A few months ago when Community Health System, a large hospital chain, got hacked…I foolishly thought that it would be the moment. Leaders at healthcare organizations would finally start listening to their data security officers, who were channeling Anne Hathaway in The Dark Knight Rises and telling them that “A storm is coming.”
After Community, healthcare organizations were put on literal and metaphorical alert. The FBI sent notices to healthcare organizations, warning that hackers would try to access protected data. Security experts foretold that the hackers were here for your medical data and they weren’t going away. It seemed like a corner would be turned.
In my year-end podcast with Mac McMillan, chair of the Healthcare Information and Management Systems Society (HIMSS) Privacy and Security Policy Task Force and CEO of the consulting firm CynergisTek, I asked him if he thought incidents like Community would finally open some eyes in the healthcare community. He said it had definitely heightened awareness; however, it would still take some time before they caught on completely. I heard similar things from other security experts.
Ahem. You think maybe they’re listening now? I bet today they’ve caught on. These threats are real and they’re (not so) spectacular. Healthcare leaders, IT or otherwise, have to man the fortress. Community’s hack affected 4.5 million patients…Anthem’s? Nearly twenty times as much.
If Anthem’s hack isn’t the moment that turns hacking from a tinfoil conspiracy to a real threat to healthcare organizations, then what will do it? Eighty million customers represent roughly one-fourth of this country’s entire population. It’s the biggest healthcare hack we’ve seen and one of the biggest hacks, period.
Do we know everything there is to know about the Anthem hack? Of course not. Something could come out that exonerates Anthem in some respect. I think they deserve admiration for coming forward quickly and working with the FBI.
One thing we do know, though, is that Anthem’s data was unencrypted. Like many of its healthcare peers, Anthem left its sensitive data exposed. As Trent Telford, CEO of Reston, Va.-based Covata and an Anthem member, put it, it is downright irresponsible not to protect sensitive data through encryption. McMillan added a pertinent observation: “The real question is how does information on 80 million people, which can’t be trivial, leave the enterprise without setting off any alarms?”
Not every organization—in fact, probably 99.9 percent of healthcare organizations—has to worry about protecting the data of that many people. Guess what? That doesn’t matter. If this does anything, it tells hackers of all shapes and sizes that this sector is ripe for the picking. Targeted data sets are just as valuable as large ones.
As I noted a few weeks back, President Barack Obama has shifted cybersecurity into the national conversation. While I was and am encouraged by this, the sad truth is that it’s more likely that Anthem’s disaster—and similar ones to come—will be more effective.
Think of it this way. When you’re in high school, teachers and parents consistently hammer away at your perceived invulnerability. They do so by frequently warning you of the perils of drinking and driving, drinking period, driving too fast, having sex, and generally being a teenage knucklehead. While everyone listens, it usually goes in one ear and out the other. That is, until some idiot wraps a car around a telephone pole. Only then does the message come in loud and clear to teenagers.
Anthem’s hack is that car wrapped around the telephone pole. Maybe now, the teens will start listening.