In the wake of the recent data breach at Anthem Healthcare, which is believed to have compromised at least 80 million healthcare records, there is a need to re-examine security measures that merely meet baseline compliance requirements, as opposed to those that have a real impact on security. "There are three changes that every healthcare institution needs to make," says Dan Munro on Forbes.com:
"The first is around the culture of security. What every healthcare institution is in the process of learning is that HIPAA “compliance” isn’t data/network-level security.
There is no such thing as being “HIPAA Certified” in cloud computing. Many hosting providers claim “HIPAA Compliance,” but they put the burden of any audits and assessments directly on their clients. The only hard evidence of best practices around security and privacy is a third-party audit that is based on HHS’ Office for Civil Rights (OCR) Audit Protocol ‒ the same audit criteria that OCR uses for its own audits. For us, this is more than just adherence to legislation; it’s a part of our company culture around protecting what we know to be our customers’ most valuable assets ‒ patient information. Mike Klein ‒ Co-CEO of Online Tech, Inc. ‒ Is Anyone Really ‘HIPAA Compliant’ In Healthcare?
The second change is in securing the data itself. Healthcare enterprises need to establish airtight policies for encrypting all data both in transit and at rest.
Right now, attackers have the advantage. They know that all they have to do is pierce the porous perimeter of a typical large enterprise and they will find millions of records stored insecurely. We need every organization to implement full encryption for data both in transit and at rest, and we need to redouble our efforts investing in new perimeter defense technologies. The traditional signature-based detection model is no longer sufficient on its own. Marc Rogers ‒ Principal Security Researcher, CloudFlare
The third big change ‒ and technically the hardest ‒ is to abandon the almost ubiquitous use of social security numbers as a customer identifier across so much of healthcare.
This breach is different from any other recent cyber attack. The previous breaches were focused on stealing credit card data for quick cash. These thieves just built a stockpile of your social security numbers and income to use as part of a longer-term strategy to steal your identity. As a cybersecurity expert, it frustrates me that companies are still using social security numbers as a customer identifier. If we want to talk about new cybersecurity laws, we should require all businesses and government organizations to simply stop using them. Theresa Payton ‒ CEO of Fortalice Solutions and former White House CIO"