As more details continue to emerge from the Anthem breach, the incident has put all healthcare organizations on notice. The estimated cost of the breach could be in excess of $100 million with as many as 80 million people impacted. A breach of this magnitude is an important learning opportunity to think about healthcare security best practices and in particular, how to control access to sensitive data in organizations. Here are several key takeaways from the breach for healthcare organizations.
Data thieves are looking for soft targets
Healthcare organizations are prime targets for cyberattacks not only because healthcare data is valuable, but because healthcare organizations have a reputation for being susceptible to breaches. In this HealthcareIT News article discussing the breach, Lynne Dunbrack of IDC Health Insights said “Cybercriminals view healthcare organizations as a soft target compared with financial services and retailers because historically, healthcare organizations have invested less in IT, including security technologies and services than other industries, thus making themselves more vulnerable to successful cyberattacks.” Until healthcare as an industry improves its adoption of security practices including data access control, cybercriminals will continue to view healthcare data as a vulnerable target.
Improper access is a top security vulnerability
Investigators believe hackers accessed Anthem’s information by stealing system administrator credentials of five different employees. They also believe that the breach had been in progress for several years. Benjamin Lawsky, Superintendent of New York State Department of Financial Services, said in this article that “Anthem is a wake-up call to the insurance sector really showing that there is a huge potential vulnerability here.”
Some have pointed out that Anthem should have encrypted the information; however, the greater shortcoming was the lack of proper access controls. Encryption would not have stopped attackers who had obtained valid credentials, since the system decrypts data for anyone it recognizes as an authorized user. The vulnerability was not in the software, operating system or hardware, but in the process of managing access controls based on business and operational requirements.
Three types of safeguards are needed to control access to sensitive data
Managing access control can be challenging, especially with respect to preventing insider data breaches or simple mistakes by users with high-level access. Anthem is not alone, as many organizations need to tighten system access. When providers are considering what strategies to employ to improve access control, they should consider three broad types of safeguards.
1) Technical safeguards – Grant role-based access to data and applications on a need-to-know basis.
2) Physical safeguards – Control physical access to workstations and, through them, to clinical applications.
3) Administrative safeguards – Create comprehensive policies and auditing tools that allow a compliance manager to report on who has access to which systems, applications and patient records as it applies to their role.
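The technical and administrative safeguards above can be made concrete with a small role-based access control (RBAC) model: roles carry only the permissions a job requires, every access decision is deny-by-default and logged, and a review function reports who can reach which data through which role. The following is an added illustration written for this post, not Caradigm's product code; the roles, users and resource names are constructed.

```python
"""Minimal RBAC model with an access-review report (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    resource: str  # e.g. "patient_records", "clinical_app", "servers"
    action: str    # e.g. "read", "write", "admin"


# Technical safeguard: each role gets only what the job needs (constructed roles).
ROLE_PERMISSIONS = {
    "nurse": {
        Permission("patient_records", "read"),
        Permission("clinical_app", "read"),
        Permission("clinical_app", "write"),
    },
    "billing_clerk": {
        Permission("billing", "read"),
        Permission("billing", "write"),
    },
    # Infrastructure administrators get no patient data by default.
    "sysadmin": {Permission("servers", "admin")},
}

# Constructed user-to-role assignments. "dave" combines two roles, which the
# review below flags as a separation-of-duties concern.
USER_ROLES = {
    "alice": {"nurse"},
    "bob": {"billing_clerk"},
    "carol": {"sysadmin"},
    "dave": {"sysadmin", "nurse"},
}

# Administrative safeguard: every decision is recorded for the compliance manager.
DECISION_LOG = []


def permissions_for(user):
    """Union of the permissions granted by all of the user's roles."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def check_access(user, resource, action):
    """Deny-by-default decision; unknown users and resources are refused."""
    allowed = Permission(resource, action) in permissions_for(user)
    DECISION_LOG.append({"user": user, "resource": resource,
                         "action": action, "allowed": allowed})
    return allowed


def access_report():
    """Rows of (user, role, resource, action): who can reach what, and why."""
    rows = []
    for user, roles in sorted(USER_ROLES.items()):
        for role in sorted(roles):
            perms = sorted(ROLE_PERMISSIONS.get(role, set()),
                           key=lambda p: (p.resource, p.action))
            rows.extend((user, role, p.resource, p.action) for p in perms)
    return rows


def users_with_access(resource, action):
    """Answer the reviewer's question: who can do <action> on <resource>?"""
    return sorted(u for u in USER_ROLES
                  if Permission(resource, action) in permissions_for(u))


def flag_excess_privilege(sensitive="patient_records", infra="servers"):
    """Flag accounts that hold infrastructure admin rights and patient-data access."""
    return sorted(
        u for u in USER_ROLES
        if Permission(infra, "admin") in permissions_for(u)
        and any(p.resource == sensitive for p in permissions_for(u))
    )


if __name__ == "__main__":
    for row in access_report():
        print("%-6s %-14s %-16s %s" % row)
    print("read patient_records:", users_with_access("patient_records", "read"))
    print("admin + patient data:", flag_excess_privilege())
```

The review functions are the part a compliance manager would run on a schedule: users_with_access answers "who can read patient records today," and flag_excess_privilege surfaces accounts that would give a single stolen credential both infrastructure control and access to patient data.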
Caradigm is the leader in Identity and Access Management (IAM) solutions, and is focused exclusively on healthcare organizations. If you’d like to discuss your access control needs further or see a demo, contact us here.
Osborne, Charlie. "Cost of Anthem's data breach likely to exceed $100 million." Retrieved from http://www.cnet.com/news/cost-of-anthems-data-breach-likely-to-exceed-100-million/ (2.12.15).