The cyber-attack on Anthem, the nation’s second-largest health insurer, directly reflects the vulnerability of healthcare organizations, which are years behind other industries in protecting personal information. In today’s healthcare industry, the federal government encourages sharing information across the continuum, which is critical to improving patient care. The challenge is the balancing act between protecting personal information and making it useful – the health information exchange teeter-totter. Current federal privacy regulations and the industry standard call for encrypting information that is sent from the database; however, on-premises data commonly remains unencrypted, leaving it vulnerable to an attack.
Anthem followed industry standards and encrypted the medical information that was shared outside of its database, but because it failed to secure its on-premises data, hackers gained access to up to 80 million records that include Social Security numbers, birthdays, addresses, email, employment information and income data for customers and employees. Scrambling personal data makes it less valuable to hackers, but also makes it more difficult for healthcare employees to track trends and share data with other healthcare providers and states.
Other industries such as the financial services industry keep personal information in separate databases that can be closed off in an attack. Avivah Litan, an analyst for Gartner who specializes in cyber-security, said healthcare organizations “are generally less secure than financial service companies who have the same type of customer data.” For example, the attack on JPMorgan Chase last summer compromised the personal information of over 80 million households and small businesses, but the breach was limited to non-financial information because the more sensitive information was walled off, which meant hackers could not penetrate it.
Unfortunately, in healthcare the question isn’t whether the next data breach will occur but rather when it will occur. Balancing out the health information exchange teeter-totter will continue to be a challenge for the healthcare industry. The criminal value of the information that healthcare organizations store, combined with the slow adoption of security measures, makes healthcare organizations prime targets for hackers.