by Paddy Padmanabhan

Premera data breach: 3 things healthcare enterprises could do

Mar 20, 2015
Data and Information Security, Data Breach, Healthcare Industry

The issue of infrastructure and information security has now climbed to the very top of the CEO’s agenda in healthcare organizations. Here are three things that healthcare enterprises could do as they prepare to take on this challenge.

This week, Premera Blue Cross announced that it had been the “victim of a sophisticated cyber-attack” that had impacted some 11 million records. A few weeks ago, Anthem, another large health insurer, had revealed that it had also been the “victim of a sophisticated cyberattack”. Translation: their systems were hacked and healthcare data was stolen. In Premera’s case, the initial data breach took place as early as May 2014, and in Anthem’s case, it went as far back as 2004. There has been speculation that the same group may be behind both attacks.

I believe that healthcare IT systems are fragile and highly vulnerable today. This, combined with the sophistication of hackers and the rising attractiveness of healthcare data in the black market, makes healthcare a huge target for disruption in 2015.

While healthcare costs in the U.S. as a percentage of GDP are the highest in the world, healthcare IT spend as a percentage of revenues is among the lowest across industry sectors. Healthcare CIOs are constantly challenged to do more with less, and face budget cuts year after year. They typically respond with one or more of the following actions, purely to reduce costs: outsource IT functions to an offshore provider, lay off IT staff, or postpone IT asset refresh.

The last one has the most potential to wreak havoc on healthcare IT.

In the case of Premera, it has been reported that federal authorities had warned the insurer about security concerns in its IT infrastructure as part of a routine audit. The report had identified several issues related to out-of-date patches and software updates. What’s more, many of the systems were no longer supported by the systems vendor.

End-of-life and out-of-support software and hardware are a reality of the healthcare IT environment today. CIOs are compelled to “sweat” the assets as long as they can simply because there is no budget available for systems upgrades.
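The audit finding described above (out-of-date patches and systems past vendor support) is the kind of condition an enterprise can detect itself long before a regulator or an attacker does, provided it keeps an asset inventory with support-end and last-patched dates. The script below is an added example, not code from the article or from Premera; the hosts, products, dates and the risk-weighting scheme are constructed assumptions chosen to illustrate the check, and the reference date is the article's publication date.

```python
"""Flag out-of-support and unpatched systems in an asset inventory and rank
them for remediation. Added illustrative example; inventory is constructed."""
from datetime import date

# Reference date for the assessment (the article's publication date).
REFERENCE_DATE = date(2015, 3, 20)

# Maximum days a system may go without patching before it is flagged (assumed SLA).
PATCH_SLA_DAYS = 90

# Constructed sample inventory: hypothetical hosts, products and dates.
INVENTORY = [
    {"host": "claims-db-01", "product": "ExampleDB", "version": "9.1",
     "support_ends": date(2014, 1, 31), "last_patched": date(2013, 11, 2),
     "holds_phi": True, "internet_facing": False},
    {"host": "member-portal-01", "product": "ExampleWeb", "version": "4.2",
     "support_ends": date(2016, 6, 30), "last_patched": date(2014, 9, 15),
     "holds_phi": True, "internet_facing": True},
    {"host": "hr-intranet", "product": "ExampleCMS", "version": "2.0",
     "support_ends": date(2017, 12, 31), "last_patched": date(2015, 3, 1),
     "holds_phi": False, "internet_facing": False},
]


def assess(asset, as_of):
    """Return the list of lifecycle findings for one asset as of a given date."""
    findings = []
    if asset["support_ends"] < as_of:
        findings.append("out-of-support")          # vendor no longer ships fixes
    if (as_of - asset["last_patched"]).days > PATCH_SLA_DAYS:
        findings.append("patch-overdue")           # fixes exist but were not applied
    return findings


def risk_score(asset, findings):
    """Weight findings by exposure: PHI on the box and internet reachability
    each raise the multiplier (assumed scheme, not a standard)."""
    base = 0
    if "out-of-support" in findings:
        base += 3
    if "patch-overdue" in findings:
        base += 2
    multiplier = 1
    if asset["holds_phi"]:
        multiplier += 1
    if asset["internet_facing"]:
        multiplier += 1
    return base * multiplier


def remediation_queue(inventory, as_of):
    """Return (host, score, findings) tuples for flagged assets, highest risk first."""
    rows = []
    for asset in inventory:
        findings = assess(asset, as_of)
        if findings:
            rows.append((asset["host"], risk_score(asset, findings), findings))
    rows.sort(key=lambda row: row[1], reverse=True)
    return rows


if __name__ == "__main__":
    for host, score, findings in remediation_queue(INVENTORY, REFERENCE_DATE):
        print(f"{host:20} score={score:2} {', '.join(findings)}")
```

On the constructed inventory the database host that is both out of support and unpatched ranks first, the internet-facing portal that merely missed its patch window ranks second, and the recently patched intranet box produces no finding. The same structure extends naturally to a real CMDB export, with the weights tuned to the organisation's own risk appetite.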

Fortunately, it is not too late. Because of the high-profile nature of these recent data breaches, I have to believe that the issue of infrastructure and information security has now climbed to the very top of the CEO’s agenda in these organizations. Consulting firm Deloitte has reported that enterprises will quadruple down on data security in 2015 as part of a “supertrend.” However, it would be naïve to think that CEOs will miraculously find the tens of millions required to quickly remediate the systems. This is going to play out over time.

The problem is further compounded by the following:

–Explosion of data: EMR data, consumer health data from wearables and other devices, and Internet of Things data will soon overwhelm healthcare enterprises.

–Data integrity compromises: if hackers can access the data, they can tamper with it as well. The implications for patient safety arising from the use of faulty medical records are a disturbing thought.

Here are three things that healthcare enterprises could do as they prepare to take on this challenge:

–Explore cloud options: Regardless of how much money they invest, healthcare enterprises will be playing catch-up when it comes to the use of the most current technologies and infrastructure. Cloud service providers like IBM, Amazon and Microsoft have the robust infrastructure in place to defend themselves against cyberattacks effectively. To start with, healthcare CEOs and CIOs should consider deploying newer applications, such as analytics, on the cloud.

–Strengthen the role of the Chief Information Security Officer (CISO): In most organizations, CISOs are part of the CIO organization, and are subject to the same pressures as the CIO in terms of budgets and cost constraints. However, information security is not just about technology. It is about a whole range of administrative and physical safeguards that require a broader appreciation of the business.

–Explore data monetization options: There is a strong demand for healthcare data for legitimate business uses, such as research. Healthcare enterprises can actively start looking at ways to unlock the value in the data, with appropriate checks and controls, to offset the additional IT investment and enable the use of data for public benefit.