The data breach at Anthem holds important lessons for risk managers, say four cyber security experts consulted by Healthcare Risk Management.
The Anthem breach and other recent incidents demonstrate that “compliance does not equal security,” says Ulf Mattsson, chief technology officer at Protegrity, a Stamford, CT-based provider of enterprise data security software and services. “We strongly urge healthcare organizations to not only follow regulatory security rules, but to go beyond them, as they are just a baseline or minimum of acceptable security.”
The sophistication of attacks continues to grow, says Steve Hultquist, chief evangelist at RedSeal, a security analytics company in Sunnyvale, CA. Attackers are using increasingly powerful automation to probe for and attack weaknesses through the network of connected systems. “Ensuring that the dizzying complexity of modern networked systems reflects the intended security architecture and plan is impossible without defensive automation that both protects and analyzes those defenses,” Hultquist says. “Without daily analysis, organizations are left hoping that their systems are operating as they intend, and we’re learning that any such hopes are in vain.”
The information stolen from Anthem includes key pieces of data that can be used to access someone’s financial records or steal a person’s identity, notes Eric Chiu, president and co-founder of HyTrust, the cloud control company in Mountain View, CA. “These types of attacks are often extensive in terms of the amount of information bad guys are able to pilfer, because they typically happen from the inside using system administrator or employee credentials,” he says. “Organizations need to make security a top priority and think of it as part of doing business. Otherwise, we will continue to see these breaches happen, and consumers will continue to suffer because of them.”
Martin Walter, senior director at RedSeal, agrees that a breach of a healthcare organization’s records could be worse than a typical company having credit card numbers stolen by hackers. Compared to credit card information, personally identifiable information and Social Security numbers are worth more than 10 times as much on the black market, he explains.
“The interesting thing here is comparing the value of this information to the spending on security in the healthcare sector, which is disproportional. Credit card information in retail tends to be better protected than personally identifiable information and Social Security numbers in healthcare, even though it’s less valuable in terms of selling price,” Walter says. “It was only a matter of time until hackers found out that it’s much easier to go after Social Security numbers and personally identifiable information with healthcare providers, which in comparison spend significantly less on security, making them tentatively easier targets.”
• Eric Chiu, President & Co-founder, HyTrust, Mountain View, CA. Telephone: (408) 776-1400.
• Steve Hultquist, Chief Evangelist, RedSeal, Sunnyvale, CA. Telephone: (408) 776-1400.
• Ulf Mattsson, Chief Technology Officer, Protegrity, Stamford, CT. Telephone: (203) 326-7200.