Tuesday, February 10, 2015

Forget Waldo, where's HIPAA?

Insurance companies place
Customer information at risk


IN A NEW YORK TIMES ARTICLE headed "Anthem Hacking Points to Security Vulnerability of Health Care Industry" we learn that the cyber attack on Anthem, one of the nation’s largest health insurers, points to the vulnerability of health care companies, which security specialists say are behind other industries in protecting sensitive personal information.

Where are the largest databases of Americans' personal information outside of government computers? Health care providers.

Now, with all tax-paying Americans obliged to have health insurance or face a tax penalty, information on all of them can be found in one insurer's database or another.


HIPAA, a/k/a the Health Insurance Portability and Accountability Act of 1996, is supposed to have rules in place to protect patients' personal information. Although the protection is focused on medical records, all individually identifiable patient information - and that includes Social Security numbers, addresses and dates of birth - is covered by the mandate, and its Security Rule applies to that information whenever it is stored or transmitted electronically.

Good grief; many medical practitioners and businesses won't even send or accept emails due to HIPAA penalty paranoia. (Faxes are OK, despite the fact that anyone passing by the fax machine can read incoming and outgoing pages left lying in the area. Seems Dilbertian to this scrivener.)

Yet hackers - Chinese, if the Times article is to be believed - gained access to up to 80 million records that included Social Security numbers, birthdays, addresses, email addresses, employment information and income data for customers and employees, including Anthem's own chief executive.

I confess to being amused by the fact that Anthem's "own chief executive" was among the victims. Perhaps this executive will lead the way to find means to secure health care information - for Anthem and for other companies.

Apparently, Anthem and other health care companies had become increasingly aware of the criminal value of the information they hold, in light of the large cyber attacks against financial services companies like JPMorgan Chase and retailers like Target, according to Thomas Miller, Anthem’s chief information officer.

That, of course, raises the question: if "Anthem and other health care companies had become increasingly aware of the criminal value of the information they have," why didn't they aggressively work to protect that information?

According to Miller, Anthem was actively considering encrypting its internal database as well as taking other steps to improve its security. Note that HIPAA's Security Rule does not actually require that step: encryption of stored electronic health information is an "addressable" specification, which a covered entity may decline to implement so long as it documents why and adopts an alternative it considers equivalent. Note, too, what encrypting a database at rest does and does not buy: it protects against stolen disks and backup tapes, but not against an intruder who queries the live system with a legitimate user's credentials, because the application decrypts the data for whoever is allowed to ask.

Katherine Keefe, a global focus group leader for breach response services at Beazley, which underwrites cyber liability policies, said health care companies were attractive targets for hackers because the information health providers maintain about consumers tends to be more valuable on the black market than credit card numbers stolen from a retailer. The reason is simple enough: a compromised card can be cancelled and reissued; a Social Security number and date of birth cannot.

The problem at Anthem, based on the Times' piece, is that while executives apparently KNOW corporate databases are vulnerable, they are dragging their heels in actually remediating the vulnerabilities. Perhaps if more executives had their own information compromised they would go from "considering" action to "doing" something to protect their, and their clients', information.
