In light of the recent Anthem and Premera cyberattacks--in which hackers stole personal information of millions of members--one thing, among many others, is clear: The healthcare industry as a whole needs more sophisticated tools to better understand the threat landscape.
"We need to have clearer sources of actionable threat data so we can detect the threat and understand the motivation behind why people are coming after certain types of data," Lisa Gallagher, vice president of technology solutions at HIMSS, told FierceHealthPayer in an interview.
This requires a focus on the bigger picture. It's easy to talk about data security on an individual organization's level, Gallagher said, but it needs to carry outside an organization's four walls and across the board.
"As an industry, all organizations--payers, providers, everyone--need to get to the next level of sophistication with regards to security risk management. There needs to be different compliance and periodic risk assessment requirements moving forward," she noted.
Take precautionary measures
Payers specifically can use the Anthem and Premera attacks as stepping stones when determining how to take precautionary measures to fight such attacks.
Communication is key. It's important to have the right staff and resources in place to allow for clear, streamlined communication. Gallagher used Anthem as a good example of this approach. The insurer reached out to potentially hacked members and let them know that another attack may be on the way. It told members not to click on fishy emails or links, and to tell Anthem if they received any communications that were out of the ordinary.
"This was very proactive on Anthem's end," Gallagher mentioned. "This was able to help members understand next steps and also help members feel more connected to their insurer. Ultimately, people want to feel safe."
While communicating to members early on is crucial, so is internal engagement. To thwart potential hackers, payers need to train their employees to understand that they are a favored vector of attack. Make sure they know the basics and, of course, provide training as often as possible, Shaun Greene, chief operating officer of Salt Lake City-based Arches Health Plan and a member of the FierceHealthPayer Advisory Board, previously told FierceHealthPayer.
Build trust, manage risk
But building a trusting relationship takes time. To do this, payers should take advantage of technology to both protect their members and promote innovation, Jim Routh, chief information security officer of Aetna, said during a panel discussion at AHIP's National Health Policy Conference in the District of Columbia earlier this month.
"We need to realize where we are in terms of cybersecurity and then get to that next level," Gallagher said. "This is not just about compliance--payers need to understand that, because they are connected to the Internet, there are risks that need to be managed."
"This will be an ongoing battle that the industry will continue to fight everyday," Gallagher added.