Modern field guide to security and privacy

Anthem hack may push healthcare to boost security

The mother lode of personal data stored by healthcare companies has made them one of the biggest targets for criminal hackers in recent years. The Anthem breach could be a watershed moment for bolstering security.

Michael Conroy / AP
A man walks past health insurer Anthem's corporate headquarters in Indianapolis, Thursday, Feb. 5, 2015. Hackers broke into the company's database storing information for about 80 million people in an attack bound to stoke fears many Americans have about the privacy of their most sensitive information

The data breach disclosed by health insurer Anthem Inc. this week could be a watershed moment for a healthcare industry slow to fortify its networks in the face of growing cyberattacks. 

Anthem on Wednesday said unknown attackers broke into its network and accessed names, Social Security numbers, dates of birth, addresses, and other personal data belonging to members. It said that no health information appears to have been accessed in the breach.

According to Anthem, the second largest healthcare provider in America, the database that was attacked includes records for approximately 80 million people. “Of that, we haven’t determined the exact number of people affected,” a spokesman said via e-mail.

While this attack may be the largest ever on a healthcare company, it comes as attackers are going after hospitals and healthcare companies with growing frequency. In many cases, according to security experts, they are finding easy targets. But just as sustained attacks on retailers and banks led to improved in security, healthcare may also begin strengthening its protections, too.

“Healthcare has been one of the top three targets for the last three years," says Kevin Epstein, vice president of advanced security and governance at email security security vendor Proofpoint. “The difference is they have been out of the public eye and because of that some organizations have taken a more laissez faire, wait-and-see attitude [toward security]."

Now, he said, breaches like the one at Anthem are a “scathing indictment of how at a board level, security has not been a crucial issue to date.”

With healthcare data increasingly being digitized, stored, accessed, and shared electronically, attackers have many more opportunities to go after it than before. Often, according to security experts, the data is easier to get at than sensitive information stored by financial services companies or retailers because many of the organizations digitizing health data aren't savvy enough about preventing hacks.

The Anthem hack is the second major incident involving a healthcare organization in recent months. In August, Community Health Systems, a large health network based in Franklin, Tenn., reported in a regulatory filing that hackers had broken into systems and accessed personal data belonging to 4.5 million individuals.

What's more, a chronicle of data breaches maintained by the Privacy Rights Clearinghouse shows that there have been at least 78 publicly reported data breaches involving healthcare organizations since January 2014. A survey by PricewaterhouseCoopers (PwC) last year showed healthcare organizations reporting a 60 percent increase in detected intrusions in 2014 compared to the year before, with financial losses from such incidents soaring 282 percent during the same period.

In 2014, breaches in the medical and healthcare industry accounted for nearly 43 percent of all data breaches – higher than any other industry, according to the Identity Theft Resource Center. It marked the third year in a row where breaches in the healthcare sector topped all other industries.

Yet, the trend has garnered little of the attention that the breaches at companies such as Sony Pictures, Target, and Home Depot have received. Those attacks, to be sure, have been spectacular in scope and immensely costly for the companies involved. 

But from a consumer impact perspective, cyberattacks on healthcare organizations are more troubling because of the kind of data involved.

Unlike many retail breaches, which typically involve loss of credit and debit card account information, a majority of breaches in the healthcare sector involve information that can be used to forge identities and to commit healthcare fraud. In the case of Anthem, no protected health information appears to have been accessed. But the information that was stolen – Social Security numbers, dates of birth, addresses and the like – is enough to commit identity theft on an unprecedented scale.

“It is a nightmare,” said Jaime Blasco, vice president and chief scientist at security firm AlienVault. “If the attackers had access to names, birthdays, addresses, and Social Security numbers, it means that information can be easily used to carry out identity theft schemes,” he said in an e-mail. “It means cybercriminals can buy access to the stolen data and use that information to drain your bank account, open new credit accounts and telephone accounts or even utility accounts.”

PwC, like many others, says that criminals are targeting healthcare providers and payers simply because of how valuable their data is compared to other data sets.

“A health record often comprises a full complement of information – financial, medical, family, and personal – that can be used to construct a complete identity,” the firm noted in its report last year. A complete record, containing health insurance credentials can fetch up to $1,000 in the black market compared to stolen payment card data which typically fetch about $1 a piece, PwC notes.

Ron Sadowski, director of technology solutions at RSA, the security arm of EMC Corp., said what’s going on in the healthcare sector fits a longstanding pattern.

The mother lode of personal data held by healthcare companies provides the motive that hackers need while the ongoing migration of health data to an Electronic Health Records system provides them the opportunity, he said. “When you look at any crime, it requires motive and opportunity."

 

You've read  of  free articles. Subscribe to continue.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.