Healthcare Information Security

Patient Privacy News

Lessons Learned from the Anthem Data Breach

By Elizabeth Snell

The Anthem data breach should remind healthcare organizations of all sizes how important it is to have comprehensive and current safeguards in place. Just yesterday, Anthem announced that one of its databases containing the information of 80 million individuals was infiltrated by hackers. However, the company immediately notified authorities, including the FBI.

It is not enough simply to try to prevent data breaches; it is also crucial to detect them in a timely fashion and then to mitigate as much risk as possible should one occur.

This requires a multi-pronged approach, including a proper incident response plan, according to Patrick Wilson, Contra Costa County Health Services CISO and Assistant Director of EHR. In an interview with HealthITSecurity.com, Wilson explained that one of the best things a facility can do is to de-value the data from an infiltrator's perspective. This includes encrypting all databases and ensuring that the data is segmented.

“One of the biggest mistakes companies make is keeping data for too long,” Wilson said. “Once the data is no longer useful, instead of just purging it, they keep it around.”

Jim Mapes, Chief Security Officer of BestIT, agreed, adding that data collection and storage is a double-edged sword. Because of that, healthcare organizations must be vigilant in their security measures.

“The more you ratchet down access, the more difficult you make it to provide that patient care,” Mapes told HealthITSecurity.com. “The more access you allow, the more risk you’re taking. The less access you allow, the less useful the data is.”

Regarding the Anthem data breach, though, Mapes said that the company did everything right in terms of notification. A system administrator detected the anomaly immediately, and Anthem then reached out to the FBI and an external investigator.

“They had an immediate response – they didn’t hide anything,” Mapes said. “We’re going to see other organizations have these kinds of issues.”

What can healthcare facilities do to prevent data breaches?

Healthcare data breaches similar to the Anthem incident are only going to continue to occur, according to Mapes, and it was not surprising that one like the Anthem data breach happened in the first place.

“Organizations tend to hide their head in the sand and hope that something won’t happen until they get a chance to address it,” Mapes said. “I think a lot of them are starting to come along and understand the need to protect their data.”

Healthcare data has a much longer shelf life than a stolen credit card, he explained, which is why that data is becoming increasingly popular with cyber criminals. That type of information can be used to open credit accounts and to commit identity theft, medical billing fraud, and insurance fraud, Mapes explained.

One key aspect to healthcare security is having an incident response plan in place, according to Wilson. It is similar to an individual having a will, he explained. In case something happens, there is a comprehensive list that facilities can work their way through to ensure that all of their bases are covered.

“If an incident happens you go to the plan, and can check off items, such as contacting law enforcement,” Wilson said.

Additionally, Wilson recommended that healthcare facilities look into joining information sharing groups, such as the National Health Information Sharing and Analysis Center (NH-ISAC) and the Health Information Trust Alliance (HITRUST). These types of organizations have helped build architectures that healthcare facilities can follow to ensure they are adhering to all privacy and security regulations.

According to Mapes, security awareness and training throughout the entire healthcare organization is also incredibly valuable. It’s difficult for any one person or even a team of individuals to be able to have eyes and ears on everything that happens in an entity, as well as all transactions that occur.

“Having an employee workforce that’s trained to understand that, and know what suspicious activity is, then they know how to react to it,” he said. “That’s worth its weight in gold as far as prevention.”
