Health claims data tempts cyber hackers
If 2014 was the year that cyber thieves attacked retailers, 2015 has reminded the health care industry that it is a target as well.
And the claims data that health insurers keep in their systems is in some ways more tempting to cyber hackers than the financial data collected by retailers.
The February disclosure by the nation's second-largest health insurer, Anthem Inc., that it had suffered a data breach affecting about 80 million customers and employees has convinced many experts that medical claims and billing data is the top personal information targeted by cyber criminals. In mid-March, Premera Blue Cross said a cyber attack had gained Social Security numbers and dates of birth of 11 million of its customers.
“The reality is that claims data has a lot of information that thieves find useful,” said David Lundal, Chicago-based system vice president and chief of information services for Presence Health, which has 12 hospitals and other health care facilities in the Illinois-based Catholic health system as a result of the 2011 merger of Provena Health and Resurrection Health Care.
One reason cyber thieves target medical data is that, unlike credit card numbers, Social Security numbers and dates of birth are not likely to change.
“Financial data is generally temporal and can easily be changed,” said Dena Magyar, Charlotte, North Carolina-based national practice leader at Wells Fargo Insurance Services USA Inc.'s technology, privacy and network risk practice. “However, there is great longevity to your personal health information, and that's what makes it so valuable to criminals. Thieves will hang on to Social Security numbers because they know that they become more useful the farther in time you go from the data privacy event.”
In addition to using the data to open credit cards, thieves can use stolen medical information to receive health care procedures, including expensive surgeries, experts note.
There is a perception among data thieves that health care providers are soft targets, Mr. Lundal said.
Several experts say health care providers have not been as proactive as other industries in adopting technology to battle cyber threats.
Paula Knippa, an Austin, Texas-based attorney at Slack & Davis L.L.P., is representing plaintiffs in a class action lawsuit filed against Franklin, Tennessee-based hospital operator Community Health Systems Inc., which acknowledged last June that hackers exposed 4.5 million of its patient records.
Community Health owns, operates and leases more than 200 hospitals in 29 states, according to its website.
“There is a concern that the health care industry is not taking cyber security very seriously,” Ms. Knippa said. Hackers are thought to have gained access to Community Health's data when a server intended for testing was accidentally hooked up to the Internet.
Community Health did not return calls seeking comment.
All stakeholders in the medical claims process, from providers to insurers to third-party administrators, need to reassess their approach to data security, experts say.
Ann Patterson, Washington-based senior vice president and program director at the Medical Identity Fraud Alliance, said security personnel need to move from protecting data to comply with the Health Insurance Portability and Accountability Act to a more proactive approach.
“Your primary goal may be to provide health care, but digital protection measures need to be part of the industry's psyche and fabric,” Ms. Patterson said. “We need to start building this mentality
To better secure data, companies need to assume that thieves are inside a company's firewall, said Robert Jackson, Memphis, Tennessee-based chief information security officer at Sedgwick Claims Management Services Inc.
“Security professionals really need to rethink the layers of security,” he said, noting that hackers gaining control of an administrative password is believed to have furthered the Anthem breach. “You also have to really rethink the controlling of access. Passwords are not cutting it.”
Though many technologies exist to address data security, companies should also embrace process-driven reforms such as use of two-factor authentication, Mr. Jackson said.
“The financial services industry has been using two-factor authentication for the better part of a decade,” he said. “The health care industry needs to embrace it quickly.”
Ms. Magyar agreed that a data security approach that focuses on technology at the expense of people and processes will not be effective.
“From a non-IT perspective, you can get the most bang for your buck by implementing very simple employee awareness training,” she said.
“Every person in a health care organization from the CEO on down needs to understand that they have a personal responsibility to protect data,” she said.