Anthem Inc hack; why healthcare insurers need to raise their bar on cyber security

It has been known for some time that healthcare information is a target for hackers, and also that the motivation for these thefts has diversified. Such data is now used not only for identity theft but is also believed to be targeted by countries such as China for political purposes, such as identifying potential spy targets.

The huge theft from Anthem Inc, the second-largest health insurer in the US, announced this week is estimated at 80 million records, the largest theft of healthcare data yet. The attack also affected their subsidiary companies such as Amerigroup, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Caremore, Unicare, Healthlink, and DeCare. The largest previously known hacker theft from a healthcare company was last year’s intrusion at hospital operator Community Health Systems Inc., which involved the records of 4.5 million consumers. While the exact method of attack has not yet been made public, the security firm investigating has described the attack as advanced and customised to the target.

In a letter sent to all customers, President and CEO Joseph Swedish acknowledged the breach: ‘Anthem Blue Cross Blue Shield was the target of a very sophisticated external cyber attack. These attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data. Based on what we know now, there is no evidence that credit card or medical information (such as claims, test results or diagnostic codes) were targeted or compromised.’

The early acknowledgement of the breach is interesting in itself; currently companies are only legally required to inform customers within 60 days of the attack. However, in his recent State of the Union address President Obama alluded to his proposals to shorten the time within which companies are required to inform customers, which may have been a factor in the early announcement. One might also speculate that maintaining transparency is simply good public relations strategy, reassuring the company’s huge customer base.

What perhaps ought to be scrutinised in light of this large breach, and of the continuing trend of targeting healthcare data, is how effective the HIPAA regulations are in protecting this information. In their current form they are far less detailed than their retail counterpart, PCI DSS (Payment Card Industry Data Security Standard). Details of the relevant HIPAA requirements can be found in our HIPAA compliance white paper. So perhaps HIPAA ought to be revisited? Or perhaps we need to question whether compliance regulations can really be of benefit in the current cyber security climate? An organisation might well comply with regulations, but what is really required is maximum investment in security, both in tools to locate any weaknesses and vulnerabilities and in trained professionals to test the security measures in place.

Regardless of what the next step for healthcare information security turns out to be, what is clear from this Anthem Inc hack and the new trend in attacks is that the focus has shifted away from financial data, likely due to increased security measures by banks. Instead, personal details alone are a target and can be used in the growing crime of identity theft. No doubt pressure will now come from multiple sources for healthcare providers and insurers to toughen up on cyber security, which in this growing field of risk can only be a positive outcome.

  • “An organisation might well comply with regulations, but what’s really required is maximum investment in security, both in tools to locate any weaknesses and vulnerabilities and in trained professionals to test the security measures in place.”

    You could very easily be in compliance and meet all the requirements and still not be totally secure. Compliance should be seen as a minimum level of anything, but healthcare companies need to go above and beyond.