Several weeks ago I had the opportunity to speak on a panel at a healthcare conference. In attendance were CIOs, CISOs, VPs of IT, and members of legal counsel. The individuals attending the session represented organizations ranging from small- to medium-sized business associates all the way up to large, multi-networked hospitals defined as covered entities under the Health Insurance Portability and Accountability Act (HIPAA).
As is customary at these events, the moderator of the session looked for opportunities to engage the audience. The initial “softball” question lobbed to the audience was one we are all too familiar with: “What keeps you up at night?” While the answers included OCR audits, business associate management, and others, the almost unanimous response was the possibility of a data security breach involving patient information, formally known as protected health information (PHI).
To further set the tone for this blog post, I was recently asked by a media source what my IT security predictions were for the healthcare industry in 2015. Without hesitation, my response was, “2015 is going to be the year of the MEGA healthcare data breach.” What I didn’t know at the time was how soon that prediction would come true.
As you’ve probably already heard (big news travels fast), the nation’s second largest insurer, Anthem, notified the media of a suspected data breach involving upwards of 80 million individuals. If in fact this breach affects anywhere close to that number of individuals, it will instantly dwarf the nation’s largest healthcare breach ever, which impacted just 4.9 million of TRICARE’s patients back in 2011.
News of the Anthem breach broke on Wednesday, February 5, and the associated threat vector is presumed to be an advanced persistent threat (APT), better explained as a targeted and sophisticated cyber hacking threat aimed at stealing massive amounts of data. This event hits home on a personal note because I was one of the recipients of the mass email from Anthem’s CEO informing me that I may have been one of the affected individuals – not too comforting.
There are several things that we’ve come to know, and in some cases almost brushed aside, since the enactment of the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009:
1) PHI records are grossly (up to 50 times) more valuable on the black market than credit card and social security numbers;
2) Attackers have typically targeted large retailers, as seen in 2014 with Target, Neiman Marcus, Sally Beauty, and numerous others;
3) There is an unlimited number of threat vectors, threat agents, and vulnerabilities that could culminate in a data security breach; and lastly
4) The Office for Civil Rights (OCR) is actively, albeit delayed and without a big enough stick, auditing covered organizations and handing out million-dollar penalties in the wake of data breaches such as Community Health Systems and New York Presbyterian, both in 2014.
While this message is not an attempt to scare you into compliance, it’s a gentle nudge to remind you that the threats are real, the hackers exist, and the healthcare industry at large is at risk. More importantly, it’s a reminder that the privacy and security of patient information is of utmost concern, as recently addressed by the Obama administration’s $1.09 trillion Department of Health and Human Services budget proposal.
We all know the best way to learn is through the mistakes of others and shared information. And the best defense is a well-planned and executed, ongoing, proactive offense. So, if you have doubts about whether your PHI environment can withstand an attack or an internal incident, now is the time for action. Below is a list of Coalfire’s services that are geared towards increasing the maturity of organizational risk management and cyber security programs.
The value we propose to our customers is not a one-time “audit”, but rather a relationship built on being a trusted advisor. Should you have any questions, please don’t hesitate to reach out to me directly.
Investment/Benefit Analysis Associated with Coalfire’s Services