5 Strategies for Avoiding a Data Breach

By smace@healthleadersmedia.com | March 03, 2015

The massive Anthem data breach reported last month has been having a ripple effect throughout the healthcare industry. Security experts offer five steps to take now.

Worries about data security have been piling up in the minds of CIOs the past three weeks like record-setting snows falling on New England.

"Security is an incredibly hot topic," says Marc Probst, chief information officer at Intermountain Healthcare. "Anthem takes it to a whole new level of consciousness."

Probst, of course, is referring to revelations last month that Anthem suffered a breach of 80 million member and employee records. Since the revelations, healthcare and related organizations have been subjected to an unprecedented number of scams and schemes, as bad guys, armed with names, social security numbers, and income data have tried to defraud insurance companies of various benefits, including bogus workman's comp claims.

Due to the interconnectedness of healthcare, this means that the Anthem breach has been having a ripple effect throughout most of U.S. healthcare, and that has Probst, other security consultants, and even trade associations such as HIMSS sounding the alarm as never before.

It's hard for them to even be heard among the noise of an entire industry of security vendors and consultants seeing dollar signs, and the whole thing threatens to dissolve into a constant drone of background warnings and whining. So what can really be done?

Here are five concrete suggestions.

1. Update SSL Certificates
After talking to consultants such as CynergisTek's Mac McMillan and email security expert Hoala Greevy, I would recommend that every organization visit the SSL Labs Web site to see if its SSL certificates are up to date and that it is running the latest version of SSL/TLS to enable trusted, encrypted secure transactions over the Internet.

There's no indication that out-of-date SSL/TLS code led to the Anthem breach, but not addressing this defect could cause potential provider or payer partners to doubt your sincerity about at least locking the doors and closing the windows on your digital domains, even if you've got stronger measures working somewhere inside.

"If [potential partners] run that scan, they would get an appreciation for whether or not that person that they're getting ready to connect could potentially be a vulnerability, a back door into their environment," McMillan says.

In my own informal survey, I found several major payers who currently receive an "F" grade from SSL Labs for running an outdated version of SSL or for possessing a vulnerability to attacks. In response, one payer says that the SSL Labs test doesn't actually show the defense-in-depth capabilities of a Web site that would prevent attackers from getting very far despite the reported SSL vulnerability.

Still, McMillan says, "when we go in and test hospitals, we routinely find old SSL certificates, old versions of SSL. They just don't keep up. It's very common to find two or three different versions of SSL in their environment and more than half of them are obsolete."
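A scripted version of the check described above, added here as an example that is not from the article or from SSL Labs: it connects with Python's standard ssl module, reports the negotiated protocol and the days left on the certificate, and flags obsolete versions. Host names are given on the command line; the 30-day warning threshold is an assumption.

```python
import socket
import ssl
import time

# Protocol names as returned by SSLSocket.version() that an audit should flag as obsolete.
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def evaluate(protocol, not_after, now=None, warn_days=30):
    """Return findings for a negotiated protocol and a certificate notAfter string.

    not_after uses the format getpeercert() reports, e.g. "Mar  3 12:00:00 2016 GMT".
    """
    now = time.time() if now is None else now
    findings = []
    if protocol in OBSOLETE_PROTOCOLS:
        findings.append(f"obsolete protocol negotiated: {protocol}")
    days_left = (ssl.cert_time_to_seconds(not_after) - now) / 86400
    if days_left < 0:
        findings.append("certificate expired")
    elif days_left < warn_days:
        findings.append(f"certificate expires in {int(days_left)} days")
    return findings

def probe(host, port=443, timeout=5.0):
    """Connect using the platform trust store and audit what the server negotiated."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return evaluate(tls.version(), tls.getpeercert()["notAfter"])
    except ssl.SSLCertVerificationError as exc:
        # Expired, untrusted or mismatched certificates fail before we can inspect them.
        return [f"certificate failed verification: {exc.verify_message}"]
    except (ssl.SSLError, OSError) as exc:
        # Also covers servers that only offer protocols the default context refuses.
        return [f"handshake failed: {exc}"]

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        print(host, probe(host) or ["no findings"])
```

Because the default context verifies the chain, an expired or untrusted certificate shows up as a verification failure rather than a date finding.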

2. Adopt the DMARC Standard
It is time for healthcare as an industry to adopt the Domain-based Message Authentication, Reporting and Conformance, or DMARC, standard. DMARC standardizes how email receivers perform email authentication using the well-known SPF and DKIM mechanisms.

Using DMARC, senders will experience consistent authentication results for their messages at various email providers, and experts tell me it greatly reduces the odds of phishing attacks being launched from outside or from within healthcare organizations.
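To make concrete what "consistent authentication results" means, here is an added example (not from the article or from any DMARC vendor) that parses a constructed DMARC record and applies the RFC 7489 identifier-alignment rules to decide whether a message passes or receives the published policy. The domain names are placeholders, and the two-label organizational-domain approximation is an assumption.

```python
# Constructed DMARC record for a hypothetical health-system domain; all hostnames are placeholders.
DMARC_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example-health.test"

def parse_dmarc(record):
    """Split a DMARC TXT record into tags and fill in the RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if "p" not in tags:
        raise ValueError("missing required policy tag p=")
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")   # relaxed SPF alignment unless aspf=s
    return tags

def organizational_domain(domain):
    """Assumed approximation: the last two labels (a real receiver consults the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed accepts the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)

def dmarc_result(tags, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return "pass" or the requested policy (none/quarantine/reject) for one message.

    from_domain: domain of the RFC5322.From header the recipient sees.
    spf_domain:  domain SPF was evaluated for (envelope sender).
    dkim_domain: d= of a signature that verified.
    pct= sampling and the sp= subdomain policy are not modelled here.
    """
    spf_ok = spf_pass and spf_domain is not None and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and dkim_domain is not None and aligned(from_domain, dkim_domain, tags["adkim"])
    return "pass" if (spf_ok or dkim_ok) else tags["p"]
```

A message whose SPF or DKIM check passes for some unrelated domain still fails DMARC, because neither identifier aligns with the visible From domain.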

A recent survey by one DMARC security company, which scanned myriad email headers, reported that emails which appear to be from healthcare companies are four times more likely to be fraudulent than those appearing to be from social media companies, due to healthcare's lagging adoption of DMARC.

Here too, we don't know if failure to act contributed to the Anthem breach. But since these attacks appear to be more sophisticated than yesterday's simplistic security-certificate and phishing attacks, the healthcare industry can't stop there.

3. Reconsider the Penalties
Policy makers in Washington, starting with ONC, need to consider whether current statutes, which throw the penalty book at organizations for data breaches, are in fact exacerbating the problem and robbing these organizations of the very resources they need to boost their security efforts.

"Currently the government's practice is one of, 'we're just going to penalize the providers and payers any time a breach occurs or if we find some kind of a deficiency within that organization,'" Probst says.

"I understand why they do that, but given the breadth of what's happening, given the fact that the DoD's been hacked, wouldn't it be a nice time to change the focus from that massive stick—lots of time spent justifying why you did or didn't do what you did—to one of, 'how do we work together to solve the problem?'"

4. Communicate Better and Sooner
As we are rethinking the carrot-and-stick approach, it's time for healthcare to have a real-time mechanism for disseminating threat data to healthcare organizations.

"That's a real challenge," says Lisa Gallagher, vice president of technology solutions at HIMSS. "If we're going to expect that healthcare organizations are going to be looking at four or five different sources of threat data, it's not going to work."

Organizations such as CERT and the members-only HITRUST group provide some insights, and a myriad of security companies will promise to bring threats to your attention faster and better than anyone else will, but providers don't have time or resources to check half a dozen sources daily.

They need a single source, and that source needs to efficiently disseminate not just the findings of healthcare organizations, but of the top security agencies in the US, including the NSA and the FBI.

5. Address Encryption and Access Control

Healthcare needs to have a conversation about encryption and access control. It's cost-prohibitive to encrypt everything, which is why it isn't a ubiquitous practice. Anthem has taken some knocks for not encrypting its 80 million records, but typically, data centers haven't encrypted at that scale.

Access control is offered as an alternative of sorts, the thinking being, if a bad guy does get in, the credentials he steals or spoofs should only allow him to get at a smaller number of unencrypted records, not 80 million. Data loss prevention technology can at least tell executives how much data is going out the door, and escalate alarms while a breach is in progress.

Finally, everyone going to HIMSS next month should visit the show's new Cyber Security Command Center, a nice complement to the Interoperability Showcase, to quiz their cybersecurity knowledge. Even once we know what caused the Anthem breach, security is going to remain everyone's problem for a long time to come.

Scott Mace is the former senior technology editor for HealthLeaders Media. He is now the senior editor, custom content at H3.Group.
