"Healthcare orgs, oh how we love you so, with your data so unsecured, no wonder we give it a go. SSNs, birthdays and addresses, information galore; we can't wait until next year when we steal some more."
This is the song that healthcare data thieves must be singing every time they gain entry into the databases of healthcare organizations across the globe. This week we learned of the giant Anthem breach, which may have affected over 80 million customers and may be the largest healthcare breach in history. For those of you who aren't familiar with Anthem, they are the second largest insurance provider in the USA. It is ironic that an insurer tasked with protecting its customers' health and wellness couldn't secure their data. The information stolen? SSNs, employee names, birthdays, addresses, email addresses and employment information.
The breach was discovered on January 27 and had begun on December 10. It was the result of cyber criminals gaining access (no one is sure exactly how, but the guesses are lost mobile devices or a phishing attack) to an unencrypted database, which then allowed them to exfiltrate data. Now, to give Anthem some credit, 6 weeks actually isn't too terrible given that the average breach today lasts for about 229 days! But the failure to encrypt sensitive data stored at rest in their database is certainly an epic fail. By now, encryption, or at least a solid plan to begin encrypting, should be a best practice for any company holding sensitive data.
"You essentially have the keys to the kingdom to commit any type of identity theft." – Paul Stephens, director of policy and advocacy at Privacy Rights Clearinghouse, San Diego, CA
Although neither medical information nor credit card data was stolen, the information obtained is still more than enough for cyber criminals to cash in on (think about all of the use cases for SSNs alone). Employer information was also stolen, so who knows what the residual effects will be for the employers as well. They may find themselves at risk of hackers using employee credentials to gain access to protected databases. And just so you know, this wasn't the first time that Anthem has caught some heat. Back in 2013 they were asked to pay a fine of $1.7 million to resolve the online exposure of PHI from over 614,000 people due to weak security.
5 Tips for Improving Healthcare Security From Bitglass
It's quite simple, actually. Healthcare organizations must first see security as an urgent matter and realize that customer trust is not given, but is a privilege. Unfortunately, breaches like Anthem's serve as a reminder of the lack of data security in healthcare organizations. In addition to database encryption, here are 5 tips we have devised for securing data within healthcare institutions:
- Establish comprehensive IT visibility and control over all data transactions
- Control the flow of all information
- Track and protect sensitive data wherever it travels
- Deploy a Single Sign-On solution for increased password security
- Make sure the security solution is easy to deploy and easy to use
We hope the victims of the Anthem breach come through unharmed, and that healthcare organizations take action before it's too late for them.
To learn more about securing healthcare data, visit our healthcare security page.
Product Marketing Manager at Bitglass