Nursing homes and other healthcare entities have become the hottest target of cyber criminals, experts say. Now operators don’t have to just wait and wonder if bad things are going to happen.

Providers can tap into new security training and other free resources designed to educate their workforce on avoiding activities that can open facilities to cyberattacks.

The US Department of Health and Human Services has released a new online platform called Knowledge on Demand that offers free training to raise awareness of cyber issues. The five topics the platform covers are social engineering, ransomware, loss or theft of equipment or data, insider accidental or malicious data loss, and attacks against network-connected medical devices, according to a press release.

Global cyberattacks against the healthcare industry are up 74% from last year, said Brian Schnese, assistant vice president and risk consultant at Hub International. No other sector saw such a large increase, he told McKnight's Long-Term Care News on Monday.

“They’re in the crosshairs,” he said. The monetary costs can be staggering for unprepared providers and businesses. Reputational damage is another major part of the carnage.

Bad actors target either facilities or third-party vendors to gain access to patient and employee data and hold it for ransom or extortion, Schnese said. Victims either must agree to pay the ransom — usually in bitcoin — or face having that information released onto the dark web, where it can be used in various fraud and identity-theft schemes.

In January, McKnight's reported that a cybercriminal syndicate called Hive hit Consulate Healthcare with a ransomware attack that locked the nursing home chain out of at least a portion of its systems. In August 2021, a Wisconsin data provider for nursing homes was hit with a $14 million ransomware attack that compromised electronic billing, payment management, internet and email services. Also affected were medication ordering, electronic patient record management, and telephone services, according to Caitlin Morgan Insurance Services.

Schnese said approximately 80% of ransomware attacks start with an employee or another person connected to a shared network clicking on a bad link. The links can be on websites or sent as phishing attempts via email.

“You need to make sure that employees are at least armed with awareness,” Schnese said, adding that more sophisticated educational campaigns can include sending out fake emails that look authentic to see who clicks on them. 

Nursing homes also should develop incident response plans that identify which people or groups are among the first notified of a breach and what facilities can do in-house versus what is handled by external partners, such as forensic cyber investigations.

“It’s really a matter of when, not ‘if’ any longer,” Schnese said of the likelihood of cyberattacks. 

The Department of Health and Human Services’ Knowledge on Demand platform is immediately available.