It’s easy to become desensitized to the news of data breaches, but an incident last week should have healthcare companies on high alert. Hackers stole millions of Americans’ personal information in the breach, making it the largest healthcare data breach in history.
Hackers breached servers at Anthem, the second-largest health insurer in the United States, which offers several Blue Cross and Blue Shield health plans across the country. The breached database included Social Security numbers, names, birth dates, addresses, employment information and email addresses for up to 80 million people.
The Importance of Protecting Healthcare Data
The Federal Bureau of Investigation (FBI) has warned that the healthcare industry is not as prepared for cyber crime as the financial and retail sectors. Just last month, experts warned that healthcare companies would see large-scale hacks in 2015. Unfortunately, their predictions became a reality with the Anthem hack.
“The healthcare industry’s cyber security practices must be more mature than other industries,” said John Harris, senior vice president of product management at SIGNiX. “Healthcare companies must move fast to protect patients against data breaches that could lead to identity theft and HIPAA violations.”
In the case of the Anthem breach, hackers gained access to enough information to open new accounts or take over a person’s existing accounts. This type of breach leads to loss of public trust, not to mention legal and regulatory disputes.
In fact, the first consumer lawsuits around the Anthem breach have already been filed. The suits filed in California and Alabama claim that the health insurer didn’t take the right precautions to protect customer data from hackers.
“People feel violated, and the more personal it feels, the more likely we are to take notice,” Dwayne Melancon, CTO of security software provider Tripwire, said in a recent interview with HealthLeaders Media. “This may be a bellwether moment where we look back in a few years and say the Anthem breach triggered all of this and healthcare information is much more secure because of this. I hope that is what happens, because this is critical data that we need to protect.”
Authentication is Key to Safeguarding Patient Data
It’s easy enough to encourage better data security practices, but protecting healthcare data is no simple matter. Data encryption is important, but it’s not always good enough.
“You also have to have good segregation of data, where you make sure that only a select group of people can access sensitive data, that there are lots of controls around it, and make it more difficult for people to casually browse data and take it,” Melancon said.
One way to make it more difficult for hackers to access sensitive data is to use a technique called two-factor authentication. The system combines something users know (like a password) with something they have (like a numeric code sent to their smartphone), so a stolen password alone is not enough to get in.
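The following is an added example, not code from the article or from any company quoted in it. It shows the login flow described above in working Python: a password check (the "something you know") followed by a time-based one-time code (the "something you have"), implemented per RFC 4226/6238 with only the standard library. The user record, its salt and the password are constructed sample data; the TOTP secret is the RFC test-vector key, used so the codes are reproducible, and a real deployment would generate a random per-user secret.

```python
import hashlib
import hmac
import struct

# Constructed sample user store. A real system would keep per-user random
# salts and a randomly generated TOTP secret; this fixed secret is the
# RFC 4226/6238 test-vector key so the codes below are reproducible.
_SALT = b"constructed-salt"
USERS = {
    "nurse.jane": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
        "totp_secret": b"12345678901234567890",
        "last_counter": -1,  # highest time step already accepted (replay rejection)
    }
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password for a given counter value."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based code: HOTP over the current 30-second time step."""
    return hotp(secret, int(at_time) // step, digits)


def check_password(username: str, password: str) -> bool:
    """First factor: constant-time comparison against the stored PBKDF2 hash."""
    user = USERS.get(username)
    # Hash even for unknown users so timing does not reveal valid usernames.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if user is None:
        return False
    return hmac.compare_digest(candidate, user["pw_hash"])


def check_second_factor(username: str, code: str, now: float,
                        step: int = 30, window: int = 1) -> bool:
    """Second factor: accept the code for the current step or one step either
    side (clock drift), but never a step at or below the last accepted one,
    so an intercepted code cannot be replayed."""
    user = USERS[username]
    current = int(now) // step
    for counter in range(current - window, current + window + 1):
        if counter <= user["last_counter"]:
            continue
        if hmac.compare_digest(hotp(user["totp_secret"], counter), code):
            user["last_counter"] = counter
            return True
    return False


def login(username: str, password: str, code: str, now: float) -> bool:
    """Both factors must pass; the second is only checked if the first did."""
    if not check_password(username, password):
        return False
    return check_second_factor(username, code, now)


if __name__ == "__main__":
    # Simulate the phone generating a code at t=59 and the server checking it.
    phone_code = totp(USERS["nurse.jane"]["totp_secret"], 59)
    print("code from device:", phone_code)            # 287082
    print("login:", login("nurse.jane", "correct horse", phone_code, 59))  # True
    print("replay:", login("nurse.jane", "correct horse", phone_code, 59))  # False
```

The `last_counter` bookkeeping is what turns a one-time code into a genuinely one-time credential: a code copied by malware or a phishing page is useless once the legitimate user has used it, and the ±1 step window keeps the scheme usable when the phone's clock drifts by a few seconds.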
“Two-factor authentication is an easy way for healthcare companies to add security to their electronic health record systems,” Harris said. “This adds a layer of protection by requiring more than one type of identification before giving access to any records.”
Other experts agree, saying it’s surprising that two-factor authentication isn’t used for all systems where sensitive information is stored.
“The lesson that everyone clearly should learn is to require two-factor authentication for access to critical or sensitive data,” Eric Cowperthwaite, vice president of advanced security and strategy at Core Security, said in a recent interview.
Cyber security experts hope the Anthem breach will serve as a wake-up call for healthcare companies to beef up security.