
What the New HIPAA Cybersecurity Rule Means for Long Term Care Executives

May 27, 2025

When It Comes to Cybersecurity, "Good Enough" Isn't Enough Anymore

Most LTC administrators I talk to are doing their best—but with outdated tech, tight budgets, and a mountain of regulations, it's easy to fall behind.

"If you are not intentionally building resilience, you're accidentally building fragility."
—David Rendall

According to HHS, over 50 million healthcare records were breached in 2024—many in small to midsize facilities.

Let me share a couple of stories that highlight the importance of proactive cybersecurity measures:

A Cautionary Tale:
In October 2024, HCF Management, which oversees 31 long-term care facilities in Ohio and Pennsylvania, experienced a significant data breach. Hackers infiltrated their network, compromising the personal information of nearly 70,000 residents. The breach went undetected for weeks, and by the time it was discovered, sensitive data—including Social Security numbers and medical records—had been exposed. The aftermath included not only a loss of trust but also potential legal ramifications and financial penalties.

A Success Story:
Conversely, an Ohio-based LTC facility had recently invested in comprehensive cybersecurity training for its staff and implemented multi-factor authentication across all systems. When an attempted phishing attack occurred, a well-trained nurse recognized the suspicious email and reported it immediately. The IT team acted swiftly, preventing any data compromise. This proactive approach not only safeguarded resident information but also reinforced a culture of security awareness within the facility.

Could your facility survive a HIPAA audit if it happened tomorrow?

What's Changing in the HIPAA Security Rule (and Why You Should Care)

The proposed 2025 HIPAA Security Rule update (the notice of proposed rulemaking HHS published in January 2025) shifts the emphasis toward preventing breaches, not just reacting to them. For LTC providers, that means new expectations around:

  • Encryption: Electronic PHI encrypted both in transit and at rest, with only narrow exceptions.
  • Multi-Factor Authentication (MFA): Verification beyond a password for access to systems that hold resident data.
  • Incident Response Plans: Documented, tested procedures for responding to and recovering from a security incident.
  • Employee Training: Regular, recorded training so staff can recognize phishing and protect resident data.

These aren't suggestions. As proposed, the rule drops the old distinction between "required" and "addressable" safeguards, so controls a facility could once decline with a written justification would become mandatory.

Why This Matters in LTC

LTC facilities are prime targets for ransomware. Why? Because attackers know that downtime means disrupted med passes, missed documentation, and unsafe resident care, so the pressure to pay quickly is high, and many facilities run on aging systems with little dedicated IT staff.

You already know that paper backups and shared logins aren't secure—but changing them can feel overwhelming.

"Our weaknesses are often just our strengths taken to an extreme."
—David Rendall

Nearly 60% of small healthcare providers hit by ransomware reported days of operational disruption.

What's your plan if your systems go down for 24 hours?

Calm Confidence Starts with Small Steps

If you're feeling unsure, you're not alone. The goal isn't perfection—it's progress:

  • Start by reviewing your MFA setup: which accounts and systems actually require it, especially email, remote access, and the EHR, and who is still exempt.
  • Run a quick check: Is full-disk encryption turned on for every staff laptop and tablet, and are the recovery keys stored somewhere IT can reach if a device is lost?
  • Schedule a staff training refresher (and keep a sign-in sheet).
  • Validate your backup coverage: ask for a list of systems, cloud applications, and key workstations, confirm each one has a backup in place, and confirm that restores are actually tested on a schedule. A backup job that reports "success" is not the same as a restore that works.
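One way to turn that last checklist item into a repeatable check, as an added example that is not part of the article: reconcile the asset list against the backup records and flag anything with no backup, a stale backup, a restore test that is overdue or never done, or a backup job for something nobody inventoried. The inventory, the backup records, and the one-day/90-day thresholds are constructed assumptions, not facts from the page.

```python
"""Backup coverage audit: reconcile an asset inventory against backup job
records and flag gaps. Added illustration, not code from the article; every
record and threshold below is constructed sample data."""
from datetime import datetime, timedelta, timezone

# Assumed policy (not from the article): critical systems need a successful
# backup within 1 day and a restore test within 90 days; everything else
# within 7 and 180 days respectively.
POLICY = {
    "critical": {"backup_days": 1, "restore_test_days": 90},
    "standard": {"backup_days": 7, "restore_test_days": 180},
}

# Constructed inventory: the "list of systems, cloud applications, and key
# workstations" you would ask IT or your MSP for.
INVENTORY = [
    {"asset": "ehr-db-01",   "type": "server",      "critical": True},
    {"asset": "file-srv-01", "type": "server",      "critical": True},
    {"asset": "emar-cloud",  "type": "cloud_app",   "critical": True},
    {"asset": "don-laptop",  "type": "workstation", "critical": False},
    {"asset": "admin-pc-02", "type": "workstation", "critical": False},
]

# Constructed backup records: last successful job and last verified restore.
# Note "old-nas" has a job but is not in the inventory, and "admin-pc-02"
# is in the inventory but has no job at all.
BACKUP_RECORDS = [
    {"asset": "ehr-db-01",   "last_success": "2025-05-27T02:10:00Z", "last_restore_test": "2025-02-01T00:00:00Z"},
    {"asset": "file-srv-01", "last_success": "2025-04-20T02:10:00Z", "last_restore_test": "2025-05-10T00:00:00Z"},
    {"asset": "emar-cloud",  "last_success": "2025-05-27T01:00:00Z", "last_restore_test": None},
    {"asset": "don-laptop",  "last_success": "2025-05-25T18:00:00Z", "last_restore_test": "2025-05-01T00:00:00Z"},
    {"asset": "old-nas",     "last_success": "2025-05-26T23:00:00Z", "last_restore_test": "2025-05-01T00:00:00Z"},
]


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp such as 2025-05-27T12:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit(inventory, records, now):
    """Return a sorted list of (asset, finding) tuples.

    An empty list means every inventoried asset has a fresh backup and a
    recent successful restore test, and every backup job maps to a known asset.
    """
    by_asset = {r["asset"]: r for r in records}
    findings = []
    for item in inventory:
        rec = by_asset.pop(item["asset"], None)
        limits = POLICY["critical" if item["critical"] else "standard"]
        if rec is None:
            findings.append((item["asset"], "NO_BACKUP"))
            continue
        if now - parse_ts(rec["last_success"]) > timedelta(days=limits["backup_days"]):
            findings.append((item["asset"], "STALE_BACKUP"))
        # A successful job is not proof the data comes back: check restores too.
        if rec["last_restore_test"] is None:
            findings.append((item["asset"], "NEVER_RESTORE_TESTED"))
        elif now - parse_ts(rec["last_restore_test"]) > timedelta(days=limits["restore_test_days"]):
            findings.append((item["asset"], "RESTORE_TEST_OVERDUE"))
    # Anything left has a backup job but no inventory entry: either the
    # inventory is incomplete or the job is backing up something retired.
    for asset in by_asset:
        findings.append((asset, "NOT_IN_INVENTORY"))
    return sorted(findings)


if __name__ == "__main__":
    for asset, finding in audit(INVENTORY, BACKUP_RECORDS, parse_ts("2025-05-27T12:00:00Z")):
        print(f"{finding:22} {asset}")
```

Run as-is it reports the five gaps built into the sample data; the laptop passes because a non-critical device is allowed a week between backups. Swap in the real inventory and the export from your backup console, and the findings list is the agenda for your next call with IT.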

Contact us at Affiliated here.

We can help you walk through all of this—at your pace, in plain English.