Beyond Compliance: HIPAA after Anthem
Healthcare providers and insurers are under increasing attack by cybercriminals. It’s time to admit that healthcare IT needs security reinforcements – and needs them quickly.
The Anthem breach reported in the media on Feb. 5 came on the heels of the Community Health breach. What’s disturbing is that these incidents both appear to be linked to sophisticated, targeted attacks by state-sponsored cybercriminals from China rather than the work of random hackers looking to cause a temporary disruption in service. They’re after data, and the way they’re going about it can take months to discover. That means that right now, at this very minute, data from another provider or insurer may be making its way out of the country, and we don’t know it.
Some report that this disturbing trend may be related to efforts by the Chinese to build a larger database of U.S. citizens for espionage purposes. Others claim that these attacks are driven by the fact that patient health information is more valuable than financial data. It may be both. What’s staggering is that the sophistication of the hackers, in many cases sponsored by China, Russia and other governments, continues to increase rapidly as the attacks themselves get stealthier.
Healthcare IT professionals are an essential component of healthcare delivery. They make sure that healthcare providers have the information necessary to care for patients. They are responsible for ensuring that mandated technology initiatives such as implementing electronic health records and transitioning to ICD-10 are completed successfully. That is a full-time job all by itself.
Health IT managers all over this country are at a crossroads. In addition to their daily responsibilities, they must also have all the knowledge, training and experience to fend off state-sponsored cybercriminals. Even with experienced security professionals on staff, many organizations lack the tools, defensive systems, monitors, dashboards and manpower to really know what’s going on in their networks at any given moment. In many cases these really smart, hardworking professionals are outgunned.
It’s time for healthcare executives to look in the mirror and ask themselves if they and their teams can stand up to these constant threats or whether they need to call in reinforcements. One viable solution is to move their data (and the responsibility for protecting it) to the cloud. A cloud service provider, especially one with specific expertise in healthcare, will already have the expertise and redundant security systems in place to protect health data at a much higher level. They don’t have the responsibility of keeping the applications running for users, so they can focus on the data itself, making sure it is available to authorized users and protected from state-sponsored cybercriminals and others who want to steal it.
It’s also time for the U.S. government to take cybersecurity up a few notches and help private industry defend itself against state-sponsored attacks. It is difficult for any private enterprise, even the largest ones, to compete with the resources of a government-sponsored entity. By getting involved more directly, the U.S. government can take some of the pressure off healthcare organizations and help tip the balance back in our favor.
It’s time to hunker down, get to know your weaknesses and rapidly remediate.
Published: February 15, 2015
http://www.healthmgttech.com/articles/201503/beyond-compliance-hipaa-after-anthem.php