Healthcare News & Insights

Lessons hospitals must learn from Anthem data breach

One of the biggest healthcare data breaches of all time can teach your hospital a thing or two about IT security.

Last week, Anthem – the nation’s second largest healthcare carrier – announced that an outside hacker had infiltrated its IT network and accessed personal health information about its customers.

While Anthem has said that credit card and medical information (such as test results) were safe, the compromised data includes names, employment information and Social Security numbers.

In all, about 80 million people affiliated with Anthem, including patients and employees, could be affected by the breach. That means this incident could be the largest healthcare data breach ever.

Causes & impact

The healthcare insurer is still trying to figure out how the attack occurred. Several reports indicate that outside hackers had been trying to breach its system since last December. Eventually, they gained access using a system administrator’s security credentials to log into the network.

Investigators think the hackers got a hold of several workers’ credentials using an email “phishing” scheme designed to trick them into downloading unknown software or accidentally revealing their passwords.

Because the investigation is still ongoing, the full impact of the breach has yet to be determined. But it’s clear it’ll be costly for Anthem. The carrier’s already had to extend free security monitoring to all current and former members that may have been affected by the incident.

And judging by a past incident involving the insurer and compromised security, even more money may be on the line.

According to an article in USA Today, back when the carrier was known as WellPoint, a smaller breach involving the disclosure of confidential information for close to 612,000 customers resulted in a $1.2 million fine from the Department of Health & Human Services (HHS).

Preventive measures

Hospitals don’t want to find themselves in the same boat because of outside threats.

One crucial security feature that would’ve saved Anthem a lot of hassle: Encrypting patients’ protected healthcare information. While the carrier used encryption to transmit data through its system, it wasn’t encrypted when it was stored in its database, as discussed in an article in the New York Times.

This is a common problem for hospitals, too. When it comes to patient data, it should be encrypted in all areas where there’s potential for a breach.

Another option: storing data on an outside system that does have the appropriate protections in place, instead of using a more vulnerable internal system.

Vendors specializing in cloud databases can offer these services to hospitals. But it’s still important to know exactly what measures they have in place to protect patient data, since facilities are liable if a business associate’s cloud database is breached.

Comprehensive employee training is also important to keeping data secure. The biggest threat to information security in any healthcare organization is its own employees, as many studies have shown. Hospitals don’t want the actions of their own staff to give hackers an easier time of illegally accessing patients’ protected health information.

With that in mind, remind employees about how they should double-check all email requests to download software or confirm system passwords, making sure they’re from a legitimate source.

Passwords should never be shared with anyone who shouldn’t already have access to a database or email account, especially if it’s used to exchange private details about patients and their care.

Also, employees should be wary of clicking any links or downloading any attachments in email messages unless they know the message comes from a credible, trusted source. Encourage them to ask a supervisor or IT employee if they’re unsure about the validity of an email or an attachment they’ve received.

What IT needs to do

Your hospital’s IT department should take an active role in protecting your hospital’s internal databases and computer network. Besides encryption of any stored data, both internal and external firewalls should be in place on all hospital computers and networks to prevent unauthorized access to patient information.

All antivirus programs on computers and other network devices should be updated regularly. This makes it easier to detect and remove malicious software designed to circumvent a network’s security measures.

And to prevent staff from receiving phishing emails, spam filters should be in place that identify key phrases typically included in these messages and prevent them from even reaching employees’ inboxes.
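The credential-confirmation and software-download lures described in the training advice above, and the key-phrase spam filtering described here, can be combined into a simple triage rule. The following is an added example, not code from the original article or from Anthem; the phrase list, the trusted sender domains and the sample messages are all constructed for illustration, and a production filter would use a maintained rule set rather than a hand-written one.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Phrases typical of credential-harvesting and "install this update" lures.
# Constructed for this example; a real deployment would use a maintained feed.
SUSPICIOUS_PHRASES = [
    r"confirm your password",
    r"verify your (account|credentials)",
    r"password (will )?expire",
    r"download (the )?(attached|new) (update|software|tool)",
    r"install (the )?(attached|update)",
    r"urgent action required",
]

# Domains the hospital genuinely sends IT notices from (constructed placeholders).
TRUSTED_SENDER_DOMAINS = {"hospital.example", "it.hospital.example"}

# Attachment types that should never arrive unsolicited from outside.
RISKY_ATTACHMENT_EXT = (".exe", ".scr", ".js", ".vbs", ".zip")


@dataclass
class Email:
    sender: str
    subject: str
    body: str
    attachments: Tuple[str, ...] = ()


def score_email(msg: Email) -> Tuple[int, List[str]]:
    """Return (score, reasons); a higher score means more phishing indicators."""
    score = 0
    reasons: List[str] = []
    text = f"{msg.subject}\n{msg.body}".lower()

    # 1. Key phrases: each hit adds 2 points.
    for pat in SUSPICIOUS_PHRASES:
        if re.search(pat, text):
            score += 2
            reasons.append(f"phrase: {pat}")

    # 2. A message posing as IT support but sent from an untrusted domain.
    domain = msg.sender.rsplit("@", 1)[-1].lower()
    if domain not in TRUSTED_SENDER_DOMAINS:
        if any(w in text for w in ("it department", "it support", "helpdesk")):
            score += 3
            reasons.append(f"claims IT support but sent from external domain {domain}")

    # 3. Executable-style attachments.
    for name in msg.attachments:
        if name.lower().endswith(RISKY_ATTACHMENT_EXT):
            score += 2
            reasons.append(f"risky attachment: {name}")

    return score, reasons


def should_quarantine(msg: Email, threshold: int = 4) -> bool:
    """Hold the message for review instead of delivering it to the inbox."""
    return score_email(msg)[0] >= threshold


# Constructed sample messages: one credential lure, one malware lure, two benign.
SAMPLE_MESSAGES = [
    Email("helpdesk@secure-mail-update.example",
          "Urgent action required: confirm your password",
          "Your password will expire today. Please confirm your password at the "
          "link below or IT support cannot restore your access."),
    Email("updates@software-vendor.example",
          "New client version",
          "Please install the attached update before Monday.",
          ("update.zip",)),
    Email("itops@it.hospital.example",
          "Scheduled maintenance Saturday",
          "The EHR system will be unavailable 02:00-04:00 for patching. "
          "No action is needed."),
    Email("billing@vendor.example",
          "Invoice 4412 attached",
          "Please find the invoice attached.",
          ("invoice-4412.pdf",)),
]


def triage(messages: List[Email]) -> List[str]:
    """Return the subjects of messages that would be quarantined."""
    return [m.subject for m in messages if should_quarantine(m)]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        s, why = score_email(m)
        print(f"{s:2d} {'QUARANTINE' if should_quarantine(m) else 'deliver   '} "
              f"{m.subject!r} {why}")
```

The scoring is deliberately transparent so that a reviewer can see why a message was held, which matters when false positives block legitimate IT notices; the trusted-domain check is what separates a genuine password-expiry reminder from an outsider impersonating the help desk.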

Be sure your facility’s IT department is taking these steps to protect patients’ confidential information – and that their efforts are documented in your hospital’s security plan. Not only does this give your hospital the highest level of protection from data breaches, but proving that you’ve taken all the necessary IT precautions works in your favor if a breach does occur.
