Anthem Breach Shows Health Care Organizations’ Vulnerability
February 6, 2015 in News
A cyberattack against health insurer Anthem is serving as a reminder that large health care organizations are susceptible to hacking, according to cybersecurity experts, Modern Healthcare reports (Rubenfire/Conn, Modern Healthcare, 2/5).
Background on Anthem Data Breach
On Wednesday, Anthem announced that hackers had accessed a database containing the personal information of about 80 million of its customers, former customers and employees.
Anthem spokesperson Cindy Wakefield said that the company is “still investigating to determine how many were impacted” but that “[a]t this point we believe it was tens of millions.” The company said it did not yet know the source of the cyberattack (iHealthBeat, 2/5).
However, experts pointed to gaps in Anthem’s security practices as the reason it was vulnerable. They noted that Anthem did not encrypt the personal data it stored in the database, although it did encrypt medical information when that information was transmitted outside the database. Encryption at rest limits what an attacker can read from a copied table; it does not help once the attacker holds the credentials or keys of an application that is permitted to decrypt the data, so the keys have to be kept apart from the database itself.
In addition, Anthem, like many other health care organizations, did not segment personal data into separate databases that could be isolated once an attack was detected, experts said (Abelson/Goldstein, New York Times, 2/5).
In response, HHS’ Office for Civil Rights is urging health care companies to encrypt as much data as they can. However, HIPAA does not require encryption of stored data (the Security Rule lists it as an “addressable” safeguard rather than a mandatory one), only of data that are shared (Yadron/Beck, Wall Street Journal, 2/5).
Potential Implications for Federal Health Data Systems
The news also prompted HHS’ OIG to launch an investigation into whether the personal data of Medicare and Medicaid beneficiaries were compromised as a result of the Anthem attack, the AP/Sacramento Bee reports.
According to the AP/Bee, Anthem offers:
- Medicaid managed care plans;
- Medicare Advantage plans; and
- Plans sold through the exchanges created under the Affordable Care Act.
HHS’ OIG is working with the FBI on the case (Alonso-Zaldivar, AP/Sacramento Bee, 2/5).
Further, the attack on Anthem has sparked concern over whether consumer data shared with federal health care websites are protected, The Hill reports.
Senate Homeland Security and Governmental Affairs Committee Chair Ron Johnson (R-Wis.) said sites such as HealthCare.gov and Medicare.gov were “one of the first things [he] thought about” upon hearing about the Anthem breach. He added, “Certainly we need to make sure our own government websites and our cyber assets are secure.”
Senate Finance Chair Orrin Hatch (R-Utah) said that government IT developers “have not put in the fail-safe requirements or mechanisms that protect some of this data” and “[i]t’s a doggone disaster.”
Christopher Budd, a TrendMicro security expert, said health care organizations are no longer “standalone entities” but are “interconnected.” He explained that since Anthem sells plans through the federal and state exchanges, data flow among the sources, creating “roadways that attackers could be using” (Bennett, The Hill, 2/5).
However, CMS spokesperson Aaron Albright said that there is no evidence that the Anthem attack has compromised any data stored on HealthCare.gov or Medicare.gov and that CMS systems have not been breached. He said the department will “remain vigilant in responding to cybersecurity events” (Bennett, The Hill, 2/5).
Experts Say All Companies at Risk
CynergisTek Founder and health care security expert Mac McMillan said the attack “basically proves that it doesn’t matter how big you are or how much money you spend and how diligent you are at protecting your data, you can still have an incident,” adding, “Everybody could have a breach.”
Experts say the attack shows why organizations need stringent cybersecurity measures and skilled IT staff to protect consumers’ private data. In addition, organizations should have a multifaceted strategy for protecting against hackers, including:
- Access control measures;
- Antivirus tools;
- Employee training;
- Internal and external firewalls; and
- Phishing filters.
Further, companies should carry cybersecurity insurance, because attacks can still succeed despite these controls, and should have the means to quickly detect and respond to them. Organizations’ contracts with other companies that have access to consumer data should also spell out how the contractor will protect that data and respond if an attack occurs.
According to Modern Healthcare, the attack could prompt many health care organizations to re-evaluate their IT security systems, on which the industry has typically spent less than other regulated industries (Modern Healthcare, 2/5).
Boston University health policy professor Alan Sager said, “The ability of health care companies to compile data has grown far faster than their ability to protect it,” adding, “For too many organizations it’s more about maximizing revenue, while protecting patient confidentiality ranks at the bottom” (Terhune, Los Angeles Times, 2/5).