By now, you know the gory details: Hackers gained access to personal data for 80 million Anthem customers. You know the response, too: "Why wasn't the data encrypted? The data should have been encrypted!" (Partial credit if you said, "It wasn't a matter of if, but when.")
Yes, encryption would have ensured that the information looked like gobbledygook and not names, birthdays Social Security numbers and the like. But a deadbolt on the front door does no good if the windows are wide open and the back door is unlocked. A deadbolt is useless if you invite the robber in and offer him a cup of tea. A deadbolt doesn't matter if you store your valuables in an unlocked shed in the front yard.
Payers are particularly vulnerable to data breaches, given the value of the sensitive information they possess. (Medical data is worth much more on the black market than a Social Security number.)
They don't have to be.
In an email, Shaun Greene, chief operating officer of Salt Lake City-based Arches Health Plan and a member of the FierceHealthPayer Advisory Board, offered up eight best practices for protecting against potential hackers at what he calls a "sobering" time for the industry.
- Engage your board of directors with the chief information security officer. This helps the board understand the evolving threat landscape.
- Use as many layers of protection as you can. Yes, this means encryption--of data at rest and of backups, down to the column level in databases, and not just data in motion--as well as Web application firewalls, intrusion prevention and detection systems, and physical and logical access controls, to name a few. (You wouldn't go outside in Boston's latest blizzard in a T-shirt, would you? You need layers.)
- Make penetration and application vulnerability testing an ongoing priority. You can do this by incorporating these processes into operational analysis. "Board members and executives must know where failures exist and address the findings," Green said.
- Hire third parties to conduct your HIPAA risk assessment. That way, you avoid internal posturing and receive objective feedback.
- Don't use the cloud to store data from applications that require strict security standards. Store this data on company-owned storage.
- Follow Open Web Application Security Project (OWASP) standards if you develop applications. As its name implies, OWASP aims to make software security open and visible so that consumers, developers and other key stakeholders understand security risks and make informed decisions about what and what not to do.
- Train your employees. This is admittedly difficult, but it's essential. "We must make sure all employees understand that they are a favored vector of attack from the world's cyber criminals via email," Greene said. Make sure employees know the basics--don't open attachments from anyone they don't know, don't say anything in an email that you wouldn't want to read on the front page of the newspaper, and so on--and provide training as often as you can.
- "Create a culture of security to demonstrate the company's commitment to data security," Greene concluded. "Employees are smart. If they see senior-level executives not taking this seriously, neither will they."
It's a scary world out there. With a bit of training, a willingness to accept responsibility and a heightened level of awareness, we can keep the robbers away from the front door, the windows, the shed, our tea and, above all, the information they so dearly want in the first place. --Brian (@Brian_Eastwood and @HealthPayer)
Lawmakers to rethink requiring encryption in HIPAA
Security experts on Anthem breach: The biggest threat lurks inside your company
Details emerge in Anthem hack
Anthem hack compromises info for 80 million customers
Employees could leave health systems vulnerable to hacks
3 emerging threats to healthcare privacy and security
Cyberattacks highlight changing dynamics between CIOs, CISOs