detection systems, and network segmentation, to protect against external threats and internal network vulnerabilities.
7. Vulnerability Management: Conducting regular vulnerability assessments and patch management activities to identify and remediate security vulnerabilities in software applications, operating systems, and IT infrastructure components.
8. Security Operation Centers and Incident Response: Establishing dedicated security operation centers (SOCs) and incident response teams to monitor, detect, and respond to cybersecurity incidents promptly, thereby minimizing the impact of security breaches and ensuring timely remediation.
9. Network Connected Medical Devices: Implementing security controls and risk management protocols to secure network-connected medical devices and Internet of Medical Things (IoMT) devices, thereby safeguarding patient safety and preventing potential cyber threats.
10. Cybersecurity Oversight and Governance: Establishing robust cybersecurity governance frameworks and regulatory compliance programs to ensure accountability, transparency, and continuous improvement in cybersecurity practices and risk management strategies.

In conclusion, post-acute care facilities face unique challenges in implementing cybersecurity measures. Unlike acute care settings, they may lack the financial resources to handle large fines or defend against litigation from data breaches. Additionally, end users in these settings may lack technology sophistication, making them susceptible to phishing scams and other social engineering attacks.

Therefore, adherence to the HICP framework is crucial for post-acute care providers to safeguard patient data and ensure cybersecurity resilience. By adopting best practices and leveraging advanced security technologies, they can effectively mitigate cyber risks and uphold their commitment to patient safety and care quality. Prioritizing cybersecurity in these settings is essential for uninterrupted care delivery and maintaining patient trust. Partnering with cybersecurity experts can further strengthen defenses and ensure ongoing compliance with regulatory mandates, ultimately preserving patient safety and privacy.

To begin your cybersecurity journey:

1. Assess your organization's alignment with the HICP top 10 practices.
2. Initiate a discussion with trusted advisors to identify and address potential security gaps.

Here are some key statistics regarding cyber threats in long-term care facilities for the year 2023:

• An unwanted record was set in 2023 with 725 large security breaches in health care reported to the Department of Health and Human Services (HHS)
• An analysis by the cybersecurity firm Emsisoft revealed that 46 hospital systems suffered ransomware attacks in 2023, which is an increase from 25 in 2022 and 27 in 2021. These attacks directly affected at least 141 hospitals and caused significant disruptions.
• The health care sector experienced about 295 breaches in the first half of 2023 alone, impacting over 39 million individuals.
• It was reported that approximately 1 in 3 Americans were affected by health-related data breaches in 2023, indicating a surge in the number of attacks.

These statistics underscore the escalating threat landscape and the importance of implementing robust cybersecurity measures to protect sensitive patient information and health care infrastructure in post-acute care facilities.

Phil Wong is cybersecurity practice director at Redapt, Inc.  Kristen Berglas is client director at Redapt, Inc. She can be reached by email at kberglas@redapt.com, by phone at (425) 523-6080, or on LinkedIn.

References:

• AHCA and Change Health care's impact to PAC
• 2023 Cost of a Health care Data Beach
• 405 (d) HHS.gov HICP 2023