%20(10).png)
Raising Tech, powered by Parasol Alliance
Raising Tech is your guide to understanding the role technology plays in your community, where to invest to transform culture, and how to bring your team and residents along the journey. Tune in to explore the latest tech trends, dive into hot topics, and hear from industry experts, community leaders, and innovative vendors shaping the senior living tech landscape. Each episode is packed with practical insights and real-world stories to help you spark change and level up your community’s tech game.
You can find full demonstrations on our website of our Raising Tech Resident Exclusive Miniseries: www.parasolalliance.com/residents/
Powered by Parasol Alliance, The Strategic Planning & Full-Service IT Partner Exclusively serving Senior Living Communities.
Raising Tech, powered by Parasol Alliance
109. What You Need to Know About Cybersecurity in Senior Living
In this critical episode of Raising Tech, host Amber Bardon is joined by two of Parasol Alliance’s finest: Sean Sheldrake and Jake Wigfield-Gorka. Together, they dive into what an MSSP (Managed Security Services Provider) is and why it really matters for senior living communities.
From phishing attacks to insurance compliance, this episode sheds light on how threats are evolving faster than ever and why relying solely on traditional IT services may no longer be enough. You’ll also hear what tools and strategies are essential for protecting your staff, residents, and operations from the ever-changing cybersecurity landscape.
Learn more about our MSSP services on our website.
Amber Bardon: [00:00:00] Yes, welcome to Raising Tech podcast. I'm your host, Amber Barden, and on today's episode, we have two of Parasols Finest employees, Sean Sheldrake and Jake Wigfield-Gorka Sean is our security engineer. Jake is our solutions engineer, so he works on our strategic plans. Welcome to the show.
Jake Wigfield-Gorka: Thank you, Amber.
Amber Bardon: So today we are going to talk about security, also known as MSSP. And so you may have heard the term MSSP and don't know what that means or what is the difference between MSSP and MSP, which sound very similar, but are different things. So I'm gonna lead off today's topic just by clarifying those two points.
MSSP stands for managed security service provider. And that would [00:01:00] be a company, an outsourced IT company that would be focusing on security services. So a lot of MSPs, which is managed services provider. Also offer the security services. And then there are some companies that only offer the security side or just MSSP.
But the main difference between these two different offerings is that an MSSP or security service offering will typically include. Additional products that have to be purchased separately, such as pen testing or vulnerability scanning, and we'll get into those today. But it's, it's a product as well as a service.
Some of it is just service-based, but it's usually a combination of products and services. So at Parasol Alliance, we added this service line. In 2022. So something we thought about in 2021, and then we decided to add it in 2022. And the primary reason we decided to add this service line is we noticed a [00:02:00] trend with our clients coming to us, letting us know that their cybersecurity insurance companies were suddenly denying them coverage or asking for additional things to be in place.
And we'll talk about what some of those are today. I think that there have been different milestone moments in senior living tech that have pushed the industry in a certain direction. So one of those would be COVID.
That's the most obvious one that comes to mind, but I do think that the insurance companies forcing these regulatory changes is another major change and a major shift in the way that the senior living industry overall thinks about security. I think up until that point, most senior living communities.
And maybe this was true, but most senior living communities either were or had the idea that they're too small to be attacked, that they're not gonna be bothered, that they're not gonna be targeted, that hospitals are more of a target bigger companies. And as well asked Sean to talk about that. That has changed.
It's so much easier now to perpetuate [00:03:00] attacks and to have phishing scams and things like that. So the cybersecurity insurance companies saw that risk, they decided to mitigate it, and they started requiring a lot of these additional services.
And so, you know, some of them are more standard than others. So, for example, MFA, so everybody on the call who had to go through MFA, didn't want to and blamed your IT department. It probably wasn't your IT department's fault, it was probably the insurance company requirement. And so, it's something that needs to be on every senior living community's mind.
And you need to be thinking about security. You need to be planning how you're going to handle it. What tools do you have in place? And yes, there is additional spend required around this. And I'm sure as Sean and Jake will mention, you know, the, the potential risk. Potential financial implications of not having preventative measures in place are real, and they have real world impacts.
So with that introduction, I am going to ask both Sean and Jake, what does security [00:04:00] mean to you? What does security mean? Let's start with you, Sean.
Sean Sheldrake: Security to me encompasses what our, uh, MSSP program actually, um, entails. Uh, so it entails a few different service lines, which includes email security and training. Vulnerability scanning, which is also known as internal pen testing. External pen testing, HIPAA security risk assessment, which is just a review of the HIPAA security rule based on standards from H-H-S-P-C-I, compliance assessments, and then, uh, what we call managed monitoring through basically a, a managed detection to response service.
Jake Wigfield-Gorka: it's A constantly evolving landscape, right? So you have all these different toolkits in play, but it's something that changes, you know, every week. Something that is constantly evolving. You're constantly having to reassess and look at the toolkit that you're utilizing and make sure it's appropriate for the infrastructure that you have in place.
Amber Bardon: Yeah, I think. When we talk about what is security, it's a complicated question, right? Because there are so many different aspects to security. There is actual security tools, there's [00:05:00] preventative measures, there's what happens if you have a security incident and what's the aftermath of that and how do you recap and how do you, um, come back from those issues?
There's education with staff. There's configuration into your technology systems such as your, you know, your switches and your firewalls and things like that. And then there's things that we all know about, like antivirus that are, you know, more basic and have been around for a long time.
What would be, you know, what would be the best way to approach security overall? And I'll let either one of you answer, but if you are thinking about, you know, a combination of all these different components, what would be the strategy?
Sean Sheldrake: So a good security strategy would be, you know, with your environment and what, you know, having maybe even a third party come in and assess that.
Creating some type of strategic plan to meet with your existing IT team, review everything, see what's going on, and just see where those gaps are between, you know, your systems, uh, your processes, and even physical security. Like [00:06:00] things as simple as, um, you know, is your server room unlocked is a key factor in security, not just, you know, do you have the latest patch on your firewall?
Jake Wigfield-Gorka: Right. And it's a really common phenomenon when I go in and do these strategic plans at communities that we see a lot of tribal knowledge, but the team knows what they know. They don't have that outside perspective and gaps in their security exists because they're just not aware of that you know, either current technology or current vulnerabilities.
Um, so it's important to have that set of fresh eyes on the environment just see what's going on or where things could be better improved.
Amber Bardon: Yeah, I, I mean, you need to have some sort of strategy in place and you need to be, and I, I always like to tell clients that security is a matter of risk versus convenience.
Because the more secure you are, the less convenient it is usually. Right? Yes. And so each organization has their own tolerance. For that balance between those two things. You know, the organizations that are going to [00:07:00] sacrifice convenience for the most secure, their staff are probably not gonna be very happy with the user experience.
Um, and then the opposite, you know, you're gonna get into possibly some trouble if you don't have, you know, if you're going to far in the convenience side. So I remember there was one client we worked with and, and I think we changed this after they became a client, but they had some sort of, uh, encryption.
And they, every time they turned on their computer, they had to type in like a 15 character password just to get in their computer like every single time and after they walked away for five minutes. You know, that might be an example of being too extreme. Uh, but that being said, what have we seen as far as.
Security, I don't wanna say trends because that makes it sound like it's a good thing. I would say security, security issues, like what are the major issues? And then I guess trends could be like, what are some of the trends and solutions out there that we've seen?
Sean Sheldrake: I would say there's a lot more sophisticated phishing trends that have been going on. There's a lot of variables with phishing now. It's no longer [00:08:00] just. A weird email. Click this link. It's AI created emails that are creating deep fakes or spoofing individuals. It's, um, you know, direct send vulnerabilities where they're bypassing your email filter and getting to you directly and, and looking like they're from your organization.
Um, and all these methods nowadays are also, being created in more sophisticated programs with the assistance of ai. It's allowing those, um, those nefarious individuals that use these programs to have easier access to implement them and try to engage organizations with that. And that, that's definitely not making things easier
Jake Wigfield-Gorka: for sure.
Yeah. The skill level required to get into the bad actor realm is a lot lower. And that means that the volume of overall phishing campaigns is up, right? So, you don't have to have a skilled hacker. Everybody pictures the guy in the basement with his hoodie on, you know, his hood up.
Yeah. It's not really the way that hacking is, right? You just have people sometimes utilizing software ai that are just trying to trick [00:09:00] your workforce. Uh, so it's a lot about you know, education of the team itself.
Amber Bardon: What's the new one you guys were telling me about the other day that you, that you can buy for $150?
Jake Wigfield-Gorka: Yeah. Ty uh, typhoon. Is that
Sean Sheldrake: it? Yeah, I think it was Typhoon two FA, which was, uh, creating basically those direct send emails that can go out.
Amber Bardon: Yeah. So. You know, just the, the entry into being a hacker, you don't have to have the hoodie and be in a basement anymore. You
Sean Sheldrake: just need a credit card.
Um,
Amber Bardon: yeah, it, it's just so much lower entry. And this is why it's so important to have some sort of strategy and plan around this. So what are the opportunities to be proactive with security?
Sean Sheldrake: Touching on what Jake had mentioned education is the biggest thing. You can have all the features in the world, but in security there's sometimes a saying where we're the biggest threat is actually those that are internal.
Because if an individual makes the wrong mistake or provides the wrong credentials and that person has a certain level of access, it [00:10:00] can lead to things getting out of control. So education on knowing where you should be putting your credentials you know, how your IT systems function to at least some basic understanding of what you know, you as an employee should be doing.
And just being aware of, you know, basic cybersecurity trends. You know, just watching for weird things in emails, looking for things like urgency and trust. Trust but verify. You may have worked with a vendor before, but if something's weird, use another alternative method to contact them. Hey, is this legitimate?
Instead of, you know, emailing it back.
Jake Wigfield-Gorka: Then on the infrastructure side, we should be constantly reassessing if we're using the appropriate tools and equipping the environment appropriately to deal with the threats that are coming in. We see really regularly when we do strategic plans that very few clients are using any sort of siem or MDR service.
They're working without all the information that they need. So there's this major gap in their security. Lots of people that are not doing vulnerability tests, lots of people that are not doing penetration tests. All of this data is what helps you build a [00:11:00] secure environment.
Amber Bardon: So it sounds like we need a combination of configuration and education in the systems we already have layered. On top of some of these additional services that listeners may not have today. So can we talk a little bit more about those additional services? So if you had to pick just one of those services, what would you pick and why?
Sean Sheldrake: That's a good question. And I'm gonna give you a two part answer 'cause it kind of tied. For me personally, be the email security. For the training piece, like I was talking about, but also our, uh, M-D-M-D-R service managed detection response has a lot of automated features for even if an individual does make a mistake or if there is something odd with a, a security threat going on, it provides you that insight and automated action to help lock down those situations very quickly as opposed to not having that system, you wouldn't even know there may be going on.
I'm kind of tied on those two. I think they're both. Equally important.
Jake Wigfield-Gorka: [00:12:00] Yeah. Uh, I'll, I'll agree with Sean. I mean, it's hard to say one tool in particular, right? Because all of them together create the posturing that you need. But I think that MDR gives you, I mean, it's, it's all encompassing, right?
You have logs coming from your switching, you have logs coming from your workstations, your servers, your 365 environment. All of that is being aggregated and reviewed automatically. So you're aware if something goes wrong right away, you have alert. And then there's, as Sean mentioned, SOAR actions where those accounts are locked down as a malicious attempt is made on those accounts.
Amber Bardon: Jake, this is a question for you. So one of the things that we have as an optional service is a CIS assessment. So there are standard security frameworks out there because I know we get asked by clients, you know, how do I measure up against other senior living communities? How do I measure up against industry standards?
And can you explain what is a CIS assessment and how would it be beneficial to an organization?
Jake Wigfield-Gorka: So it's a security framework. It's based [00:13:00] on some Microsoft baseline security configurations. Basically just checks all different aspects of your cybersecurity posturing and just checking to make sure that you have things in place. So it'll recommend best practices. It's also gonna make sure that you have the appropriate policies in place if something does go wrong, that you have the appropriate planning in place to recover from that incident that has occurred.
It's just a good way to benchmark yourself against best use. And, you know, we always preface like nobody's ever gonna get a hundred percent on one of these CIS assessments. They're really, really thorough. And there's a lot of things that aren't gonna make sense in all environments, but if you use it as a guideline, it can help you create a really secure and well run environment.
Amber Bardon: Sean and Jake, I hope, and I think our listeners have learned something from listening to this podcast today to help navigate this confusing and sometimes scary security landscape these days.
Is there anything that we haven't talked about that you would wanna offer as advice to anyone listening?
Jake Wigfield-Gorka: [00:14:00] Yeah. Never let yourself get comfortable, right? It's a constantly evolving landscape. Like I said previously, you need to constantly be reassessing and watching these things, otherwise they're gonna get outta hand. A bad ransomware attack can destroy a business down to the ground, so you have to be constantly vigilant.
Sean Sheldrake: Stay informed. And similar to the ransomware, we've seen it time and time again where people delay on actually act acting and preemptively getting these things evaluated and, and actually implemented. And then it takes that one negative, big, bad incident that unfortunately costs money before they actually make a change.
Don't, don't be that business. Yeah. Get ahead of the game.
Jake Wigfield-Gorka: Yeah. Everyone wants the fancy tools after they've been attacked.
Amber Bardon: Every time there's a big company in the news about having a data breach, I'm, my first thought is somebody in it was warning them
Jake Wigfield-Gorka: hundred percent. There was somebody
Amber Bardon: in IT who was telling them this was gonna happen and they didn't wanna spend the money and that it happened.
So listen, go hug your IT person. Ask them what [00:15:00] they have to say. And that's all I have. Thank you so much for coming on the podcast today.
Jake Wigfield-Gorka: Hey, it's pleasure.
.png)