The “social healthcare model” of senior living should preclude it from being included in proposed new cybersecurity incident reporting requirements designed for entities considered to be critical to the nation’s infrastructure, according to one senior living industry advocacy organization.

Last week, the American Health Care Association / National Center for Assisted Living submitted comments in response to a proposed rule from the Department of Homeland Security. The Cyber Incident Reporting for Critical Infrastructure Act, or CIRCIA, would require entities, including healthcare providers, to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency, or CISA, within 72 hours and any ransom payments made in response to ransomware attacks within 24 hours.

The proposed rule already suggests excluding assisted living communities, nursing homes and facilities for individuals with intellectual and developmental disabilities from the proposed reporting requirements. In a letter to DHS, AHCA/NCAL Associate Vice President of Therapy Advocacy Daniel Ciolek outlined the groups’ support for that exclusion.

CISA proposed limiting the scope of the policy to hospitals with 100 or more beds, as well as critical access hospitals, a scope that AHCA/NCAL said rightly focuses attention on the major cybersecurity risks related to critical healthcare infrastructure. 

Unlike other healthcare settings, the letter stated, most individuals living in long-term care facilities and communities are residents who consider those settings to be their homes. AHCA/NCAL agreed with CISA’s assessment that although healthcare and public health sector entities that provide direct patient care could be subject to disruptive cybersecurity attacks, it would not be “prudent or cost-effective to require covered cyber incident and ransom payment reporting from every individual provider of patient care.”

“The majority of our member communities have a resident census of less than 100 people, and all are required to have emergency preparedness policies and procedures to have critical medical and operational information available to be used and exchanged with other providers and public health officials during natural and man-made events,” Ciolek wrote.

He acknowledged that establishing cybersecurity practices is critical to providing “uninterrupted high-quality care” and achieving “crucial efficiencies” to lessen the strain on the nation’s healthcare system and caregivers.

But the absence of federal support, and limited federal priorities to integrate the data needs of the long-term and post-acute care sector, have led providers to “organically” develop a data infrastructure customized to their workflows, Ciolek said. That infrastructure includes collecting and tracking quality measurements, conducting medication management, guiding appropriate resident and patient assessments, transitions of care and public health reporting.

Aligning those data sets to exchange a person’s health information in an interoperable, efficient and secure manner, AHCA/NCAL said, would require federal leadership and time. Pointing to a recent report from the Office of the National Coordinator for Health Information Technology, Ciolek noted that the federal government found that only 17% of hospitals are able to routinely send interoperable health information to long-term and post-acute providers, and only 8% of hospitals were able to routinely receive such information from LTPAC providers.

“This suggests that LTPAC providers will remain at a low risk for creating any significant systemic healthcare system disruption that CIRCIA seeks to prevent, such as the recent Change Healthcare cybersecurity incident,” Ciolek wrote. “Until such health IT interoperability advancements are ubiquitous across all LTPAC providers and interoperable information exchange becomes routine, we do not believe the CIRCIA provisions proposed in this rule should be expanded in future rulemaking to LTPAC healthcare providers, including those nursing facilities, assisted living residences and ID/DD community providers AHCA/NCAL represents.”

The use of electronic health records systems in assisted living greatly trails use in nursing homes, according to recently released data. The percentage of residential care communities using EHRs was 48% in 2022, according to the US Centers for Disease Control and Prevention’s National Center for Health Statistics. By comparison, a study published in December 2023, prepared by RTI International for the Department of Health and Human Services Office of the Assistant Secretary for Planning and Evaluation, found that EHR adoption in nursing homes was at 84%.