Ten million – that’s the latest staggering number of victims in the cyber hacking world’s rush to steal protected health information (PHI). Excellus BlueCross BlueShield estimates 10 million members and individuals have been affected by an attack that may have gained unauthorized access to names and addresses, dates of birth, social security numbers, financial, and health claim information. Excellus is now contacting those victims with promises to provide free credit monitoring and identity theft protection. What are the lessons of yet another massive cyber breach in the health sector? Here are three:
1. Consider the widespread damage of a cyber breach
There are immediate and long-term costs to both the individuals whose information was compromised, and to the companies that care for their health needs. For individuals, the wealth of stolen data dramatically increases the possibility that a cybercriminal can assume their identity to open new lines of credit, make fraudulent purchases or medical claims, and empty bank accounts.
As Secure Halo explained at the 11th Annual Medical Liability Insurance ExecuSummit in Connecticut on 16 September, cyber attacks and data breaches are impacting health care organizations large and small. There are immediate and significant costs associated with incident resolution and reputational harm, as well as longer-range costs such as decreased customer trust and the potential loss of revenue that such events bring.
Additionally, and as covered entities and their business associates are undoubtedly aware, there is the potential for regulatory penalties levied by the U.S. Department of Health and Human Services for failing to meet HIPAA Privacy and Security Rules. It all adds up to considerable losses. The Ponemon Institute’s 2015 Global Cost of Data Breach study found the healthcare industry has the highest cost per stolen record – at $363 – more than double that of other industry averages.
2. Understand why the medical industry is at particular risk
Excellus is just the latest in a growing list of health insurers like Anthem and CareFirst to be hacked. What is the lure of the healthcare industry to cybercriminals?
- The value of the information stored in healthcare organization databases: personally identifiable information (PII), personal medical history, diagnosis codes, billing and payment card information. It can all be sold on the black market, with fraudulent claims and charges through identity theft not being noticed for months or years.
- The limitations of a compliance-based approach to enterprise security: Savvy cybercriminals and other nefarious actors understand the difference between security and CYA. They know most organizations implement security as a ‘check-the-box’ exercise as a means to pass an annual audit and are not interested in maturing their security beyond the standard. This is an unfortunate reality that must change.
3. Create a holistic and proactive understanding of enterprise threat posture
With attacks in the medical industry happening at a growing rate, the time is now to put a risk-based and relevant risk management program in place.
- While you may start with legacy technical controls and other traditional IT deployments, it’s crucial to remember the multitude of non-technical ways in which cyber risk can be introduced into an enterprise environment. Faceless remote access attacks originating in foreign countries are not the only threat. What about an unencrypted laptop that is stolen, or a disgruntled employee, or gaps in physical security? The Secure Halo risk assessment methodology incorporates standards from best-in-class compliance audits like HIPAA, but exceeds them with a unique approach mapping to over 10 international and national standards. This is combined with expertise obtained from service in the U.S. national security community to provide a complete or holistic view of enterprise risk.
- The HIPAA Security Rule requires all covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of e-PHI. An assessment approach such as our Threat Vector Manager methodology can help you meet that obligation.
It is no secret by now that diversified cyber threats are impacting all organizations, and covered entities and their business associate colleagues in particular. Maturing beyond the standard to a more holistic risk management approach will ultimately lead to a healthier risk posture.