What the Anthem breach means for healthcare organizations

The cyber attack on Anthem BlueCross BlueShield is being called the largest data breach ever in the healthcare industry, and a warning of things to come as criminal gangs and even nation states take aim at valuable health data stored by insurers, hospitals, doctors’ offices and others.

Even though medical records and credit card details weren’t stolen in the Anthem breach, experts say medical identity theft is on the rise because the type of data stored by healthcare organizations is of great value for crooks. Records like Social Security numbers can be used for many types of fraud and can’t be changed easily – while a credit card can be canceled, a patient whose Social Security number is stolen could be haunted by identity theft for a very long time.

What happened in the Anthem breach is still being worked out by investigators, but the implications are clear – healthcare organizations are now in the cybercriminals’ sights, and the consequences are significant for their customers, and for those organizations’ reputations and regulatory compliance.

In the U.S., the sharing of healthcare information is regulated under the Healthcare Information Portability and Accountability Act (HIPAA) as well as the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Under the HIPAA law, organizations need to disclose breaches to affected customers, major media outlets, and regulators in order to remain compliant. And they’re required to have a comprehensive data protection policy in place.

The FBI warned healthcare companies last year that the healthcare sector is far behind other industries in terms of cybersecurity and data protection. With the threat growing and compliance costs looming, healthcare organizations are wisely looking to invest in better security.

What can healthcare organizations do?

Data loss prevention requires security on multiple levels, from protecting the data itself to the devices where it is stored and the people who access it.

Data encryption is essential for keeping the data secure as it moves from one place to another.

A complete data protection solution should also ensure the protection of your users’ credentials. The weakest point of any system is always the user, so your security solution needs to enforce a strong password policy, and it should let you lock down access for an end user who suspects their identity has been compromised.

Users, and even administrators, don’t need access to all of an organization’s files, but many have it as part of their role, making them targets. An encryption solution can fix that with a separation of duties and roles. That way, even if a user’s credentials are compromised, the attacker cannot read files that were encrypted with keys that user does not hold.
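The separation of duties described above, as an added illustration that is not code from the original post or from any Sophos product: each role gets its own AES-256-GCM data key, a user's credentials unlock only the keys for the roles they hold, and a record sealed under another role's key cannot be opened with a stolen login. The `KeyRing` type, the role names and the sample record are all constructed for this example; a real deployment would keep the role keys in a key-management service rather than in memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyRing maps a role to its AES-256 data key; a login unlocks only the roles it holds.
type KeyRing map[string][]byte

// NewRoleKeys makes one random key per role (stand-in for a KMS or HSM).
func NewRoleKeys(roles ...string) KeyRing {
	ring := KeyRing{}
	for _, r := range roles {
		ring[r] = make([]byte, 32)
		rand.Read(ring[r]) // crypto/rand: never returns an error on supported Go versions
	}
	return ring
}

// aead returns the AES-GCM cipher for a role, or an error when no key is held.
func (ring KeyRing) aead(role string) (cipher.AEAD, error) {
	key := ring[role]
	if len(key) != 32 {
		return nil, fmt.Errorf("no AES-256 key held for role %q", role)
	}
	block, _ := aes.NewCipher(key) // cannot fail: key length checked above
	return cipher.NewGCM(block)
}

// Seal encrypts a record as nonce||ciphertext, binding the owning role as associated data.
func (ring KeyRing) Seal(role string, plaintext []byte) ([]byte, error) {
	g, err := ring.aead(role)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, plaintext, []byte(role)), nil
}

// Open decrypts a record; a ring without that role's key fails before any decryption.
func (ring KeyRing) Open(role string, sealed []byte) ([]byte, error) {
	g, err := ring.aead(role)
	if err != nil || len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("cannot open record owned by role %q", role)
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], []byte(role))
}
```

To see the separation in action, seal a record with the full ring under the "clinical" role, then issue a billing clerk a sub-ring such as `KeyRing{"billing": master["billing"]}`: calling `Open("clinical", rec)` on it fails without touching the ciphertext, while a ring holding the clinical key decrypts the record, and any tampered or relabelled record fails the GCM authentication check.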

Learn more about how to stay HIPAA healthy

Don’t become tomorrow’s headline. Join Sophos for a free webcast explaining how healthcare organizations can secure data and maintain compliance.