When people talk about healthcare data breaches, they typically think only of hospitals or big health systems. Long-term care facilities hold very sensitive data, yet they rarely get the same amount of attention. These facilities provide ongoing medical assistance through various types of nursing facilities or assisted living facilities. They also document patient information in extremely detailed records that can span multiple months or years.
For these two reasons, data maintained by long-term care facilities is both extremely valuable and extremely susceptible to cyber attacks.
The recent IPPC data breach highlights how much patient data is maintained by pharmacy providers that serve long-term care facilities. Their databases exist to support continuous care, so they record not only snapshots of patient data but a patient's entire medical course of care.
Long-term care typically involves ongoing treatment, including continual monitoring of a patient's condition and management of medication regimens, so the records of the treatment a patient receives are very detailed. Long-term care databases therefore contain comprehensive datasets about a patient, including identifying data, prescription data, diagnostic data, insurance data, and virtually any other relevant data, all connected to a single patient record. Generally speaking, the more detailed the data, the greater its value and the larger the risks if it is compromised, and long-term care databases hold an extensive level of detail about each patient.
Continuity is one of the most important characteristics of long-term care (LTC) data. LTC patients receive most of their care over a long period of time, so their LTC records must be continuously updated and expanded. As a result, LTC data forms a "live" dataset that captures patients' changing health status, treatments received and interactions with providers over time. When unauthorized users gain access to LTC data, the personal and health information they can reach is far more detailed than what they would get from isolated health records.
The recent breach of the IPPC database illustrates how quickly a hacker can gain access to LTC data once a network's security has been breached. Even a short period of unauthorized access to an LTC database allows a hacker to copy or view a significant amount of LTC data. Because many LTC databases have been centralized to provide more efficient care to patients, unauthorized access can potentially increase the amount of LTC data exposed to unauthorized users.
Another reason that LTC data is sensitive is that LTC patients are generally considered a more vulnerable patient population. They depend on continuity of care and require significant support from their providers. The unauthorized exposure of LTC patients' personal and medical data puts them at increased risk of having their personal information used for identity theft, financial fraud and misuse of healthcare benefits.
In addition to all of the above reasons, LTC data contains both medical and financial data, which gives criminals multiple opportunities to exploit patients' LTC data. Medical and financial data included in LTC records, such as health insurance information, billing information, Social Security numbers, etc., can be used to commit sophisticated fraud that is difficult to detect immediately and which would likely not be detected if the patient's LTC data had not been stolen.
The IPPC data breach draws attention to a broader healthcare cybersecurity challenge: protecting the complex, interrelated systems that process large amounts of highly sensitive data. Since healthcare providers increasingly rely on digital platforms, it is critical that the security of the associated systems is adequately ensured.
Organizations must put in place layered security controls, including access controls, encryption, and continual security monitoring. They must also regularly evaluate their systems and their third-party integrations for vulnerabilities or weaknesses to limit the possibility of an unauthorized user gaining access.
Patients and their families can help themselves as well. By being aware that their long-term care data is stored and used by many systems, they can take proactive steps to monitor and maintain the integrity of their data and respond to any potential risks.
As the overall healthcare landscape transforms, long-term care will remain an important part of how a patient is cared for. Incidents like the IPPC data breach are a reminder that the most sensitive data often has the longest persistence and that ongoing efforts—both from a technical and behavioral perspective—are necessary to defend against exposure.
