On the heels of the massive hack at Anthem, insurers across the country are stepping up efforts to protect patient and consumer data, while online security experts pointed out that Anthem failed to encrypt its data. At the same time, fundamental ideas on data storage and protection, including the use of Social Security numbers as an ID mechanism, need to evolve to more sophisticated and secure methods, even it means less efficiency for the sake of privacy.
Personal information for some 80 million customers and employees was hacked at Anthem, making it the largest breach this year and one of the largest over the last 12 months, during which dozens of high-profile breaches occurred across the healthcare system.
While security experts said Anthem and numerous other healthcare organizations over the last year could have provided better security, the fundamental notion of using Social Security numbers as an ID mechanism is coming under scrutiny, not just in healthcare but on a broader government level, according to Robert Neivert, COO of consumer privacy company Private Me. He also noted that the push toward efficiency in healthcare has led to less-than-ideal data storage practices that make organizations further vulnerable.
With the Rise of AI, What IP Disputes in Healthcare Are Likely to Emerge?
Munck Wilson Mandala Partner Greg Howison shared his perspective on some of the legal ramifications around AI, IP, connected devices and the data they generate, in response to emailed questions.
“What you actually end up having to do is not put all of your data in one place,” Neivert said. “You basically need to break it up. This is expensive and it also breaks the idea of big data. You end up having to break your data into protection levels, which makes it more expensive to do business.”
Although it’s been noted that Anthem did not encrypt its data, numerous security experts said the insurer did take industry-accepted security measures.
Anthem is “operating in a realm of best practices… They are in that zone. What we want to see is both a constant application and a high set of standards,” John Podesta, counselor to President Obama, told Bloomberg.
At Aetna, spokeswoman Anjie Coplin said the insurer was stepping up security efforts, including examining the use of Social Security numbers as they relate to identification for healthcare and insurance purposes.
A Personalized Approach to Medication Nonadherence
At the Abarca Forward conference earlier this year, George Van Antwerp, managing director at Deloitte, discussed how social determinants of health and a personalized member experience can improve medication adherence and health outcomes.
“We closely follow the technical details of every breach that’s reported to look for opportunities to continually improve our own IT security program and the health sector’s information protection practices broadly,” she said. “This latest incident highlights the ongoing need for the health sector to move to a model that relies less on Social Security numbers. SSNs are highly marketable and valuable to hackers, and have been a standard part of the health care system for decades. The less SSNs are handled as part of business transactions, the smaller the opportunity that they can be exploited by hackers.”
With Anthem being the second largest insurer in the country, other carriers took quick notice and said they were taking measures to blunt any attack on themselves.
At Connecticut-based Cigna, spokesman Joe Mondy told MedCity News “yes Cigna encrypts its patient/consumer data.” He added:
“Cigna recognizes that the healthcare industry is a potential target for cybersecurity threats – and we take the safeguarding of our customer and business information very seriously. We are closely monitoring this situation.. We have multiple system products that detect, log, and alert us to suspicious traffic. And Cigna computers have security software installed, and can only connect to our network when they’re running the latest anti-virus software and definitions..”
For its part, Indianapolis-based Anthem today issued an alert for affected customers after many reportedly were targeted by email phishing scams, urging people not to reply to suspicious emails and to not download any attachments.
The stolen information did not include medical or credit card information, Anthem said, but names, birth dates, Social Security numbers, addresses and member IDs were taken, all of which could be valuable for cyber thieves.
Security experts, meanwhile, largely noted that the data was not encrypted and offered context on what is just the latest hack or data breach in healthcare. One key issue is the fact that healthcare organizations are often huge and collect massive troves of data, but security remains a challenge.
“The ability of healthcare companies to compile data has grown faster than their ability to protect it,” Alan Sager, a health policy professor at Boston University, told the Los Angeles Times.
A spokesman for Humana, the largest insurer in the nation, simply said that, yes, it encrypts its data.
Blue Shield of California, which is not affiliated with Anthem, declined to comment on questions of security efforts in lieu of Anthem’s breach. It did, however, release a statement that sought to clear up any confusion over its relationship with Anthem.
“Blue Shield of California is aware of the Anthem Inc. cyber-attack and we are working to gather more information and understand the scope of this issue,” the San Francisco-based insurer said. “In California, Anthem Blue Cross is separate and independent from Blue Shield of California, though some members could be affected due to various collaborative agreements between Blue Plans throughout the country.”
Neiver, of Private Me, said the issue of using Social Security numbers goes beyond healthcare and speaks to the governmental practices as a whole. Ultimately, it’s just not a very sophisticated approach in the digital age.
“On the government side, Social Security numbers are a problem,” he said, adding that both government and healthcare should take a chapter out of the online banking sector by adopting closed-network systems.
For both consumers and healthcare organizations, that means sacrificing convenience for the sake of security, a notion that may not sit well with either as the health system looks toward digital technologies that can help it achieve efficiency.
“There is this constant push and pull, and we’ve been pushing the healthcare system to be more convenient, and security got compromised,” he said. “It shouldn’t have been designed that way at all,” he continued, referring to how basic consumer data has been stored by healthcare organizations. “It should have been chopped up and put into many places. It’s a lot more secure, but there’s an inconvenience. The user has to be conscious of that.”
The industry is likely headed that way, but in the near term, one thing is certain: hacks and data breaches are likely to continue.
“This is not going to go away,” he said. “Unless there is a major change, we are going to keep seeing it.”
