Security experts had been predicting that large healthcare data breaches would continue into 2015. With the Anthem Inc. breach of roughly 80 million records, that prediction is now a reality. An article over at Forbes explores why healthcare data is so valuable. Here are some of the reasons:
- Quantity of information: think of the 15 pages of forms that get filled out when visiting a doctor. No other vertical collects that quantity of data per customer.
- Value of information: not only is there a lot of data, it is the most valuable kind. Social Security numbers, payment information, bank account details, addresses and troves of personally identifiable information (PII). Unlike a payment card number, a Social Security number or a medical history cannot be reissued once it has been exposed.
- Timeliness: medical and financial information is refreshed at least annually during the traditional open enrollment period with employers, and healthcare records are updated with every physician visit. No other vertical refreshes client data with such frequency.
The article also draws some initial lessons from the Anthem Inc. breach:
Respect thy enemy. The adversary that is faced is not some random teenager, fueled by chocolate doughnuts and energy drinks and looking to make a name for himself. The criminal element is intelligent, educated, sophisticated and organized. Remember the words of the Anthem CEO: the company was the "target of a very sophisticated external cyber attack." If Anthem can be breached, your organization can as well. Thus, confront thy cyber enemy with the respect they deserve.
Have a plan. No one plans to be breached, but everyone needs a meticulous plan in place on how to respond to a breach. Anthem did not plan to be breached; however, it had a plan prepared regarding how to react if it was breached. Anthem's execution in the wake of the breach is to be commended, minimizing the blast radius and implicitly communicating organizational competence in handling the situation. Should your organization be breached, would your execution be as proactive and as measured as Anthem's? It is an important question to ask.
Here are some steps you should take:
- Perform a security risk assessment so you know where your risk of a breach lies and which gaps need to be closed first
- Have written policies and procedures on how to protect patient information
- Ensure your employees are properly trained and understand best practices for protecting patient information
- Have a security incident response plan in place and test it periodically (for example, with a tabletop exercise) so that it works when you actually need it
- Evaluate whether HIPAA / cyber insurance is needed to provide financial protection in the event of a breach
Free HIPAA Security Training!
All Covered Entities and Business Associates need to train their employees on HIPAA security. We now offer free online HIPAA security training for Covered Entities and Business Associates. Find out more about our free training and send the information to ALL your colleagues and Business Associates.
Now it is easy to train your employees on protecting patient information!