Health Care Breaches Expected to Rise in 2015

I’m reporting a lot on the Anthem breach lately (isn’t everyone?), but it’s for good reason, as it’s just the latest flare-up that apparently has experts already diagnosing 2015 as the year in which we will see a huge spike in data breaches of health care organizations (last year the spotlight being on retailers).  Whether or not this turns out to be truly prophetic, it seems in these few short months that this prediction is already being borne out. 

Anthem isn’t the only one so far.  Last month, Premera Blue Cross revealed that it, too, had been the victim of a cyberattack that may have exposed medical and financial data of 11 million customers, including bank account numbers, SSNs, and clinical information.  Oregon-based Advantage Dental also had to notify about 150,000 patients of a recent data breach, while last year (not 2015, I know), hospital operator Community Health Systems also disclosed it had suffered a breach that affected 4.5 million patients.  Of course, neither of those incidents involved actual medical records, which were accessed in the Premera attack, and which fetch a pretty penny on the black market due to their use in insurance fraud schemes.

Anyway, I don’t want to get too bogged down in that; the point is that this is an issue that health care organizations, like everyone else, are going to need to face, particularly with the widespread implementation of electronic medical records (EMRs).  Accuvant vice president of information risk management James Christiansen cited EMRs as just one of the vulnerabilities threatening the “healthcare ecosystem,” due to their ease of access and the fact that their value can be ten times that of stolen credit card information.  The full article is over at Healthline and is well worth a read; it explains several other factors increasing the threat to health care organizations.  Outdated security software is another, and, crucially, so is the fact that many organizations don’t have the necessary protections in place to defend against attacks, prioritizing (reasonably) actual patient health.

Some of these problems have quickly apparent solutions.  Updated systems, software and encryption, for instance, are pretty clear cut.  Others require more effort and, as I’ve said before, perpetual attention.  Meeting the minimum compliance requirements isn’t enough.  Employee awareness training is also needed, especially with phishing scams being something employees still regularly fall for; so is risk analysis regarding weaknesses in the network, access points, etc., and also for spending; so are incident response measures; and so on.  These are important steps that cannot be stressed enough.

Otherwise, in 2015, wildfires will rage across this ecosystem as well.

By: Jonathan Weicher