A cyberattack by an unknown entity compromised critical Anthem BlueCross data in the latest cybersecurity incident to hit the headlines. ZDNet reported that the attack was carried out by hackers who used stolen passwords to infiltrate Anthem's database and steal personal information pertaining to old and new clients and employees.
The security of electronic documents related to the healthcare industry has been a huge concern. HIPAA compliance is regarded as a top priority for health organizations, as the legislation lists procedures and regulations for companies using electronic health records to keep the data from being stolen.
ZDNet reported that the data stolen were Social Security numbers, dates of birth, email addresses and physical addresses, although they did not include medical data or financial information. The source mentioned that the Social Security numbers in the database were unprotected, despite the fact that such high-risk information is typically encrypted.
Healthcare organizations often do not see security as a top priority, which leads to situations like Anthem's. This lack of security is most likely due to the belief that hackers are focused on other industries, but unfortunately, this is no longer the case.
"As banks spend more on IT security, they naturally become more difficult targets for hackers," John Gunn, vice president of communications for VASCO Data Security International, told Dark Reading. "As banks become more secure, alternative targets such as healthcare and insurance providers become much more attractive targets for hackers."
Making it more difficult for hackers
Dark Reading added that even companies that do make security a priority do not use enough resources to deter hackers. The criminals are still capable of finding holes in these firms' systems to launch large attacks, all because healthcare companies have predictable ways of working with one another.
For example, insurance agencies have a complex network of clients and companies. While an agency itself is likely to have a good security program, the companies involved with it are less likely to. Hackers have the ability to get to the smaller, weaker companies through the insurance agency.
"Given the tangled web of connections among healthcare service organizations, payment, and insurance providers, it's not hard to see how a simple configuration oversight can lead to a major data breach and HIPAA violation," Ivan Shefrin, vice president of security solutions for TaaSera, told Dark Reading.
Organizations need to update their cybersecurity programs and find better ways to protect patient information in order to achieve and maintain HIPAA compliance. Email encryption and compliant email are ways to protect data when communicating with clients and colleagues.