Why health insurers are an enticing hack target [Q&A]

In the wake of the recent Premera data breach, in which information for roughly 11 million consumers was compromised, legal and financial fallout looms large both from the company's perspective and a consumer perspective, according to Ken Dort, a partner at national law firm Drinker Biddle & Reath's intellectual property practice group.

"Particularly given the breadth of the information that was the issue with Premera, you may be seeing big class action lawsuits," Dort recently told FierceHealthIT. "We could see some kind of general protection comparable to what the Sony plaintiffs have asked for. Their allegations particularly stated that two years' worth of credit monitoring weren't enough and that this could go on for years and years."

Dort, in an exclusive interview with FierceHealthIT, talks about why payers have become such an appealing target for hackers and what steps healthcare organizations can take going forward to mitigate the damage caused in similar attacks.

FierceHealthIT: How imperative is it that cybersecurity be a top-tier priority for payers, providers and other healthcare organizations?

Ken Dort: This is something that should be at the top end of any C-suite or board of directors' list of considerations. This is something that, given the sensitivity of the data, should be a top-flight effort. While the Anthem and Premera breaches certainly shed light on the situation and should be otherwise pressuring companies to escalate their efforts, those entities should have been focusing on security already.

FHIT: What do you think makes payers, in particular, such an appealing target for hackers?

Dort: In the grand scheme of cybersecurity, the original early targets were the finance companies; the banks. Those companies got ahead of the curve a long time ago, and it's now very difficult to breach any of those entities.

What's next on the hierarchy? Those entities that have medical records. While those aren't as directly remunerative as financial records, where you can actually go in and take money directly, medical files are very valuable on the black market for their ability to enable fraud on the insurance companies. That's why, I think over the last few years, you're seeing a lot more of this nature of breach as compared to financial situations.

As a result, these entities should have been escalating their efforts. The real question now is, what exactly were Anthem and Premera doing? In the case of the former, hackers were able to penetrate 78 million files, which is onerous. Premera, while the penetration wasn't as deep, it was qualitatively much wider in terms of not only contact information, but also Social Security numbers, bank account numbers, as well as actual medical information.

FHIT: What steps can Premera take to remedy the situation?

Dort: From a proactive position, until they know how the penetration occurred, it's difficult to say they should be doing A, B and C. Still, Anthem, on the heels of the breach without knowing the specifics, implemented a lot of top-level protocol implementation such as changing all passwords, changing all access, validation protocols and limiting even authorized access to only two hours at a time; so even if you were supposed to be in their system, your access would automatically time out at two hours.

Those kinds of high-level things Premera likely could do, as well.

FHIT: What kind of fallout could be expected both from a legal and a financial standpoint?

Dort: Obviously if we're talking about bank account information, we could be looking at actual financial theft, in which case the particular financial institutions will likely make their customers whole and then turn to Premera, just like the credit card companies are turning to Target, Home Depot, etc. to make themselves whole following those breaches.

Also, you'll be looking at potential identity theft problems going forward. Particularly in this case, if detailed medical files were involved, you might be seeing payment fraud against the other insurance companies; they may be coming after Premera.

The one thing that always will make a specific case difficult is trying to show that a particular plaintiff's problems can be attributed to a particular breach. You never catch the bad guys where they can exactly lay out what they did with the information. As time passes, it becomes more and more difficult to establish that there is a connection between one breach and a given set of bad facts.

FHIT: Do you foresee more organizations jumping on the cybersecurity bandwagon as a reaction to what has happened in the last eight months?

Dort: All of the clients and the companies with which I'm familiar, I don't think they'll do anything more than what they've already been doing. They've kind of been at DEFCON 5 for a while. I think when these events happen, they become somewhat more sensitized to the situation that they find themselves in. But I don't think, at least at the higher levels of the American business communities, this is causing them to be any more diligent.

Editor's Note: This interview has been condensed for clarity and content.