Last week's data breach of 80 million records at Anthem offers further proof that we live in the age of the data breach. This latest occurrence, one of the largest in the past 12 months, underscores the lack of security measures in healthcare and the need for mandatory standards.
The customer records at the second-largest health insurer weren't encrypted, resulting in the theft of names, birthdays, medical IDs, Social Security numbers, home addresses, email addresses, and employment information including income. While the Anthem breach likely weakens consumer confidence, it also uncovers a systemic problem in the healthcare space: insurers aren't required to encrypt their consumer data.
Many companies in the space still rely on standards set by 1990s-era HIPAA, which encourages encryption but doesn't require it. As the medical industry ramps up the practice of sharing medical records, the latest attack could further erode consumer confidence.
Late Friday, the Senate Health, Education, Labor, and Pensions committee said it's planning to examine encryption requirements as part of a bipartisan review of health information security.
But while encryption is one important measure, so is the need to rely less on Social Security numbers. As Gartner Distinguished Analyst Avivah Litan highlights in this blog, healthcare needs surrogate values (tokens) for Social Security numbers, so that the SSNs themselves are not required to uniquely identify people for all the myriad purposes for which health insurers use them.
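One way to realise the surrogate-value idea Litan describes, as an added Python example that is not code from the original post, from Gartner or from any insurer: a tokenization vault that mints random tokens for SSNs so that every other system can identify a member by token alone. The vault class, the allowed-purpose list, the index key and the sample SSNs are constructed for illustration.

```python
import hashlib
import hmac
import re
import secrets

# Constructed example: the only purposes allowed to recover a real SSN. Everything
# else (claims matching, member lookup, analytics) works on the token alone.
ALLOWED_DETOKENIZE_PURPOSES = {"tax-reporting", "identity-verification"}

def normalize_ssn(ssn: str) -> str:
    """Strip separators and require exactly nine digits (a shape check only)."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    return digits

class SsnTokenVault:
    """Isolated mapping between random surrogate tokens and real SSNs.
    Only the vault holds SSNs; every other system stores the token. Because the
    token is random, not derived from the SSN, a breach of a token-holding system
    exposes no SSNs (in production the vault itself is also encrypted at rest)."""

    def __init__(self, index_key: bytes) -> None:
        # A plain hash of a nine-digit SSN can be brute-forced over the whole 10^9
        # space, so the lookup index is an HMAC under a key known only to the vault.
        self._index_key = index_key
        self._token_by_index: dict[str, str] = {}
        self._ssn_by_token: dict[str, str] = {}

    def _index(self, ssn: str) -> str:
        return hmac.new(self._index_key, ssn.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, ssn: str) -> str:
        """Return the token for this SSN, minting a random one on first sight.
        The same SSN always maps to the same token, so the token still uniquely
        identifies a member across systems without any of them holding the SSN."""
        ssn = normalize_ssn(ssn)
        idx = self._index(ssn)
        token = self._token_by_index.get(idx)
        if token is None:
            token = "SSN-TOK-" + secrets.token_hex(12)
            self._token_by_index[idx] = token
            self._ssn_by_token[token] = ssn
        return token

    def detokenize(self, token: str, purpose: str) -> str:
        """Recover the SSN only for an explicitly allowed business purpose."""
        if purpose not in ALLOWED_DETOKENIZE_PURPOSES:
            raise PermissionError(f"detokenization not allowed for {purpose!r}")
        return self._ssn_by_token[token]
```

Downstream records that previously carried the SSN store the token instead; only calls into the vault with an allowed purpose, which can be logged and alerted on, ever see the real number.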
Litan points to Visa and MasterCard, which developed a good tokenization standard for credit cards that Apple Pay is the first to use. Other experts say healthcare must take a cue from online banking, which has adopted closed-network systems.
Whatever the solution may be, healthcare providers can no longer count on defending themselves with tools like firewalls and antivirus software. Unfortunately, many healthcare companies face "compliance fatigue." Once they have met their regulatory requirements, they tend to take an ad-hoc approach to other critical areas that can cause real damage if not protected.