For General Inquiries, call: 614.889.6555 | Get your "Cybersecurity TIP of the Week"

Young woman in striped shirt working on laptop at desk in a bright modern office with plants and books.

Accreditation Insights: CARF’s Focus on LTC Security

July 16, 2025

CARF accreditation signals that your LTC facility is committed to quality and accountability. And as of this year, that includes cybersecurity.

CARF's 2025 LTC standards now emphasize the protection of resident data as part of their risk management and technology sections. This means facilities seeking accreditation—or maintaining it—need to show: - Documentation of cybersecurity policies and procedures - A completed Security Risk Assessment - Ongoing staff training on cyber hygiene - An incident response plan with testing history.

But it's not just about the paperwork. Surveyors now ask specific questions about how your systems are monitored, what kind of staff education is being provided, and whether your leadership can clearly explain the WISP (Written Information Security Program). Facilities without a WISP or any documentation of testing are being flagged—even if no breach has occurred.

For one Ohio facility seeking CARF renewal, the cybersecurity section was a wake-up call. Their leadership team had strong clinical protocols, but little documentation on IT security. Working with a managed services provider, they built a WISP, trained all department heads, and completed a tabletop drill before their survey. Their preparation earned them a commendation—and helped secure cyber liability insurance renewal.

"Excellence is not a single act, but a habit." - Aristotle

By contrast, another organization delayed preparation and was marked deficient in tech risk documentation. They passed—but barely—and were told to implement immediate corrective actions to stay in good standing. Leadership described the experience as "scrambling through unknowns."

"You don't get what you hope for. You get what you prepare for." - Atul Gawande

CARF is sending a clear message: security matters as much as safety. Not just for HIPAA—but for reputation, risk management, and family trust. And with many families asking more questions about data privacy during care planning meetings, being ready isn't just smart—it's strategic.

If CARF walked in next week, could you demonstrate how your systems protect your residents?

Learn more about Affiliated's healthcare-specific IT Support and Services in Columbus and the Central Ohio areas by clicking here.

Fill Out The Form Below To Request a Free Consultation

 

Recent Articles

Orange business continuity toolkit with icons for backup, strategy, recovery, remote access, and failover systems.

Business Interrupted: The Unexpected Disaster Your IT Provider Should Be Planning For

 Autonomous container transport vehicles moving cargo containers at a shipping terminal emphasizing the importance of cyber security in supply chain logistics.

Logistics, Compliance & Cyber Risks: What Supply Chain Leaders Need to Know

 Modern automated industrial machinery line in a clean, spacious manufacturing facility with overhead piping and lighting.

The Real Cost of Downtime in Regulated Tech Manufacturing