It didn’t take long – just over a week and the lawyers are already in on the action, assisting victims of the Anthem (Anthem.com) health care breach earlier this month. Healthcare is recognized as a prime target, as 44% of all registered data breaches in 2013 targeted medical care companies. Healthcare data is high risk, since medical records contain a number of personal identifiers that can be used to obtain pharmaceuticals, and even medical care for those who would be otherwise ineligible. Cyber criminals are after patients’ identities, payment information, and even data from medical monitoring devices.
With 80 million healthcare user records compromised in the Anthem breach, government officials are considering whether HIPAA compliance should require encryption. However, encryption alone may not have prevented this attack, and many organizations are now re-evaluating their security policies and strategies.
Environments at Risk
While the Anthem breach likely occurred within the company's on-premises infrastructure, 83% of healthcare organizations currently use some cloud services, so cloud and hybrid environments are potentially at risk as well. While the precise cause of the Anthem attack has yet to be disclosed, the considerable employee access to sensitive data may have contributed to the extent of the breach.
The cloud has long suffered from the stigma that it is less secure than onsite data centers. However, just because you can walk around your data center does not mean that your servers are more protected. In fact, the larger number of personnel with physical access to onsite servers can in itself represent an increased risk. As the Anthem (Anthem.com) incident has shown, safeguarding data depends more upon access protocols and testable firewalls than on the physical location of the data.
Best Practices for Healthcare IT
So how can healthcare organizations protect themselves from internal and external attacks? Best practices for cloud, hybrid and on-premises environments involve protecting both the data and access to the data. Proven encryption technologies should be used to protect sensitive personal and medical data at rest and in transit.
Encrypting the data is just part of the process; the next step is to ensure that only those who should be accessing the data are able to reach it. A correct access management policy differentiates between groups of users to demarcate who can gain access to the various system components. Strong access management requires two-factor authentication (2FA), which adds a second level of authentication beyond the basic username and password to protect against identity theft. In addition, accurate logging and alerts assist in uncovering security issues and patterns.
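As an added illustration of the access-management, 2FA and logging practices described above (not code from the original post or from 40Cloud), the following Python gate checks a group-based policy, verifies an RFC 6238 one-time code as the second factor, logs every decision, and raises an alert when one account reads an unusually large number of patients. The groups, components, threshold and enrolled secrets are constructed assumptions.

```python
import hashlib, hmac, struct
from dataclasses import dataclass, field

# Group -> components that group may reach (constructed least-privilege policy).
POLICY = {
    "clinician": {"medical_record"},
    "billing": {"payment_info"},
    "support": set(),  # helpdesk staff reach no patient data at all
}
ALERT_THRESHOLD = 50  # distinct patients read by one user before an alert fires
TOTP_STEP = 30  # seconds per RFC 6238 time step


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226/6238 one-time code: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_valid(secret: bytes, code: str, now: int) -> bool:
    """Accept the current time step or its neighbours to tolerate clock drift."""
    step = now // TOTP_STEP
    return any(hmac.compare_digest(totp(secret, step + d), code)
               for d in (-1, 0, 1) if step + d >= 0)


@dataclass
class AccessGate:
    secrets: dict  # user -> enrolled TOTP secret (constructed)
    audit_log: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    def request(self, user, group, component, patient_id, code, now):
        """Allow only policy-permitted, 2FA-verified access; log every decision."""
        allowed = (component in POLICY.get(group, set())
                   and user in self.secrets
                   and totp_valid(self.secrets[user], code, now))
        self.audit_log.append((now, user, group, component, patient_id, allowed))
        if allowed:
            self._check_pattern(user)
        return allowed

    def _check_pattern(self, user):
        """Flag an account that has read far more patients than a normal workflow needs."""
        seen = {p for (_, u, _, _, p, ok) in self.audit_log if u == user and ok}
        if len(seen) >= ALERT_THRESHOLD and user not in self.alerts:
            self.alerts.append(user)
```

The alert fires even though each individual read was permitted, which is the kind of pattern that plain access control misses and logging makes visible.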
At 40Cloud we understand that security and compliance are at the top of the list for healthcare service providers. Our HIPAA-compliant, scalable solution unites and encrypts bi-directional data transfer between facilities and devices, integrates identity and access management, and allows automation of security and network configurations.