Health care hacks on the horizon for 2015

Some experts are saying that 2015 could be the so-called “Year of the Health Care Hack,” according to an article from Reuters. The suggestion is that the massive amounts of electronic information stored by insurers and hospitals could come under even more attacks this year due to the changing patterns of hackers. Dave Kennedy, chief executive of TrustedSEC, LLC (an information security firm), told Reuters that “people feel that this will be the year of medical industry breaches.”

Bad Start

The year started off on a relatively sour note when it comes to cyber-attacks in the health care industry. In early February, Anthem Inc., the second largest health insurer in the U.S., disclosed that it had been the victim of a cyber-attack, which, according to a CNN report, compromised the personal data of 80 million patients. According to CNN, the health care data stolen included “names, birthdays, medical IDs, social security numbers, street addresses, e-mail addresses and employment information, including income data.” Due to the massive scale of the breach, Anthem set up a website to educate consumers and provide resources for dealing with the aftermath of the hack.


CNN points to the Anthem hack as a signal that targets are shifting. For example, last year data was stolen from entities like Target, Neiman Marcus, JPMorgan Chase, Experian, eBay, and Home Depot. The massive scale of the Anthem hack may mean that well-equipped, large-scale cyber attackers have changed tack, putting health care data, as opposed to credit card data, in the crosshairs. Dave Kennedy told Reuters that the data stolen from banks and retailers has begun to lose its value in criminal markets. The suggestion is that the turn towards medical data is a turn towards a new market. According to Reuters, health care data provides a unique benefit for thieves over and above financial data because it can be used to “fraudulently obtain medical services and prescriptions as well as to commit identity theft and other financial crimes.”


The health care industry knows what is happening. According to a study conducted by the Ponemon Institute and sponsored by Lockheed Martin, 68 percent of health care organizations say cyberattacks are increasing in severity, and 77 percent of health care organizations see a rise in frequency. According to the Associated Press (AP), some critics suggest that the hack resulted because insurers are not required to encrypt all consumer data. For example, David Kibbe, CEO of DirectTrust, told the AP that the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) needs to be revised to address the fact that the law does not clearly require encryption in all circumstances. Encryption is the use of mathematical formulas to scramble data. Although the law provides for some encryption requirements, Kibbe maintains that the law should require encryption whether information is transferred or remains in a single company’s database. Regardless of which solution is the best one to prevent hacks, the Anthem hack looms ominously at the start of a year that could well be the year of the hack for the health care industry.