Guest post by Divan Dave, CEO, OmniMD.
Here’s what we know. In the Anthem hack, an estimated 80 million records were stolen. The Anthem hackers took information on both employees and customers, including names, addresses, email addresses, birth dates, medication history, employment details, family relatives and more. But while most hackers steal financial data for spending sprees, these hackers had next-step intentions: the stolen data served as the basis for phishing emails, sent from the victims’ official email accounts, with attachments that installed malware, gathered even more personal information, and then propagated across entire networks. So now what?
Know the facts. According to Privacy Rights Clearinghouse, from 2006 up until Anthem, about 6.6 million records had been exposed in 79 medical-related breaches of the hacking or malware type. Last year, Community Health Systems Inc. announced a large data breach of its health system compromising data for 4.5 million patients, and now Anthem has reached the 80 million mark. Attackers like targeting EHRs because the records are highly profitable compared to other forms of information. For example, a single credit card record is valued at about $1 on the black market. However, according to various sources, a partial or complete EHR can generate $50 to $100 on the black market. The high price is because healthcare data includes personal identity information and sometimes carries credit card information along with insurance and personal health information. So, while financial information can be tracked and secured following a breach, healthcare information cannot be as easily tracked and resolved.
Current mandates. Every EHR provider should safeguard data and information with HIPAA-compliant communication protocols, 128-bit encryption and public key authentication. As per the HIPAA norms of strong-grade encryption and authentication, providers should meet all the regulatory requirements that enable security and confidentiality. Scheduled backups of the data are essential to keeping records and information from being lost or destroyed.
Enhance above and beyond; these hackers are skilled and motivated. Clearly, it will never be enough to have only government-mandated security systems. In addition to keeping up with the continuous compliance updates that incorporate new and revised regulation in meaningful use, ICD-10 and the ACA, we need to keep up with security beyond the mandates too, because against the fierce determination of hackers there can never be enough security in our systems. In light of Anthem, healthcare IT providers should anticipate immediate action items in regulation to address encryption of data and implementation of unique identifiers for patients. These will help consolidate patient health information from various sources and move towards true interoperability. Organizations need to conduct mandatory training of all employees on HIPAA, HITECH, ISM’s security and privacy, and policies and procedures. Additionally, companies should have internal technology security assessments and remediation. And, at least once a year, a third-party (external) security assessment and remediation should be conducted. Also, organizations should make sure they have a BAA (HIPAA Business Associate Agreement) signed with every partner. And, if possible, have audits done on-site by the Electronic Healthcare Network Accreditation Commission (EHNAC).
The sophistication of this hack-attack on the healthcare industry is unprecedented and a wake-up call for every EHR and healthcare IT provider. But now that our eyes are open, it’s time to act. While it may not be necessary to actually “hire a hacker” to find out your vulnerabilities, having checks and double checks is no longer a luxury, but a necessity.