
Encryption might have not stopped Anthem hack

As news of Anthem’s massive hack from last week settled in, health IT and security experts further weighed in on the charged discussions surrounding healthcare cyber security and whether Anthem was adequately prepared for the attack.

It was quickly noted in security circles that the insurer had failed to encrypt its data on some 80 million customers and employees who had their names, Social Security numbers, addresses and other information stolen.

On the surface, that might be cause to criticize Anthem, but several prominent voices came to its defense. Fred Trotter, a noted health IT journalist, had this take today:

“Anthem was right, and the Internet is wrong. Or at least, Anthem should be ‘presumed innocent’ on the issue. More importantly, by creating buzz around this issue, reporters are missing the real story: that multinational hacking forces are targeting large healthcare institutions.”

Anthem itself put out several statements from experts who weighed in with similar thoughts.

“I have no doubt that Anthem has a fairly sophisticated security organization. This basically proves that it doesn’t matter how big you are or how much money you spend, and how diligent you are at protecting your data, you can still have an incident,” Mac McMillan, a healthcare security expert and founder of CynergisTek, told Modern Healthcare. “Everybody could have a breach.”

Trotter goes on to say encryption is not always helpful, and the initial focus by reporters on that element misses a larger point.

“They presume that encrypted records are always more secure than unencrypted records, which is simplistic and untrue. Encryption is a mechanism that ensures that data is useless without a key, much in the same way that your car is made useless without a car key. Given this analogy, what has apparently happened to Anthem is the security equivalent to a car-jacking.”

Other experts pointed out that the use of Social Security numbers is an antiquated and insecure practice in a digital age. Whether the healthcare and insurance industries act on that notion, and perhaps develop a new type of ID mechanism for health records, remains to be seen, but it’s certainly an intriguing idea that is sure to resonate with some.

But, as Trotter notes, there’s the matter of accessibility under HIPAA, and Robert Neivert, COO of consumer privacy company Private Me, similarly noted that convenience and security have yet to reach an ideal balance when it comes to healthcare data.

“Anthem has a responsibility, under HIPAA, to ensure that records remain accessible,” Trotter notes. “That is much easier to do with unencrypted data. The fact that this data was not encrypted means very little. There is little that would have stopped a hacker with the level of access that these hackers achieved. Encryption probably would not have helped.”

So far, early signs point to sophisticated foreign hackers, possibly from China. It’s also been noted that whoever hacked the data from Anthem stands to make a handsome profit on the black market.

“A complete identity-theft kit containing comprehensive health insurance credentials can be worth hundreds of dollars or even $1,000 each on the black market, and health insurance credentials alone can fetch $20 each; stolen payment cards, by comparison, typically are sold for $1 each,” according to a report from PwC.

Interesting. Stay tuned.
