by Paddy Padmanabhan

What the Anthem Data Breach Says About the Vulnerability of Healthcare IT

Opinion
Feb 10, 2015 | 4 mins
Cybercrime, Data Breach, Healthcare Industry

The Anthem data breach, along with other highly publicized cases like Sony and Target, tells us that corporate information systems are fighting a losing battle against hackers. Large health systems are most vulnerable due to their outdated IT infrastructure.


This past week, Anthem Inc., a leading health insurance company, announced that it had been the victim of “a very sophisticated external cyberattack” that “gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data.” Some 80 million customer and employee records have been impacted by this breach.

The incident will have near-term implications for Anthem, chiefly the likely costs of providing identity protection support to its members. For the public, the effects of this incident may well play out over a long period, since the attackers could continue to abuse certain pieces of data (such as social security numbers) in myriad ways that cannot be anticipated just yet.

The Anthem data breach, along with other highly publicized cases like Sony and Target, tells us that corporate information systems are fighting a losing battle against hackers. Healthcare, in particular, could be especially vulnerable. In April 2014, Kaiser Permanente announced that it had been the victim of a data breach. The incident affected a relatively small number of individuals, but it was nevertheless significant that one of the largest health systems in the country could not prevent such an incident. Where does that leave relatively smaller health systems that are struggling to survive and cannot afford to invest in the kind of state-of-the-art infrastructure that can protect their environments from cyberattacks?

The implications are especially serious for Healthcare IT, for the following reasons:

Healthcare IT infrastructure is generally old and inadequate for the current needs of the marketplace, relative to other sectors like retail and banking

Healthcare technology budgets are arguably the most under pressure when compared to other industry sectors

Shrinking tech support staff, combined with end-of-life equipment that’s falling out of support, means that IT systems are more vulnerable than ever before

Ironically, the margin pressures on the healthcare sector, arising from reduced reimbursement rates and a transition from a fee-for-service to an outcomes-based model, mean that in the near term, IT spend will continue to fall at a time when there is a dire need for investment in upgrading aging infrastructure. The condition of healthcare IT infrastructure is as much a patient safety issue as it is a cybersecurity issue.

Emerging technology trends will likely create a new set of challenges for beleaguered healthcare companies struggling to remain ahead of cyberattacks.

Alternate models such as cloud computing: Cloud computing is becoming an accepted model across all sectors. Many analytics vendors are delivering solutions using a cloud computing model, which requires healthcare data to be transferred to their cloud environments for analysis. It could be argued today that data is much safer in a cloud environment that is managed by an Amazon, Microsoft, or a Google. These are firms that have robust infrastructure security in place, which in most cases is better than that of corporate IT in healthcare companies.

The exchange of Protected Health Information (PHI) with Business Associates, such as analytics vendors: In cloud computing models, healthcare data often needs to be transferred to vendor cloud environments, usually in an encrypted and anonymized form. While the anonymizing of data ensures a degree of data security, the governance processes around the transfer and use of data are still emerging. Ultimately, as covered entities under the Health Insurance Portability and Accountability Act (HIPAA), healthcare companies are also liable for data breaches that occur in their vendor environments.

The Internet of Things (IoT) and Consumer Health Technologies: We are likely to see an explosion of consumer health data arising from the use of wearables and other devices that are increasingly likely to connect to EMR systems to help individuals and doctors manage health and wellness. The Federal Trade Commission (FTC) has published a report raising concerns about the privacy and security of healthcare data arising from the emerging IoT trend.

Anthem is a health insurance company and has limited medical information on its members, unlike large providers like a Kaiser Permanente whose Electronic Medical Record (EMR) systems contain detailed diagnostic and treatment information on patients. The compromise of detailed medical information could be far more damaging to individuals if a large health system were to be compromised in a data breach. Ironically, it is the large health systems that are most vulnerable due to their outdated IT infrastructure.