Health Care: The soft underbelly of cyber security

April 20, 2015
Risk Management
From the April 2015 issue of HealthCare Business News magazine
John DeGaspari

Has the health care industry entered the big leagues of cyber warfare?
Two major incidents over the past several months suggest that it has, serving as a wake-up call to the IT departments and C-suites of the nation’s health care organizations that are now scrambling to assess their vulnerabilities to cyber attacks.

On January 29, Anthem Inc., one of the nation’s largest health insurance companies, found itself at the center of every chief information security officer’s worst nightmare: it discovered that cyber criminals had infiltrated its network and stolen 80 million health records, putting roughly one-fourth of the U.S. population at serious risk of identity theft.

Anthem’s incident followed on the heels of another massive breach, when Community Health Systems, one of the largest publicly traded hospital systems in the U.S. with 203 affiliated hospitals, confirmed in July that it was the target of a successful hack that bled the company of 4.5 million health records.

The sizes of these two breaches dwarf a long line of incidents that preceded them. The U.S. Health and Human Services Office of Civil Rights has documented more than 1,150 breaches each affecting at least 500 individuals between October 2009 and February of this year. The vast majority of those breaches, which have impacted provider organizations, their business associates, and health plans, typically range from thousands to tens of thousands of patient records compromised.

The question is, do these latest incidents point to a new threshold in the size and sophistication of cyber attacks? And if so, how prepared are health care organizations to counter those threats?

A new cyber-threat era dawns
Neither Anthem nor Community Health Systems responded to requests for interviews. But Laura Galante, manager of threat intelligence for FireEye, a cyber security firm that has worked with both companies, says the incidents indeed represent a turning point for the health care industry.

While she declined to comment on Anthem, whose investigation is active, she notes that Community Health Systems has publicly stated that it suspects the attack originated from a hacker group in China. If that were the case, it would be a departure from state-sponsored hacker groups that historically have set their sights on pharmaceutical research, drug development and health care manufacturing.

The CHS breach points to a change in focus for state-sponsored groups, she says, because the hackers were apparently interested in getting personally identifiable information. Such data has traditionally been the prize sought by cyber-criminal groups that typically operate out of Eastern Europe, are not affiliated with the state, and aim to monetize the information. What’s behind the latest incident in terms of motivation is still a matter of debate in the security industry. Yet she and other security experts interviewed for this article are certain of one thing: health care is less prepared than other critical industries.
