The impact of the recent cyberattack on health insurance company Anthem is rippling through the industry--but health IT leaders and experts say they're not surprised it happened.
"It was only a matter of time until hackers found out that it's much easier to go after Social Security numbers and personally identifiable information with healthcare providers, which in comparison spend significantly less on security [than in other industries], making them tentatively easier targets," Martin Walter, senior director at network security firm RedSeal, tells CIO.com.
Personal information for roughly 80 million individuals was compromised after hackers broke into an Anthem database. The exposed information included names, birthdays, addresses, email addresses, employment information and Social Security/member identification numbers.
Although this case was most likely caused by outside hackers, Joseph Smith, who retired from his post as CIO of Arkansas Blue Cross and Blue Shield last year, says that poor data habits from company employees are also cause for concern.
"It's always unintentional or innocent, but your biggest risk is your own employees," Smith tells Employee Benefit Advisor. "With Target, the hacker posed as a vendor, someone was duped innocently--and there you go."
Paul Christman, vice president of the public sector at Dell Software, says in a Becker's Hospital and CIO Review article that although huge data breaches steal headlines, healthcare systems will more often face insider threats. "The idea of the black hat hacker going after [a healthcare organization] is relatively rare. We just need to keep better track of the devices that we use," Christman says.
Healthcare leaders must play a bigger role in managing threats of all sizes--and the roles of those involved in internal security will evolve.
"It's really become a business issue," Christman says. "It's something that's now top of mind for not just the CISO or the CIO, but it's really inside the [C-suite] constellation."
Increasingly, chief information security officers are asked to address the board of directors about security threats and preparations without the chief information officer being present, which is "really changing the CISO role from a technical one--particularly at large organizations, but even small ones--to a leadership role and [one of] communication," George McCulloch, former deputy CIO at Vanderbilt University Medical Center and head of the new association, says in an interview with HealthcareInfoSecurity.
"No doubt there will be calls for the CISO and CIO's heads to roll, even though they may have been actively working hard to avoid just such an incident," Thom Langford, director of consulting firm Sapient's global security office, tells Net-Security.org.