BreachExchange mailing list archives
Why Anthem Must be a Turning Point for Security
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 11 Feb 2015 20:19:13 -0700
http://www.healthdatamanagement.com/blogs/why-Anthem-must-be-a-turning-point-for-security-49780-1.html

It wasn't so long ago that the HIPAA privacy and security rules were updated, and yet today they are already wildly outdated. We need another rework, and soon; the onslaught of organized and sophisticated hacking for profit by criminal enterprises compels it. These hacks are not new, but the intensity and size of these breaches continue to grow.

So far, the Department of Health and Human Services hasn't made the jump to flat-out mandate encryption of PHI at rest whenever possible, even though it should have done this long ago. Now it really has no choice, but the question remains: Does the industry have the fortitude to enforce such a mandate?

Yes, encryption is expensive, it slows down computers, and doctors will yell. And there are times when running the business means data remains in an unencrypted state. In a blog posted at Ars Technica, Steven Bellovin, professor of computer science at Columbia University, contends that the most sensitive databases are always in use, so they are effectively decrypted. In these cases, access control must be far more robust than it was at Anthem. But every type of business has a cost of business, and encryption where possible has to become one of the costs for healthcare.

Many years ago, the government made a deal to license the use of SNOMED CT, enabling the industry to use the coding set for free. Not many healthcare organizations took advantage of the freebie, but maybe that is a model the government can use to make encryption more affordable and doable.

Government agencies that regulate other industries also must get far more aggressive on encryption. So many Americans have been affected by breaches in the financial and retail industries, and while those and other industries already have better security than healthcare, the risks faced by the public are still unacceptable.
In healthcare, a ton of work remains to secure PHI and on Feb. 5 it became clear that the industry and government must respond. To fail would imperil industry moves toward accountable care, population health management and value-based reimbursement, all of which require substantial use of PHI. How do we engage patients and liberally use their PHI for data analysis and other functions if we can’t protect the data? HHS Secretary Sylvia Burwell may have thought there were higher priorities under health reform than encryption and there surely were. But not now.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss