This article is a clarion call to the healthcare industry to wake up! It’s not about Target and Home Depot anymore. On February 5th, Anthem Inc., the largest for-profit managed health care company in the Blue Cross and Blue Shield Association, announced that 80 million records had been compromised.
It is interesting to note that this is not a unique occurrence. Just a week prior to the Anthem incident, a laptop was stolen from the Riverside County Regional Medical Center in Moreno Valley, California. The information on the laptop included names, phone numbers, addresses, dates of birth, Social Security Numbers, and clinical information such as medical record numbers, physicians, diagnoses, treatments received, medical departments and health insurance information.
To all of the State Governors, Hospital Administrators, and various CEOs of insurance and other healthcare-related entities reading this article, pay attention because herein lies the secret of knowing whether you are next. You must ask the question, “How hackable am I?” And you must fully expect to find out.
In the same month, other data breach incidents occurred at Sunglo Home Health Services of Harlingen, Texas, and California Pacific Medical Center/Sutter Health of San Francisco, California. Health data compromises, from California to New York and from Texas Health and Human Services to the Utah Department of Health, have seen a sharp uptick in recent years.
There is only one way to find out if you are hackable, and that is to hire a hacker to hack you. It sounds risky, but it is actually called penetration testing and is performed by reputable companies who employ individuals holding credentials such as the Certified Ethical Hacker (CEH) or CISSP.
You may say, “Well, we have our own internal vulnerability team.” This is fantastic! As it should be. However, these are your employees, and they are biased by the paycheck you sign every payday. I recommend that you hire an objective outside company at least annually to perform an in-depth internal and external penetration test of your network, databases and critical applications.
Some standards, such as PCI, state that penetration tests by qualified outside parties should be performed annually or as often as there are changes to the environment. The point here is that such a test is only a point-in-time assessment, and its results are invalidated if new technology is installed and configured incorrectly.
In summary, qualified engineers can find and report on the “hackability” of your systems, and provide a remediation report to help ensure you don’t become the next Anthem. It’s not just about Target, Home Depot, or big box retailers anymore. Healthcare is now squarely in the hacker’s crosshairs.
About the Author
Greg Johnson is the VP of Security Business Development and Strategy at Lancera Security, the World’s Trusted Source of Security Solutions. Mr. Johnson is an entertaining and sought-after speaker in the world of cyber security.