Feb 10 2015

Anthem – What should you do about it?

Anywhere you look lately, someone is falling victim to a data breach. In 2014, Sony was the biggest name that fell victim to a cyber attack and subsequent data breach. And around the time of that massive breach, experts began to sound an alarm for pending attacks, likely targeting the health care networks. MIT went so far as to call 2015 the year of the health care hack.

And, with news of the massive Anthem breach breaking late on February 4th, even if no other substantial breaches were to happen in 2015, they would be correct. The Anthem breach impacts upwards of 80 million records, though as of this time, no one outside of the criminals knows precisely how extensive the exposure will be.

There are a couple important reasons why personal health information is considered a prime target. For one thing, as hospitals and health care organizations migrate from paper to digital records and are looking to replace paper charts with tablets and such, the focus has largely been on functionality, not security. Also, healthcare costs have risen, so organizations are always looking for ways to avoid costs-which can mean that necessary infrastructure that would cover security gets delayed or ignored. And then there is the motivating factor for cyber criminals: while harvested credit card information could be worth about a dollar per record, harvested PHI is estimated to be worth 10 times as much (http://www.net-security.org/secworld.php?id=17917) due in large part to what the records contain. If you were to gain access to someone’s health information, you could easily engage in identity theft.

As a customer, what can you do? Sadly, not much, as the ones to secure the data falls to the organizations. As a result of the breach, Anthem is now paying for credit monitoring and ID protection services for all impacted; you could also do this on your own to remain vigilant, as it’s one way to protect from future issues.

As an IT provider or decision maker in such an at-risk organization there are a number of things you could do. First, performing risk assessments and security audits-both internally and via a 3rd party-would be wise expenditures of time and resources. Having regular vulnerability assessments performed will allow you to be confident that your network is in better shape to ward off attacks. Also, it is imperative to make sure all systems are running the most up to date, vendor recommended patches. Usually patches are released in part to address security holes, so failing to maintain an up-to-date code level could leave you exposed to attacks that should have been prevented. Lastly, having regular training with employees to ensure they are aware of any social engineering exploits and how to handle them is crucial, as a firm’s employees tend to represent a major ingress point.