Home » Healthcare » Healthcare Data in the Cross-Hairs

Healthcare Data in the Cross-Hairs

Posted on:February 5, 2015
Posted in:Healthcare, Security
Posted by:Christopher Budd (Global Threat Communications)

Today we’ve learned that up to 80 million customers and employees of Anthem health insurance have had their personal information stolen. Initial reports indicate that the data loss includes names, birth dates, Social Security numbers, addresses and employment data including income.

All the information you need for effective identity theft.

The exact number of records lost is still being determined but Anthem themselves say it’s likely in the “tens of millions.”

The potential number of records and the type of information lost already make this, arguably, the worst data breach in US history, from an identity theft-risk perspective.

But two things make this situation even worse and should raise red flags.

The attack targeted data held by a health care organization demonstrating that attackers correctly recognize this environment is the “mother lode” when it comes to personal information. In the US, we’ve traditionally been conditioned to hand over critical personal information to health care organizations without batting an eye. What’s more, we hand over not just our information but our family. If successful identity theft is a goal, there’s no better data to steal than this.
This attack was against the largest for-profit managed health care company in the Blue Cross and Blue Shield Association, and the second largest health insurance company in the U.S. It isn’t a small “mom and pop” operation—this is the company with a tremendous amount of resources. Anthem is a big gun. Indications are that this was a sophisticated attack, which means that this established entity has been victimized in a major way. The big gun was outgunned. And, if an organization of this size can fall prey, the entire industry should be concerned.

Nearly a year ago, the FBI issued a warning that the health care industry was at risk. With today’s announcement we see that warning was well founded. And, we see what the consequences of a successful attack look like. Most of all, we see that this is a risk the entire industry faces—size and sophistication don’t matter.

Health care organizations need to heed the FBI’s warning from last year and put in place not just protections to prevent intrusions but countermeasures to detect when these intrusions take place. Even as we write, the odds are good that the networks of other healthcare organizations have already been breached and that data is being siphoned. The real question is how long it will be before we hear about it.

A lesson that the health care industry can take from last year’s retail data breaches is to collaborate and share information broadly, quickly. We know the attackers share information. And, while health care does have an information sharing and analysis center more can always be done.

The Obama administration has recently called for more legislation to boost cybersecurity defenses and data breach notification. Because health care is such a heavily regulated industry, this latest event shows how important it is for these initiatives to include strengthening security around healthcare data.

This may be the first large healthcare data breach. But it won’t be the last. We have a chance to avoid a repeat of history that inflicted the retail industry if the health care industry moves quickly and in partnership with public and private organizations. For additional information click here.

Please add your thoughts in the comments below or follow me on Twitter; @ChristopherBudd.

Healthcare Data in the Cross-Hairs

Security Intelligence Blog

Featured Authors

Trend Micro In The News

Healthcare Data in the Cross-Hairs

Related posts:

Security Intelligence Blog

Featured Authors

Trend Micro In The News