BreachExchange mailing list archives

Why Anthem Must be a Turning Point for Security


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 11 Feb 2015 20:19:13 -0700

http://www.healthdatamanagement.com/blogs/why-Anthem-must-be-a-turning-point-for-security-49780-1.html

It wasn't so long ago that the HIPAA privacy and security rules were
updated, and yet today they are already wildly outdated. We need another
rework and soon; the onslaught of organized and sophisticated hacking for
profit by criminal enterprises compels it.

These hacks are not new, but the intensity and size of these breaches
continue to grow. So far, the Department of Health and Human Services
hasn't made the jump to flat-out mandate encryption of PHI at rest whenever
possible, even though it should have done this long ago. Now it really has
no choice, but the question remains: Does the industry have the fortitude
to enforce such a mandate?

Yes, encryption is expensive, it slows down computers, and doctors will
yell. And there are times when running the business means data remains in
an unencrypted state. In a blog posted at Ars Technica, Steven Bellovin,
professor of computer science at Columbia University, contends that the
most sensitive databases are always in use so they are effectively
decrypted. In these cases, access control must be far more robust than it
was at Anthem.

But every type of business has a cost of business, and encryption where
possible has to become one of the costs for healthcare. Many years ago, the
government made a deal to license the use of SNOMED CT, enabling the
industry to use the coding set for free. Not many healthcare organizations
took advantage of the freebie, but maybe that is a model the government can
use to make encryption more affordable and doable.

Government agencies that regulate other industries also must get far more
aggressive on encryption. So many Americans have been affected by breaches
in the financial and retail industries, and while those and other
industries already have better security than healthcare, the risks faced by
the public are still unacceptable.

In healthcare, a ton of work remains to secure PHI, and on Feb. 5 it became
clear that the industry and government must respond. To fail would imperil
industry moves toward accountable care, population health management and
value-based reimbursement, all of which require substantial use of PHI.

How do we engage patients and liberally use their PHI for data analysis and
other functions if we can’t protect the data? HHS Secretary Sylvia Burwell
may have thought there were higher priorities under health reform than
encryption and there surely were. But not now.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/