Anthem Attack Could Have Been Avoided
80 million consumers are at risk because Anthem did not fully protect their personal data. Anthem was just the latest in a long list of companies hacked by cyber criminals. Full encryption of data during export and while being stored would have severely limited the HIPAA-protected information hackers could access.
Anthem spokeswoman Kristin Binns told the Associated Press, “The hacker had a system administrator's ID and password, which would have made encryption a moot point.” She went on to add that the company normally encrypts data that is exported.
Both statements raise many questions. First, encryption done properly is never a "moot" point. It is vital to encrypt all data that contains sensitive personal health information. In 2015, when encryption is so easy and inexpensive to provide, there should never be a question of whether a company will encrypt data. Organizations that are still on the fence need to lock their systems down now!
Second, Anthem does encrypt exported data. But what about when the data is being stored? Companies often provide only minimal protection, the kind that merely conveys "move on, nothing to see here," hoping the hackers will simply pass them by.
This security plan is like giving a hacker a key to a gigantic shopping mall. The key gives the hacker access to every single store, bypassing their additional locks and alarm systems. The hacker can basically rob the entire mall blind while everyone is sleeping.
A September 2014 Forrester research report stated that just over half of healthcare employees (59 percent) use full-disk encryption or file-level encryption on computing devices at work. With such slow adoption of these security practices by the healthcare industry, federal officials are now reviewing whether HIPAA laws should include encryption requirements.
MEDIPROCITY encrypts all data at all times: in transit, at rest, and on all mobile devices. If our customers suffer a cyber security breach, they can say that all of their data was fully protected rather than explain to regulators, lawyers and the public that they “thought” they were secure.
So the question is, what does your organization do when it comes to securing communication in the office and on mobile devices? Is your company next in line to be hacked? What will you say to your customers when their Social Security numbers, financial records and personal information are used to hijack their lives?
Protect your company and your customers.