"A lot of people think that if they put a password on an iPad or iPhone or laptop that it should be secure and no one should be able to get into it or access the information on it," says Scott Ranson, CIO at Brentwood, Tennessee-based Brookdale Senior Living. In reality, "someone with just a little bit of know-how can break that password in about five minutes."
Many senior living executives and staff members are similarly misinformed when it comes to the risks of accessing public Wi-Fi with a work device or computer, he adds.
"If you're at, say, Starbucks and you connect to their free Wi-Fi with your laptop, anyone who's on that same unprotected network could potentially hijack your session. You could close your laptop, walk away and they could still be you on the Internet."
The point of all of the above, Ranson says, is to get senior living professionals to realize "there are many ways to break into your devices and computers and steal your residents' personal and private information if you aren't careful, if you aren't properly prepared."
Another way of putting it, "if you think you've got things secure, think again-because, really, from an IT-security standpoint, it's not a matter of if, but when, a security issue's going to impact your company."
"We in senior housing spend a lot of time, money, and effort making sure the physical well-being of residents is intact," Ranson says. "But how much time, money, and effort do we spend taking care of residents' digital well-being-making sure our systems are secure so their Social Security numbers, medication histories, bank accounts, and more are adequately protected?"
Not enough, he says.
So, how should senior living companies go about improving that situation?
Here are some steps in the right direction.
1. Determine whether your company is a HIPAA-covered entity.
"To me, figuring out if you're covered is the first step a provider should take in this situation," Ranson says.
That may sound like basic advice, but in Ranson's experience too many people in the senior living space don't know if their company is a covered entity or not.
He's also concerned that too many of his colleagues don't understand the term "hybrid entity"-which means some of a provider's communities are covered by HIPAA and some aren't.
"I can tell you that Brookdale is a hybrid entity, because some of our communities take government reimbursement for services and some do not," he says.
Even if you're not a covered entity or a hybrid entity, it doesn't mean your organization is off the hook, Ranson says.
"In all cases, state privacy rules play a factor in what happens when there's a [data or information] breach," he says.