Cybersecurity threats against healthcare organizations are rising. The 2024 Ponemon Healthcare Cybersecurity Report, sponsored by Proofpoint, revealed that 92% of healthcare organizations experienced a cyberattack in 2024, up from 88% in 2023. The average cost of the most expensive attack was more than $4.7 million. Strengthening senior living cybersecurity is crucial for senior living providers, who manage vast amounts of sensitive patient information, making them prime targets for cyberattacks. According to McKnight’s, nursing homes are often targeted by cyberhackers who compromise third-party vendors or facilities to access residents’, patients’, and employees’ data and use it for identity theft and fraud.
Recently, the Office for Civil Rights in the U.S. Department of Health and Human Services issued a HIPAA Security Rule Notice of Proposed Rulemaking to strengthen cybersecurity protections and better defend the healthcare industry against cyber threats. The rulemaking will proceed after the 60-day public comment period.
Some of the proposed changes to the HIPAA Security Rule include:
- Requiring encryption of electronic protected health information (ePHI) both at rest and in transit
- Using multifactor authentication
- Conducting regular vulnerability scans at least every six months and annual penetration testing
- Requiring written documentation of all Security Rule policies, procedures, plans, and analyses
- Creating a technology asset inventory and network map that illustrates the movement of electronic protected health information (ePHI) through the organization’s electronic information systems
- Conducting a compliance audit at least once every 12 months to ensure compliance with Security Rule requirements
- Requiring business associates to verify at least once every 12 months that they have installed technical safeguards required by the Security Rule to protect ePHI
Expert insights on senior living cybersecurity
Wes Vaux, Vice President of Information Security at Relias, emphasized the importance of a proactive approach to safeguarding sensitive data. “As cyber threats against healthcare organizations continue to escalate, senior living providers must take a proactive approach to safeguard sensitive resident, patient, and employee data,” he said. “At Relias, we advise organizations to go beyond compliance and build a resilient cybersecurity framework that aligns with industry best practices and regulatory expectations.”
Vaux noted that surveyors will likely focus on key areas such as encryption of ePHI, multifactor authentication, regular vulnerability assessments, and comprehensive security documentation. To stay ahead, he said, senior living providers should prioritize conducting biannual vulnerability scans, annual penetration testing, and maintaining an up-to-date asset inventory and network map to track the movement of ePHI. He added that clear and well-documented policies and procedures will be critical during audits, demonstrating an organization’s commitment to compliance and risk management. Regular staff training on phishing awareness and access controls is equally important, as human error remains a leading cause of breaches.
By embedding security into daily operations and staying informed on regulatory changes—such as the proposed updates to the HIPAA Security Rule—senior living providers can not only mitigate risks but also build trust with residents, families, and staff. “Cybersecurity is no longer optional; it is a fundamental component of delivering quality care in the digital world,” said Vaux.
Take a proactive approach to senior living cybersecurity
Here are a few steps to prepare for cybersecurity threats.
- Increase compliance efforts: Invest more time and resources to ensure compliance with the updated security measures. This includes conducting regular risk analyses, implementing stronger access controls, and developing comprehensive incident response plans to contain and lessen the damage.
- Enhance security measures: Adopt stronger controls that protect access to residents’ sensitive data, such as firewalls and multifactor authentication. Monitor all network activity for suspicious behavior and give employees access only to the data and systems they need for their roles.
- Conduct regular staff training: Train your staff in current security best practices, including recognizing phishing attempts and social engineering and following your facility protocols for data handling.
- Require greater accountability from vendors: Minimize risks associated with third-party vendors by assessing their security measures, ensuring compliance with relevant regulations, and regularly auditing their security practices. Require vendors to notify you immediately of any data breaches.
- Improve residents’ trust: Demonstrate your commitment to protecting residents’ data. This will help build trust with residents and their families, who will feel confident that their sensitive information is handled securely.
The landscape of cyber threats is evolving daily. Taking a proactive approach to senior living cybersecurity, increasing compliance efforts, and committing to ongoing staff training can help you face this challenge and keep your residents’ data confidential.