What the Anthem Breach Means To Healthcare ProvidersWednesday, February 18, 2015
Since Anthem announced that it experienced a record-setting data breach, reactions to the news have ranged from panic to apathy. As providers who likely exchange information with Anthem in the course of business, you are probably thinking about how this breach changes the IT security landscape for your organization. If you're not, please do. Once you are, consider the following.
You may be taking comfort in statements made by Anthem officials that they do not believe that any health-related data was breached. Don't. These statements are in no way guarantees. Even if these statements were proven true tomorrow, the breach is extremely costly for Anthem now and will be for years to come - just as a breach would be for your organization. Even if hackers view your organization as an access point for information that allows them to steal an identity rather than a treasure trove of health data, your organization remains a target. While risk assessments and other compliance requirements under the HIPAA Security Rule are a good start toward responsible IT security in healthcare environments, they are only the beginning.
As a healthcare organization, you also should:
- be aware of events in your cyber ecosystem;
Pay attention to what is happening in the cyber security environment, especially to organizations like yours and organizations that interact with yours. Learn from their experiences. In the case of this breach specifically, take time to visit https://www.anthemfacts.com; understand what actions Anthem is taking in response to this breach; and decide which responses might fit your organization in case you find yourself in a similar situation. Understanding Anthem's response also will help you to properly inform your customers and stakeholders, who will certainly have questions.
- make sure your organization is compliant with regulations other than HIPAA that may apply (PCI jumps to mind), and that you are regularly reviewing your IT security posture in the context of those regulations;
- implement the controls designated as "Optional" in the HIPAA rules;
View these controls as guidelines for next steps to improving your security and privacy posture. If that's not convincing enough, those items that are optional now are the most likely to be required the next time the standards are made more rigorous.
- be paranoid; and
IT security guru Bruce Schneier has often said that you have to be a little bit paranoid to be effective in IT security. So, put yourselves in the shoes of a potential attacker. Think critically about your IT environment. Doing so will absolutely improve your security posture.
- continue to invest in IT security.
If Anthem's breach results in additional funding for that purpose, then great. Regardless of funding, set aside time every day to focus on security. Look at security models from other industries. Join IT security-related organizations. Take a look through the lens of security at a little used service or node on your network. Like exercise, any time you can spend on the security of your IT environment is better than spending no time on it.
George Bailey, MS, CISSP, GCIH, CHP, is an information technology security professional with more than 17 years of experience in network security, remote access, wireless security and incident response. Bailey serves as Senior Advisor – Security Services at Purdue Healthcare Advisors, where he oversees and implements security solutions for the healthcare industry.
Writer: George Bailey, 765-494-7538, firstname.lastname@example.org
Tags: Health IT Security