Being rich in information, the healthcare industry has become one of the most vulnerable industries. It is being targeted by cyber-criminals as it contains information ranging from an individuals’ personal information credit information to protected health information (PHI) – all in one place. It translates into a high return when such data is viewed in monetized aspect.
Industry needs checks in place, HIPAA has institutionalized such checks specific to the healthcare industry and to protect patients against loss, theft or disclosure of their sensitive medical information. In June 2005 the U.S. Department of Justice (DOJ) clarified who can be held criminally liable in Healthcare related breaches. As per legislation, entities and specified individuals within the healthcare industry, who “knowingly” obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment up to one year.
Despite the checks, guidelines and legislation in place, cybercriminals find a way to breach. Every shortcoming comes with a lesson.
Listed below are the top 5 health care breaches, and what the industry can learn from them:
- Anthem
Anthem, the second-largest health insurer in the USA, was a victim of a massive data breach with over 80 million affected Individuals. The case pointed out that timely disclosure of data breaches is usually in the best interest of both the organization and affected parties. Being transparent helps in better crisis management, and in planning to move quickly and decisively while managing relations with customers and stakeholders. Anthem discovered the attack on January 29, 2015 when a system administrator noticed a suspicious database query. Anthem choose to promptly notify law enforcement and the public about the breach. It also extended credit monitoring services to the affected. - Premera Blue Cross
Premera Blue Cross, a non-profit licensed health insurance company breach was reported on January 29, 2015. The learning for business from this breach is to make more efforts to implement top-of-the-line cyber security measures that exceed the industry standard. Premera did not have the security systems in place to discover the breach until the breach was reported. The breach affected 11 million individuals including customers, employees and business affiliates. A class-action lawsuit was undertaken and credit monitoring was made available to protect victims in the future. - Excellus Health Plan
Excellus Health Plan reported a cyberattack On August 5, 2015 affecting 10 million records. The takeaway for industry is that it is imperative for the healthcare sector take preventive and proactive measures to bolster security processes, systems and measures in safeguarding its digital assets. Stay vigilant and bring in experts to review system on a regular basis. It took Excellus 19 months to discover the breach. The delay in discovering the breach has been a concern as per IT security experts and this should encourage other healthcare companies to take a close look at how they are handling their cybersecurity measures – both prevention and detection. - Protected health information
Protected health information of nearly 4.5 million people were compromised at UCLA Health when hackers launched a cyber-attack on the health system’s network. It signalled the need to attain prompt breach notifications by putting more thought, investment, training, technology and staff into IT/Cyber security and especially security risk analysis and the need for staff to brush up anti-phishing skills. To compensate UCLA Health offered all potentially affected individuals 12 months of identity theft recovery & restoration services, additional health care identity protection tools and credit monitoring. - Medical Informatics Engineering
Medical Informatics Engineering faced a breach in which 3.9 million individuals were affected. The company detected the cyber-attack after 19 days of the effect. This beach put into perspective that Healthcare organizations should take the preventative measures necessary to avoid more breaches in the future, like increased active monitoring of the affected systems. Remedial efforts were undertaken, including removing the capabilities used by the intruder to gain unauthorized access into the affected systems, enhancing & strengthening passwords, rules and storage mechanisms, increased active monitoring of the affected systems and intelligence exchange with law enforcement.
IDC’s Health Insights group predicts that 1 in 3 health care recipients will be the victim of a health care data breach in 2016. Healthcare providers (including insurance providers) must encrypt personal information. Use of identity management system will be beneficiary that deals with the carriers and handles PHI. It is time healthcare sector to take proactive steps in battling cyber-crime, and the least they can do is bring in technology that discourages breaches.
