Expert reveals secrets health care executives must learn from Anthem's data breach

by Lauren Dubinsky, Senior Reporter | February 17, 2015
Health IT Risk Management
In late January, Anthem, Inc. was hit with a large-scale, sophisticated cyber security attack. Names, dates of birth, Social Security numbers, health care ID numbers, home addresses, email addresses, employment information and income data were stolen, leaving customers in a frenzy.

There is a lot every health care industry executive should learn from a breach of this scale. DOTmed News spoke with Michelle Foster Earle, president of OmniSure Consulting Group, about what Anthem could have done differently and what other hospitals and insurers should do if they experience a breach.

One solution that could have prevented Anthem's breach is called "two-factor authentication," which requires the system administrator to use a personal device to verify their identity before they can use an administrator password to log into the system. However, Earle isn't aware of any health care providers using this method yet.

But sometimes a breach is inevitable, no matter what precautions are put into place. If a hospital or insurer is hit with a breach, Earle thinks the first thing they should do is stop the bleeding by shutting down access where possible, changing passwords and informing the authorities.

Next, they need to inform the public of the breach through social media, which is something Anthem did very well. The CEO of Anthem, Joseph Swedish, spoke out about both what they knew and what they didn't know.

"[People] want to hear what's happening straight from the company they trusted," said Earle. Immediately after the breach, Anthem took every step to protect its customers, with a microsite, notifications, and assurances about what it would do to monitor and protect them going forward.

Earle recommended that all health care systems have in place a crisis management plan that covers cyber breaches. It should include a detailed approach to communicating the breach in a consistent and transparent manner.

But the best risk management advice she can give is to get cyber liability insurance if you can't predict or control the breaches. Anthem has insurance, but some health care systems do not.

The health care industry is behind the curve when it comes to cyber security. "Health care providers don't think like criminals," said Earle. "But health care is a very inviting target for hackers, who can get so much more than credit card numbers and personal information."

She explained that the industry has to put up as many barriers as possible to decrease the ease, frequency and severity of the attacks.

Health care systems have been slow to implement those barriers because they can be expensive and disruptive to care. Even though cyber liability insurance is a good option, many systems don't know how much coverage they need or how to budget for it, so Earle thinks it may take regulatory action to enforce coverage.

"But once the insurance companies are involved, we're likely to see more attention focused on risk management and loss prevention," she said.