Anthem breach shifts paradigm of healthcare security

The massive security breach affecting health insurer Anthem is not like previous healthcare data breaches, cybersecurity experts are saying.

As disclosed last week, Anthem was the victim of more than just a security lapse, but a hack known as a targeted advanced persistent threat (APT). The malicious act compromised data on as many as 80 million current and former beneficiaries and employers.

“If this truly is 80 million records, this just blows the covers off the magnitude of what a breach is,” said Andrew Hicks, healthcare practice lead for risk management and compliance firm Coalfire.

Even at the “tens of millions” level Anthem has confirmed to date, it is easily the largest hack of healthcare data in U.S. history, far outstripping the 1.3 million people said to be affected by a July 2014 attack on a server at the Montana Department of Public Health and Human Services. It also is one of the largest breaches of any kind in U.S. history.

Plus, Bloomberg Business reported that the FBI-led investigation of the Anthem breach has pointed to state-sanctioned hackers from China as key suspects. Phishers already have started to pounce on those whose information was stolen, other reports have suggested.

There are regulations for security of healthcare data in place, but this is not a HIPAA violation caused by carelessness or even a disgruntled employee. There has not been any indication yet that any protected health information (PHI) was compromised, so HIPAA may not even apply.

Compliance with regulations is one thing. “The issue of cyberthreat is newer and more alarming,” Lisa Gallagher, vice president of technology solutions for HIMSS, told Clinical Innovation + Technology. “This is an advanced persistent threat” apparently from a foreign country. “It may rise to the level of national security,” Gallagher said.

According to Hicks, many are still “chasing a compliance standpoint,” doing just enough to satisfy HIPAA. But HIPAA doesn’t require certain security measures, including firewalls, nor does it call for any proactive surveillance. “It’s very, very minimal what you need to do,” Hicks said.

Organizations are still looking at security from a cost-benefit standpoint rather than taking a pure security angle, Hicks said. “Compliance is an element of security. You’ve got to be going for security,” he explained.

“It’s been more of a compliance mentality,” Gallagher agreed. “You need to shift from a compliance mentality to ongoing, daily risk management,” she advised.

This may have to be an industry-wide effort. “We need to collectively protect our infrastructure assets,” Gallagher said. Some larger organizations will be able to manage sophisticated challenges like APTs, while others will need help from groups like HIMSS and healthcare security interests.

Indeed, the Health Information Trust Alliance, known as HITRUST, said in the wake of the Anthem hack that it would offer free basic subscriptions to its HITRUST Cyber Threat XChange, giving healthcare entities access to its database of cyberthreat intelligence and “indicators of compromise” that suggest a hack attempt is in progress.

“Detection [of threats] is a skill people need to acquire,” Gallagher said. “Take a step back and see not what they got, but what they were after and why,” she advised.

Healthcare data may be a target to hackers because it is so valuable. Coalfire estimates that patient records are worth somewhere between $80 and $100 each, based on data from HIMSS Analytics. PricewaterhouseCoopers has pegged the value of health data on the black market at as much as $1,300 per record.

For comparison, RSA Security, a division of cloud computing giant EMC, said in 2010 that credit card records could be had for as little as $1.50, though online bank login information was going for up to $1,000 each.

Last year, New York-Presbyterian Hospital and Columbia University agreed to pay the HHS Office for Civil Rights $4.8 million to settle HIPAA violations involving the PHI of about 6,800 people, the largest HIPAA fine on record. At that same per-patient rate, an OCR fine against Anthem would reach $56.5 billion, though Hicks noted that is unlikely since this does not appear to be a HIPAA violation.

Healthcare data also can be more permanent than financial information. “You can’t cancel a medical record like a credit card,” Hicks noted.

“This is your freebie wake-up call,” Hicks said. “This is the biggest wake-up call you will have.”