With increasing digitisation of healthcare records, communications and decision-making, care home operators face an array of cybersecurity threats. These threats, both internal and external, have potential to jeopardise resident safety, imperil data integrity, create reputational damage and interrupt operations to the detriment of residents, staff and shareholders.
Steps can, and should, be taken to understand and plan for each risk, maximising your ability to respond. The risks attaching to cyber incidents are significant and can ultimately result in business failure.
Understanding cyber threats
External threats are well known. In ransomware attacks, malicious software infiltrates systems, encrypts data, and the third party controlling that malware demands a ransom for the data’s release. In June 2024, Synnovis, a pathology partnership between Guy’s and St Thomas’ NHS Foundation Trust, King’s College Hospitals NHS Trust and SYNLAB, was a victim of a ransomware cyberattack, resulting in a major IT incident and a significant reduction in capacity to process samples. This was believed to be the biggest ever cyber-attack on the NHS.
Phishing attacks, a leading cause of personal data breaches in the healthcare sector, use deceptive emails or messages to entice users into revealing sensitive information. Phishing emails have developed in sophistication and can be indiscernible from a legitimate email to the casual viewer. In 2021, the Irish Health Service Executive was infected by malware originating from an innocuous Excel attachment to a phishing email, which ultimately shut down 80% of the organisation’s IT systems, causing a cascade of cancellations, equipment failures and treatment delays. Full recovery of the systems took over six months.
Distributed Denial of Service (DDoS) attacks, such as that affecting several public healthcare institutions in Singapore in 2023, are relatively easy for the disaffected to arrange. Flooding servers with requests can readily overwhelm networks to disrupt services and compromise patient care.
Cyber threats are not always from an external source. Your staff are generally your biggest asset as a care home operator, but in certain instances they may be a serious risk. With access to an organisation’s hardware, a disaffected employee may have ample opportunity to damage the vital operational systems upon which the business relies. USB connections, ineffective access controls and poor security practices are all possible gateways for the motivated individual to attack.
Balancing security and care continuity
Cyber resilience demands significant planning and investment. Care home operators must allocate monetary and operational resources for appropriate and robust security, including access controls, firewalls, and intrusion detection systems. Software and hardware must be continually updated, and appropriate specialist staffing or third-party support must be retained. Balancing resource allocation between operational necessities and cybersecurity is a key concern.
Security measures are crucial but do need to be tailored to the operator and circumstances. They must be designed with an understanding of the care home’s staff and their needs in mind. Every layer of access control has the potential to affect the care that staff can provide.
When security measures disrupt workflows (e.g. where there are frequent password prompts), they can hinder the ability to provide timely care. Ill-planned or overly complex changes to security measures may lead to spikes in support requests, which must be addressed promptly. Frustration with systems results in higher staff turnover, which in turn hinders the ability of care homes to provide their services; security design must therefore also aim to prevent user dissatisfaction.
Risk-based prioritisation
Risk assessment plays a pivotal role in making appropriate security decisions, allowing care providers to proactively manage potential threats. Armed with a risk assessment that covers the financial, legal, reputational, operational and clinical risks that may result from different types of cybersecurity breach, care home operators can triage issues based on their severity and potential impact. By understanding and prioritising threats across various domains, you will enhance your resilience while maintaining effective service delivery and limiting your regulatory exposure.
Essential cybersecurity interventions
Interventions appropriate for each care home operator will vary but are both technologically and organisationally focussed.
Seven technological interventions
- Implement multi-factor authentication to ensure only authorised personnel access sensitive systems.
- Segregate datasets so staff can only access data relevant to their role.
- Establish an outward-facing security perimeter, including encryption and firewalls to filter incoming and outgoing traffic.
- To counter internal threats, adopt an intrusion detection system to monitor network activity for suspicious behaviour and alert staff to potential threats.
- Regularly update operating systems and applications, and apply security patches promptly to address known vulnerabilities.
- Use reliable antivirus software to detect and prevent malware infections.
- Regularly back up critical data to ensure it can be restored in case of data loss due to cyber incidents or hardware failures.
Five organisational interventions
- Pre-plan steps to take during a security breach in a hard copy incident response plan to ensure a coordinated and effective response.
- Test the incident response plan at regular intervals to identify gaps and refine procedures.
- Evaluate the cybersecurity practices of suppliers or partners who may have access to systems or data, with ongoing checks made periodically throughout the relationship.
- Train staff to use the systems provided to them and guide them to identify and report phishing emails and other suspicious activity.
- Invest in cyber insurance to protect your care home from the financial fallout of cyber-attacks.
By fostering awareness and implementing effective cybersecurity measures, care homes can protect their data, their reputations and the quality of the services they provide to their residents and families.
Contact us
Do get in touch with Claire Williams if you require support with getting your care home cyber ready and/or if a breach occurs. Our cyber response team can help assess and assist with any UK GDPR regulatory notifications to the Information Commissioner’s Office and to affected individuals. We can also help with taking legal action and defending against claims.