Health data breaches: No one is immune

By Rick Kam
07:48 AM

Up to one-quarter of Americans may have been affected by the Anthem Healthcare data breach in February — estimates that dwarf last year’s Community Health Systems breach by an order of magnitude. All healthcare organizations are at risk for a data breach.

Just this month, in fact, Premera Blue Cross reported a possible breach of 11 million records, and Redmond, Ore.-based Advantage Dental notified more than 150,000 patients of a recent breach. It’s no wonder that experts have predicted that 2015 will be the year of the healthcare data breach.

The reason for this is simple. While hackers managed to exploit vulnerabilities in point-of-sale systems in 2014, retailers and software vendors are moving to close those gaps. Symantec, in the meantime, reports that healthcare cyber attacks increased 72 percent from 2013 to 2014. And while financial businesses will quickly detect and shut down fraudulent activity, stolen healthcare information can go undetected for years (in part due to some of the privacy protections provided by HIPAA) and be used in many profitable ways.

"The ability of health care companies to compile data has grown far faster than their ability to protect it," Boston University health policy professor Alan Sager is quoted as saying in an article on iHealthBeat. With the regulatory requirements and financial incentives of the HITECH Act, healthcare providers and insurers have moved quickly to implement electronic health records (EHRs) in organizations that, unlike financial institutions, often don’t have mature data protection programs and systems in place.

One month before the Anthem breach, in a Healthline article, James Christiansen, vice president of information risk management at cybersecurity firm Accuvant, warned of “a significant increase in the threats to the healthcare ecosystem,” citing a laundry list of factors including:

• The ease of access to EHRs over the Internet
• Often antiquated computer systems with out-of-date security software
• Proliferating devices that create a growing attack surface
• Sometimes insecure information sharing in the increasingly complex healthcare ecosystem
• Focusing on patient health, while neglecting the security of patient data

Providers beware: Data care is self care
To combat breaches, providers need to recognize that data protection is a core part of their missions, affecting both patient health and the health of their businesses. There are three core lessons the healthcare industry can learn from recent data breaches — lessons that privacy and security teams must act on now:

Lesson 1: Invest in privacy and data security now. A new Ponemon study reports that security professionals in the U.S. feel ill-prepared to defend against cyber attacks, citing lack of resources and inadequate expertise as the biggest barriers to security.

Lesson 2: Minimum compliance requirements aren’t sufficient to protect patients or the business. Congress is taking a hard look at the Anthem breach, and the National Association of Insurance Commissioners has instituted an investigation that may ultimately include review of Anthem’s operations in all U.S. states and territories. One result of all the scrutiny may be new industry-wide data security requirements.

Lesson 3: Security technology is not foolproof. Asked about encryption, an Anthem spokesperson explained that the hacker used a system administrator's ID and password to breach its information systems. U.S. News reported that the attackers had access to five sets of security credentials, possibly obtained by phishing.

Facing up
It is past time for healthcare organizations to implement a 360-degree data privacy and security approach that includes:

• Risk analysis to identify vulnerabilities and guide spending
• Updates to outdated security systems
• Policies and procedures plus employee training to ensure that they are followed
• Awareness programs to help combat phishing and social engineering
• Ongoing monitoring to identify incidents early and mitigate damage
• Robust incident response programs and tools

This year’s Global State of Information Security Survey by PricewaterhouseCoopers sums it up perfectly: “A sweeping transformation of the health economy is well underway. Connected technologies, big data analytics and electronic health records are combining to redefine consumer demands and business models. At the same time sophisticated threat actors are devising new ways to compromise and steal digitalized medical data. Taken together this inexorable shift will demand a re-thinking of information security. At the heart of this initiative ought to be a risk-based cyber security program to identify, manage and respond to privacy and security threats.”

Truer words were never spoken.

Rick Kam is president and co-founder of ID Experts