From the April 2015 issue of HealthCare Business News magazine
McMillan says any organization can be hacked, and many probably have been already but are just not aware of it. He says that many organizations in health care, not just smaller ones, are very susceptible to attacks by skillful and motivated hackers. “Certainly those that have not done the things they should do — and there are a lot of them that haven’t — are going to be more susceptible than others. And if they can take down an Anthem, they can take down a regional hospital that has very little security,” he says.
He adds that vulnerabilities have also increased because of the way organizations are connected. Poorly protected smaller organizations might be back doors to larger ones through health information exchange or accountable care organizations. He also draws attention to the increasing role of Big Data in health care, massive repositories of information that can be used — legitimately — for population health and other analyses. “We have to find a balance between progress in science and security and privacy. Those databases have got to be lucrative targets,” he says.
Despite the increased threat level in health care, McMillan says the bad guys don’t always win, and not everybody who makes a run at an organization is going to be a sophisticated attacker. Organizations can certainly raise their readiness to where only the very best will succeed, in his view. Even with regard to today’s super cyber criminals, there are certain things organizations can do to enhance their ability to detect an attack and to make it more difficult to steal data.
In McMillan’s view, it’s completely unfair to throw rocks at either CHS or Anthem: those organizations weren’t victims of anything that any other organization couldn’t also have been subject to. The key issue, he says, is why the attackers were able to stay in those environments for as long as they did without being detected.
Basic rules in the environment, or a data loss prevention program, should have raised a red flag long before the breaches were discovered. Organizations need to pay attention to how they manage data, and should not allow information to sit on a device where it has no business being. McMillan also questions whether all 80 million records breached at Anthem were active information on current customers. If not, why would the company still house data on people who were no longer customers?
“If Anthem had purged the information on folks they were no longer covering, it wouldn’t have been 80 million,” he says. “We have to stop holding on to information on all of these people that we no longer have a legitimate business having.” McMillan believes it is time for the executive leadership in health care to become more aware of what’s going on with regard to the threats to the data on their systems. The real issue is that hacking incidents need to be elevated to the same level as other incidents, such as disease outbreaks or disasters that are identified as crucial by risk management groups.
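Two of the points above, that a bulk pull of records should trip a basic rule long before an attacker finishes, and that data on people the organization no longer covers should be purged, lend themselves to a small worked illustration. The following is an added example and is not code from the article, from McMillan, or from any of the organizations named; the audit-log format, account names, thresholds and the two-year retention period are all assumptions made for the illustration, and the sample log lines and member records are constructed. Real retention periods are set by legal and regulatory obligations, not by this script.

```python
"""Added example: a bulk-read detector and a retention check over constructed data.

Not the article's or McMillan's code. The log format, account names, thresholds
and retention period are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta
from statistics import median

# Constructed database-audit lines: "<ISO timestamp> <account> <records_returned>"
SAMPLE_ACCESS_LOG = [
    "2015-01-20T09:12:00 svc_claims 1200",
    "2015-01-21T09:05:00 svc_claims 1100",
    "2015-01-22T09:30:00 svc_claims 1300",
    "2015-01-23T10:01:00 svc_claims 1000",
    "2015-01-24T09:45:00 svc_claims 1500",
    "2015-01-25T02:17:00 svc_claims 2000000",  # constructed off-hours bulk pull
    "2015-01-20T11:00:00 analyst2 400",
    "2015-01-21T11:00:00 analyst2 420",
    "2015-01-22T11:00:00 analyst2 380",
    "2015-01-25T11:00:00 analyst2 410",
]

# Constructed member records: (member_id, coverage_end or None for active members)
SAMPLE_MEMBERS = [
    ("M001", None),
    ("M002", date(2009, 6, 30)),
    ("M003", date(2014, 11, 15)),
]
AS_OF = date(2015, 2, 1)          # assumed evaluation date
RETENTION_DAYS = 730              # assumed two-year retention after coverage ends


def parse_access_log(lines):
    """Parse audit lines into (timestamp, account, records) tuples; malformed lines are skipped."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            events.append((datetime.fromisoformat(parts[0]), parts[1], int(parts[2])))
        except ValueError:
            continue
    return events


def daily_totals(events):
    """Sum records returned per account per calendar day."""
    totals = defaultdict(lambda: defaultdict(int))
    for ts, account, records in events:
        totals[account][ts.date()] += records
    return totals


def flag_bulk_reads(events, multiplier=10, floor=100000):
    """Return (account, day, total) for days on which an account read more than both
    an absolute floor and `multiplier` times its own median daily volume.

    The median is used as the baseline so that a single huge day does not
    inflate the account's "normal" and hide itself."""
    flagged = []
    for account, per_day in daily_totals(events).items():
        baseline = median(per_day.values())
        for day in sorted(per_day):
            total = per_day[day]
            if total > floor and total > multiplier * baseline:
                flagged.append((account, day.isoformat(), total))
    return flagged


def stale_member_ids(members, as_of, retention_days):
    """IDs of former members whose coverage ended more than retention_days before as_of.

    These are the records the organization no longer has a business reason to hold
    and that would not be exposed in a breach if they had been purged."""
    cutoff = as_of - timedelta(days=retention_days)
    return sorted(mid for mid, ended in members if ended is not None and ended < cutoff)


if __name__ == "__main__":
    for account, day, total in flag_bulk_reads(parse_access_log(SAMPLE_ACCESS_LOG)):
        print(f"ALERT: {account} read {total} records on {day}")
    print("stale records to purge:", stale_member_ids(SAMPLE_MEMBERS, AS_OF, RETENTION_DAYS))
```

On the constructed log the service account's 2,000,000-record pull on 25 January is the only day flagged; the analyst account's steady few hundred reads per day never approach either threshold. The retention check reports only the member whose coverage ended in 2009, while the member dropped in late 2014 is still inside the assumed window.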