Just as 9/11 shattered our assumptions about the impregnability of U.S. defense systems, the recent Anthem Inc., Premera Blue Cross and Community Health Systems mega-breaches show that we need a top-to-bottom re-examination of what information risk management really requires.

This article, originally published on HealthcareInfoSecurity

To be fair, most healthcare boards of directors and C-suite executives have had their hands full just dealing with the Affordable Care Act and the momentous shift from the fee-for-service model to value-based care. That may be the reason why so many healthcare boards and C-suites are either ill-informed or disengaged from information risk management.

In the wake of the highly publicized Community Health Systems, Anthem and now Premera hacking incidents, most organizations are scrambling to play catch-up – often trying to “checklist” their way to security. By default, and in the absence of board and C-suite direction, this approach is often too technical, too tactical and involves too much spot-welding.

Here are some reasons why it’s not a matter of if, but when, the next Anthem-style disaster strikes:

Most organizations don’t truly understand the scope of the problem. Although the Anthem hacking incident, which affected 78.8 million individuals, made headlines worldwide, hackers only account for about 8 percent of major health data breaches since September 2009, according to the Department of Health and Human Services. The other 92 percent are mainly due to preventable mistakes made by an organization’s own employees and business associates – losing a laptop containing unencrypted PHI, improperly disposing of paper records, “snooping” into and disclosing confidential data, etc. A health system might pat itself on the back for avoiding an Anthem-type breach, then get stung by a smaller scale breach that can still tarnish its reputation and cost millions to remedy.

The value and vulnerability of patient data are increasing dramatically. The anticipated growth of the national eHealth Exchange means that the likelihood of breaches will continue to rise. The exchange is predicted to soon connect hundreds of hospitals and thousands of medical groups. Hackers will no doubt be encouraged by what the Anthem thieves got their hands on: dates of birth, physical and e-mail addresses, and Social Security numbers of nearly 80 million individuals. That’s the equivalent of the entire populations of California, New York, Illinois and Maryland.

Too few organizations have a formal process for benchmarking the maturity of their IRM programs. The healthcare field is way behind other industries in this regard. The FBI said as much in its April 2014 Privacy Industry Notice and its August 2014 Alert. Many manufacturers and retailers routinely use maturity models to test the efficacy of their supply chain management and business intelligence. Healthcare needs to make it a priority to benchmark its IRM programs.

The term “data security expert” doesn’t equate with “risk management expert.” Too many healthcare organizations rely on their IT staff to ward off hackers, forgetting that breaches also come in a variety of low-tech (or no-tech) varieties. Plus the Anthem breach begs the question: What were the “experts” really doing?

Although the hackers did penetrate several layers of Anthem security, they may have gained access to the huge database by using a stolen password. And numerous media reports suggest that Anthem hadn’t bothered to encrypt the database. At the very least, we shouldn’t be making it easier for hackers to do their job. Whether the Anthem hackers were part of an international cyber-espionage team – or just brainy teenagers – doesn’t really matter. Several news organizations are reporting that the insurer will soon exhaust its $100 million cyber-insurance coverage to meet the staggering cost of identity theft repair and credit monitoring.

This article, originally published on HealthcareInfoSecurity

Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.