The cyber attack on Anthem BlueCross BlueShield is being called the largest data breach ever in the healthcare industry, and a warning of things to come as criminal gangs and even nation states take aim at valuable health data stored by insurers, hospitals, doctors’ offices and others.
Anthem said the breach affected nearly 80 million customers and employees, and the haul for cybercriminals included records that could be very valuable to the thieves – names, taxpayer IDs, birthdays, medical IDs, street addresses, email addresses, and employment data, including income.
Just as the massive breach of Sony last year sent shockwaves of concern throughout industry and government, the Anthem incident is raising awareness of just how vulnerable healthcare organizations are.
Even though medical records and credit card details weren’t stolen in the Anthem breach, experts say medical identity theft is on the rise because the type of data stored by healthcare organizations is of great value for crooks. Records like Social Security numbers can be used for many types of fraud and can’t be changed easily – while a credit card can be canceled, a patient whose Social Security number is stolen could be haunted by identity theft for a very long time.
“The kinds of data we’re seeing in these most recent breaches … could open up possibilities for very significant fraud, perhaps opening up a mortgage application in someone else’s name using the combination of data and information like the loss of a Social Security number,” James Lyne, global head of security research at Sophos, said in an interview with CNBC. “There could be very significant financial and social damage as a result of this kind of data loss.”
What happened in the Anthem breach is still being worked out by investigators, but the implications are clear – healthcare organizations are now in the cybercriminals’ sites, and the consequences are significant for their customers, and for those organizations’ regulatory compliance.
In the U.S., the sharing of healthcare information is regulated under the Healthcare Information Portability and Accountability Act (HIPAA) as well as the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Healthcare organizations suffering data breaches – according to the Ponemon Institute, about 90% of them have suffered data loss in the past two years – face significant fines and penalties for non-compliance, along with loss of reputation and the threat of civil law suits.
Under the HIPAA law, organizations need to disclose breaches to affected customers, major media outlets, and regulators in order to remain compliant. And they’re required to have a comprehensive data protection policy in place.
The FBI warned healthcare companies last year that the healthcare sector is far behind other industries in terms of cyber security and data protection. With the threat growing and compliance costs looming, healthcare organizations are wisely looking to invest in better security.
What can healthcare organizations do?
Data loss prevention requires security on multiple levels, from protecting the data itself to the devices where it is stored and the people who access it.
Data encryption is essential for keeping the data secure as it moves from one place to another.
A complete data protection solution should also ensure the protection of your users’ credentials. The weakest point of any system is always the user, so your security solution needs to enforce a strong password policy; and it should allow you to lock down access for an end user who suspects their identity has been compromised.
Users, and even administrators, don’t need access to all of an organization’s files, but many have it as part of their role, making them targets. An encryption solution can fix that with a separation of duties and roles. That way even if a user’s credentials are compromised, the hacker has no way to get access to files that were encrypted with keys they do not have access to.
Learn more about how to stay HIPAA healthy
Visit our dedicated website at sophos.com/hipaa to learn more about HIPAA, and to check to see if you’re compliant.