Cybersecurity threats have certainly been front-and-center in the news lately. The latest in a Hit Parade of large corporations to acknowledge a breach, Sony Pictures, has reached the international stage with the reported involvement of North Korea. As noted by HCI Editor-in-Chief Mark Hagland in his recent blog post, the Sony Pictures incident is evidence that hackers from increasingly sophisticated sources, including hostile foreign governments and criminal syndicates, are presenting escalating data security threats—and the healthcare industry is in their sights.
It’s against this backdrop that I found the news about an earlier data breach involving JPMorgan Chase interesting—and I think there are parallels to healthcare. As reported by the New York Times, that attack, which occurred last summer, was the largest intrusion involving an American bank to date.
Early in the investigation, the bank’s security experts, working with the Federal Bureau of Investigation (and also the National Security Agency, since the bank is considered part of the nation’s “critical infrastructure,” according to the Times), suspected involvement by a sophisticated state-sponsored adversary, possibly Russia. By October, though, Russia’s involvement was ruled out.
Instead, attention is now focused internally, and the investigators think the breach might have been thwarted by a simple security fix. Apparently, the weak link may have been a neglected server that was not upgraded with a dual-password scheme. The investigation is continuing, but a few red flags have emerged, according to the Times.
One is that the breach occurred during a period of high turnover in the bank’s cybersecurity team. It’s also possible that vetting of outside vendors was an issue: the same group of hackers that penetrated the JPMorgan network attacked JPMorgan’s Corporate Challenge charitable race website, which was run by a separate company. Another issue is related to the bank’s size, and the difficulty of securing the networks of companies that had been acquired. In JPMorgan’s case, the name “Bank One”—a bank that was acquired in 2004—still appears in a web URL, according to the Times.
One commenter on the Times story raised an interesting point: the size of an organization is indeed an issue, but the real underlying issues are the complexity and governance of the IT environment. Large banks that have grown through M&A are facing complexity and governance issues in the IT environment, and the true costs of merging the infrastructures are often not built into merger deals. Meanwhile, there’s pressure to show a return on the investment, and often there is insufficient time or money to integrate the systems or fix vulnerable technology.
If the size of an organization matters, especially in industries where there is a lot of M&A activity, it’s an important issue in healthcare. After all, there has been a lot of consolidation among hospital systems, and mergers are occurring horizontally as well, with large health systems buying up health plans—and vice versa.
Bloomberg News first reported the JPMorgan breach in August, an attack that compromised the account information of 83 million households and small businesses. Coincidentally, Community Health Systems, which operates 207 hospitals in 29 states, reported in July a data breach involving 4.5 million patient records. Class action lawsuits began to be filed in October, and the health system faces an estimated $150 million in losses.
Mary Potter, information security officer of the Roanoke, Va.-based Carilion Clinic, believes that data governance is a critical part of securing data in provider organizations. In a recent webinar, she said that data needs to be communicated to the highest levels of an organization, and framed for upper management in a way that makes sense from a healthcare perspective. One of the biggest pieces of data governance, especially from the viewpoint of data security, is having the right people deciding what the risks are, what data is going to be collected, where it will be stored, who is going to use it, and how it will be shared and with whom, she said.
Given the complexity of healthcare provider organizations and the challenges of integration of IT infrastructures, I think that is a good place to start.