
Anthem’s Breach Highlights Calls for Stronger Cyber Security, Gap in HIPAA

Health Insurer Data Breach Spotlights Vulnerabilities

Back in December we featured a report by Experian that identified the healthcare industry as one of the sectors most vulnerable to data breaches and predicted that it would see increasingly more attacks in 2015. The risk is so great that in April of 2014, the FBI released a private notice to the healthcare industry warning providers that their cyber security systems are lax compared to other sectors. Now, only a month into the new year, we have news of a massive breach at health insurer Anthem.

According to experts, the information at Anthem, one of the nation’s largest health insurers, was vulnerable because the company did not take adequate steps, such as protecting the data stored in its computers through encryption, in the same way it protected medical information that was sent or shared outside of the database (to physicians, for example). It’s important to note that the main federal health privacy law – the Health Insurance Portability and Accountability Act, or HIPAA – encourages encryption of stored data but doesn’t require it.

“We need a whole new look at HIPAA,” said David Kibbe, CEO of DirectTrust, a nonprofit working to create a national framework for secure electronic exchange of personal health information. “Any identifying information relevant to a patient … should be encrypted,” said Kibbe. It should make no difference, he says, whether that information is being transmitted on the Internet or sitting in a company database, as was the case with Anthem.

The Anthem Breach

The hackers gained access to up to 80 million of Anthem’s records that included Social Security numbers, birthdays, addresses, email and employment information and income data for customers and employees, including its own chief executive. To date, there is no evidence, however, that credit card data or medical information was compromised. Ongoing forensics may discover otherwise, caution experts.

It’s believed that the hackers infiltrated the insurer’s networks by using a sophisticated malicious software program that gave them access to the log-in credentials of an Anthem employee. “This is one of the worst breaches I have ever seen,” Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse, a nonprofit consumer education and advocacy group, told the New York Times. “These people knew what they were doing and recognized there was a treasure trove here, and I think they are going to use it to engage in very sophisticated kinds of identity theft.”

Will Stronger Cyber Security Measures be Required?

Encryption has been seen as a controversial issue in the healthcare industry, particularly with data that’s only being stored and not transmitted. Encryption adds costs and can make day-to-day operations more cumbersome. It can also be defeated if someone manages to decipher the code or steals the key to it. In fact, according to the Associated Press, Anthem spokeswoman Kristin Binns said encryption would not have thwarted the latest attack because the hacker also had a system administrator’s ID and password. She said the company normally encrypts data that it exports.

However, some security experts said a stolen credential by itself shouldn’t be an all-access pass to encrypted data. Martin Walter, senior director at RedSeal Networks, a Silicon Valley cyber security firm, said encryption could be tuned to limit the data that even authorized users can view at one time. That makes it harder for an outsider to copy a whole stockpile of records.

Indiana University law professor Nicolas Terry said it seemed at the time of the HITECH Act in 2009 that the government had struck a reasonable balance, creating incentives for encryption while stopping short of imposing a one-size-fits-all solution. Now he’s concerned that the compromise has been overtaken by events, as he told the Associated Press: “In today’s environment, we should expect all healthcare providers to encrypt their data from end to end,” said Terry, who specializes in health information technology.

Others are also calling for the healthcare industry to strengthen its cyber defenses regardless of regulations, saying that it is likely to remain a vulnerable target because it has been slower to adopt measures like keeping personal information in separate databases that can be closed off during an attack. The healthcare industry “is generally less secure than financial service companies who have the same type of customer data,” said Avivah Litan, an analyst for Gartner who specializes in cyber security, according to the New York Times.

In addition, in the wake of the Anthem breach, the Senate Health, Education, Labor and Pensions Committee stated that it’s planning to examine ways to strengthen encryption requirements as part of health information security.

We will continue to keep you updated on this important issue and increasingly emerging risk. Axis Insurance Services specializes in providing Cyber Liability insurance to medical facilities along with other critical management liability coverages. To find out more about our cyber insurance programs, please call us at (877) 787-5258.

Sources: New York Times, Associated Press


Blogged on: February 11, 2015 by Mike Smith