Health care providers have been hot and cold with respect to protecting patient data of late, as many have made progressive moves to protect their systems and information, while others have lagged behind in this regard. Although retailers and others have had their own struggles, health care is likely the most at-risk sector given the much higher value of patient data on the black market than standard financial information.
Some of the more damaging breaches from the past few years have taken place in the medical industry and many of these events have been caused by lackluster security controls and strategies on behalf of the victimized firms. It is worth noting that there is simply no way to completely protect an organization from any chance of experiencing a breach, but this does not mean that firms can balk at investing more into defense and fortifications.
The objective of IT strategies in health care should be two-pronged - the first is to minimize the threat of data loss, and the second is to ensure that speedy identification of breaches is achievable. The most damaging events tend to be the ones that last for long periods of time without being detected. Simple controls such as monitoring solutions, secure cloud services, email encryption and the like can go a long way toward minimizing the potential for breach, and the damages that follow.
Another one down
CIO Magazine recently reported that the University of California at Los Angeles Health system has experienced a relatively large breach, with investigators estimating some 4.5 million individuals to be potentially impacted. As the event took place such a short time ago, this number has not been pinned down yet, which is also a sign that the health care provider's systems might not be quite as protected and consistently monitored as it should have been.
According to the news provider, as has been the case in many similar breaches this year, the firm's leaders know that the hackers did break into systems containing sensitive patient data, but are not sure if any was actually stolen. What's more, the source noted that the event is believed to have taken place in October 2014, and the Federal Bureau of Investigation has been assisting UCLA Health in its endeavor to reconcile the matter.
Another trend reflected in this story relates to the response. CIO Magazine pointed out that UCLA Health is now offering customers free fraud prevention solutions and protection in the wake of the event's disclosure, and many other affected organizations have taken a similar approach to handling the aftermath.
Anthem's next move
Blue Cross Blue Shield was breached this year as well, and Modern Healthcare recently reported that the health system is now offering monitoring and identity security services to ease the concerns of its more than 100 million-strong client pool. Now, while this is not the worst way to go about weathering the storm of a breach, it is certainly not ideal.
Studies from earlier this year indicated that some executives in certain industries had run cost assessments on breaches and security solutions, believing that simply dealing with an event should it occur would be more financially sound. This is somewhat of a strange belief, as the direct and indirect costs of reconciling a breach that has occurred are massive, and transcend simple financial matters into the realm of brand reputation management and public trust.
Health care providers must begin to become a bit more aggressive in their security endeavors, or run the risk of being the next big victim of a breach.