Bridging the Cybersecurity Gap in Arkansas for Vulnerable Groups

By: Heather Carmichael

Disclaimer: The views expressed in this post are those of the author and do not necessarily reflect the views of the Journal, the William H. Bowen School of Law, or UA Little Rock.

Globally, cybersecurity regulation has evolved into a patchwork of rules and agreements designed to promote cross-border collaboration. The General Data Protection Regulation (hereinafter “GDPR”) of the European Union establishes high standards for data privacy, breach notification, and individual rights. Antonia Vlahou et al., Data Sharing Under the General Data Protection Regulation: Time to Harmonize Law and Research Ethics?, 77 Hypertension 1029–1035 (Feb. 15, 2021), https://doi.org/10.1161/HYPERTENSIONAHA.120.16340. These regulatory efforts by the European Union provide valuable models, but without national support and adaptation, states like Arkansas risk falling further behind in protecting vulnerable populations.

Although the GDPR sets stringent requirements for data breaches and imposes hefty fines for non-compliance, most senior care facilities in Arkansas struggle to meet these requirements. At present, many facilities only maintain a basic level of cybersecurity. Author Vagelis Papakonstantinou highlights the GDPR’s deletion requirements and strict safeguards for sensitive information. Vagelis Papakonstantinou, Cybersecurity as praxis and as a state: The EU law path towards acknowledgement of a new right to cybersecurity?, 44 Comput. L. & Sec. Rev. 105653 (Jan. 29, 2022), https://doi.org/10.1016/j.clsr.2022.105653. This could serve as a model for Arkansas legislation governing senior care providers. However, a lack of national support, limited technical capacity, and insufficient funding make it difficult for resource-constrained jurisdictions, including Arkansas, to meet global cybersecurity standards.

Arkansas reflects broader tensions between state sovereignty and international cybersecurity guidelines. For instance, some senior care facilities in Arkansas resist state-imposed cybersecurity rules, framing them as an example of government overreach. Without systematic reform, these vulnerabilities will continue to put elderly residents at heightened risk of cybersecurity threats. New cybersecurity incidents in Arkansas reveal patterns.

Repeated incidents in Arkansas, such as the 2020 Blackbaud ransomware breach, the 2022 ARcare healthcare hack, and the recent 2023 Kisco Senior Living incident, highlight the persistent cybersecurity vulnerabilities in the state’s digital infrastructure. Anthony Minnaar & Friedo JW Herbig, Cyberattacks and the Cybercrime Threat of Ransomware to Hospitals and Healthcare Services During the COVID-19, 34 Acta Criminologica: Afr. J. Crim. & Victimology 155 (Dec. 1, 2021), https://journals.co.za/doi/abs/10.10520/ejc-crim_v34_n3_a10. These breaches are indicators that Arkansas’s system for caring for its aging population is insufficient.

The Blackbaud ransomware attack in 2020 compromised records that contained sensitive health and financial data for seniors. The absence of active anomaly detection further aggravated the breach. The attackers’ preliminary actions could have been identified in advance through artificial intelligence (AI)-driven monitoring tools, potentially preventing the theft of sensitive data. Radina Stoykova, Digital Evidence: Unaddressed Threats to Fairness and the Presumption of Innocence, 42 Comput. L. & Sec. Rev. 105575 (Sept. 2021), https://doi.org/10.1016/j.clsr.2021.105575. This situation illustrates the costly consequences of relying on outdated or inferior detection systems, particularly in industries that handle sensitive information.

In 2023, Kisco Senior Living was a victim of a third-party vendor breach that caused a leak of 26,000 records. Steve Alder, Kisco Senior Living & Island Ambulatory Surgery Center Disclose Summer 2023 Cyberattacks, HIPAA Journal (Apr. 23, 2024), https://www.hipaajournal.com/kisco-senior-living-island-ambulatory-surgery-center-data-breaches/. This incident illustrated an underestimated threat to cybersecurity: third-party vendors. In all instances, a common factor is the lack of investment in proactive cybersecurity measures. Moreover, there are key steps that lawmakers and senior care institutions should consider implementing to protect vulnerable groups in Arkansas.

First, lawmakers should develop AI-based compliance regulations that allow senior care institutions to adopt AI-based auditing solutions. These tools continuously scan for vulnerabilities, ensure software compliance, and verify that access controls are effectively in place. To support their adoption, state-level grants could be allocated to fund these tools. Pilot programs have already demonstrated the effectiveness of AI implementation, with reports indicating AI can reduce breach response time by up to 72%, making it both efficient and cost-effective. O.L. van Daalen, The Right to Encryption: Privacy as Preventing Unlawful Access, 49 Comput. L. & Sec. Rev. 105804 (May 16, 2023), https://doi.org/10.1016/j.clsr.2023.105804.

Second, to cooperate in combating cybercrime, states must establish an AI-supported education team that is dedicated solely to elder fraud cases. The most inefficient process contributing to the delay in prosecuting cybercriminals is the slow rate of Mutual Legal Assistance Treaties (hereinafter “MLATs”). These agreements between states allow the exchange of evidence and legal assistance on criminal matters. However, the bureaucratic hurdles, differing legal systems, and the need for translations and diplomatic negotiations often delay these processes. This prolonged system hampers effective regulations for curbing cybercrime in Arkansas.

Third, the EU Artificial Intelligence Act (EU AI Act) is a recent effort that aims to regulate the application of AI systems. Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 on Artificial Intelligence, 2024 O.J. (L 1689), https://eur-lex.europa.eu/eli/reg/2024/1689/oj. The Act categorizes AI applications based on risk. This categorization primarily applies to high-level systems that are subject to rigorous requirements, especially those that involve critical infrastructure, healthcare, or personal data. This model should be used to guide regulatory efforts in the United States, particularly in Arkansas, because of the heightened need for a regulated environment, especially for our aging generations.

Finally, appropriate privacy-preserving AI methods, such as differential privacy, must balance security and the individual’s right to privacy. These methods will enable the AI systems to study data trends without revealing personal details. In the case of older populations, the mitigation steps provided by differential privacy do not entail trading privacy for personal integrity or personal data security. Christine Carpenter, Privacy and Proportionality: Examining Mass Electronic Surveillance Under Article 8 and the Fourth Amendment, 20 Int’l & Comp. L. Rev. 27 (Oct. 13, 2020), https://doi.org/10.2478/iclr-2020-0002.

In conclusion, the cybersecurity vulnerabilities faced by Arkansas senior care facilities are not isolated incidents. They warn of what underprepared systems endure in the face of global cyber threats. By adopting AI-powered auditing, establishing AI support teams that target fraud against the elderly, using the EU AI Act as a reference, and applying privacy-preserving AI methods, Arkansas would be able to progress in protecting the most vulnerable groups from cybersecurity threats.