Health Plan Giant Falls Prey to Cyberattack
Those who work in the healthcare industry know all too well how important it is to protect the health information entrusted to them. That doesn’t make the task any easier. Even large health insurance companies with megabucks to spend on securing their clients’ health information are vulnerable to the attacks of cyber criminals—even Premera Blue Cross.
Premera—an independent licensee of the Blue Cross Blue Shield Association, serving businesses and residents of Alaska and Washington—discovered on January 29, 2015, that it had fallen victim to a cyberattack, exposing more than 11 million individuals to possible identity theft.
As required by law, a breach of this magnitude must be reported to the Secretary of Health and Human Services, and the Secretary must post the breach online. If you take a look at the HHS Office for Civil Rights breach portal, you’ll see that there have been more than 1,100 reported data breaches affecting 500 or more individuals since the portal launched in 2009.
The Premera breach is the second biggest this year. Just days earlier, an Anthem-affiliated covered entity had reported to HHS a breach affecting more than 78 million individuals’ protected health information.
According to Intel Security and the Atlantic Council’s latest report on cyber risks, “about 44 percent of all registered data breaches in 2013 targeted medical companies, with the number of breaches increasing 60 percent between 2013 and 2014,” reports Shirley Li for The Atlantic.
Fight Back Against Cyberattacks
Large corporations have the financial resources to absorb and recover from cyberattacks; most small physician offices do not. Yet private practices face the same risk of data breaches.
On February 12, 2013, President Obama issued Executive Order 13636 “Improving Critical Infrastructure Cybersecurity.” The order called for the development of a Cybersecurity Framework that organizations can use to help reduce and manage their cybersecurity risks.
As a result, the National Institute of Standards and Technology (NIST) published the Framework for Improving Critical Infrastructure Cybersecurity in February 2014. In its own words, “The Framework enables organizations — regardless of size, degree of cybersecurity risk, or cybersecurity sophistication — to apply the principles and best practices of risk management” to make critical infrastructure more secure and resilient.
In parallel with the Framework, the Office of the National Coordinator for Health Information Technology (ONC) continues to develop educational resources around healthcare cybersecurity and risk management. A few examples include:
- “Cybersecure” Training Games
- A website on Mobile Device Privacy and Security, loaded with videos, tips, and other educational materials
- The Security Risk Assessment (SRA) Tool, which helps guide small healthcare practices through the process of conducting a risk analysis as required by the HIPAA Security Rule
- Videos on Contingency Planning and Emergency Preparedness
- Top 10 Tips for Cybersecurity in Health Care
Adopting current security measures and giving employees continuing security education are important first steps in fighting back against cyberattacks.