In a few weeks, security experts from across the US healthcare industry will meet in Atlanta, GA to address the growing cyber threat to their organizations. The meeting is well timed as recent attacks on major healthcare providers, such as Anthem and Premera Blue Cross, reveal alarming weaknesses in the industry’s information security posture. These shortfalls necessitate renewed investment in data and network security, better threat information sharing among industry actors, and closer cooperation between the healthcare industry and government agencies.
A strong information security posture is critical for a number of reasons. Most notably, medical information is a uniquely sensitive form of data. When hackers obtain credit card numbers, online account credentials, or other common customer data, affected parties can simply replace them. But when attackers steal individually identifiable health information—such as medical histories, insurance policy numbers, or biometric data—it can be difficult or impossible to change. These attacks can be devastating and expose customers to a lifetime of identity-fraud risk. The reputational damage that stems from this type of privacy breach is another reason the healthcare industry needs to implement robust information security practices. If a provider appears inept at securing customer data, both current and prospective customers will be far less inclined to trust that organization with their health.
The financial costs of these breaches are also great. Experts estimate that data breaches could cost the healthcare industry upwards of $5 billion per year. Beyond the immediate costs of incident response, customer notification, identity-theft repair, and regulatory fines—which can total hundreds of millions of dollars depending upon the extent of the breach—affected organizations are also likely to face class-action lawsuits that can drain resources far into the future.
Hackers’ incentive to steal is strong and shows no sign of abating anytime soon. On the black market, health insurance data fetches anywhere from 10 to 20 times the price of more basic information, such as credit card data. With the right combination of personally identifiable information (PII), impersonators can acquire prescriptions for controlled substances or advanced medical equipment, which can then be re-sold for a hefty profit. Health insurance data can be even more valuable when used for fraudulent purposes, such as when impersonators file false claims with insurers.
Recent data reveal that the healthcare industry accounts for 43 percent of all data breaches involving PII—a number that is likely to increase as the nature of the information security threat continues to evolve. One of the factors driving this increase is the growing popularity of wearable technology, which has expanded the number of access points for hackers. With millions of new wearables flooding the market each year, opportunities for stealing PII will grow substantially.
Despite the expanding nature of the cyber threat to the healthcare industry, there are a number of solutions available to protect the industry and its customers alike. The attack on Anthem illustrated that choosing ease of use over encryption of sensitive data can have dire consequences. The case also demonstrated the need for stricter access controls on sensitive files. When combined with file encryption, continually reviewed and updated access lists would go a long way toward mitigating information security risk.
Collaboration with industry actors through associations like the Health Information Trust Alliance (HITRUST) and the National Health Information Sharing & Analysis Center (NH-ISAC) is also critical to preventing similar attacks from spreading to other organizations. Finally, cooperating with the US government through initiatives like the Critical Infrastructure Cyber Community Voluntary Program and threat exercises like CyberRX will go a long way toward boosting cyber resilience. Ultimately, the effectiveness of cooperation initiatives with government agencies and other industry actors rests on the willingness of organizations to invest heavily in information security and to be transparent when attacks do occur.