After the Anthem breach: How we can help secure health data

The Anthem breach was inevitable, once you understand what’s going on in healthcare security and technology


In the absence of context, the Anthem breach may seem baffling or inexcusable: Why would anyone steal data from a healthcare business? Why weren’t they monitoring their data more carefully?

But with a better understanding of what’s going on in healthcare security and technology right now, you can see why this was inevitable – and better still, how we can help healthcare businesses avoid such problems in the future.

Purchasing decisions from a decade ago cause headaches

There are a few things that healthcare businesses are dealing with that are beyond the regular security pains of other types of businesses. One of the biggest problems is that in many cases their computing environments are stuck in a time warp of antiquated systems and interoperability issues that make securing data incredibly difficult. Problems that the rest of us may feel were solved in the 20th century are still a problem for those in the healthcare industry.

You know how hard it can be to get approval to update that five-year-old laptop you’ve got for work? Imagine how much harder it would be if that laptop cost a million dollars to replace. Because of that, medical machines are designed to be used for over a decade. Many of them were built to use a version of Windows, which means many of them are still running Windows XP or earlier.

And the operating systems are not the only software that is often a decade out of date. As the FDA has stringent restrictions on the modification of medical devices, many companies mistakenly fear that they will run afoul of regulations if they update software on machines used for medical purposes. This fear also extends to adding new software, which means many medical machines are not running security software. Even if healthcare practitioners understand that they are permitted to update in a timely fashion, they may have proprietary software that requires legacy software to function.

If you were around in the bad old days of early word processors, you may remember the incredible gyrations that were once necessary to share documents. Forget about sharing documents between operating systems; just sharing between two different programs was difficult enough, and it was often difficult to share even between two version levels of the same program. That’s where many medical data processing programs are now. But they’re not just dealing with different programs for simple text and formatting. These programs are also likely to have data from check boxes, radio buttons and drop-down menus, which may not export neatly into text.

There have been efforts to try to standardize medical information for decades, but it hasn’t really taken hold yet. Different departments within one hospital or clinic may even have completely different standards. This gives rise to problems with sharing data and with securing it either in storage or in transit. If businesses were not able to guess correctly what the future would hold, they’re now stuck with the pain of trying to secure an environment that is very much ripe for the picking.

Criminals’ playground

In the midst of this environment full of unsecured machines, there is also a wealth of incredibly valuable data. Healthcare businesses hold not only patients’ payment card information but likely also Social Security Numbers (SSN) and medical ID numbers, as well as the usual variety of personally identifying information, including name, email and physical address, and phone number. Because of this, breaches at medical businesses are the largest and fastest growing category of data breach, accounting for over 42 percent of all breaches in 2014. And the consequences are potentially more severe: SSN theft may require vigilance for the rest of the victim’s life, as an SSN is not something that is easily replaced. Medical ID theft may lead to fraud that is potentially life threatening, as it may add errors to the victim’s medical history.

Taking action

After reading this, you may be wondering what you – a security expert – can do to help this situation. The answer is simple: Talk to people working in healthcare. For instance, attend or speak at healthcare IT conferences if you can. Or you can join a healthcare tweet chat. Read and comment on forums, sites or tweets focusing on security and privacy in healthcare. There is a huge need for security expertise in healthcare, and the desire for this information is only going to continue to grow.

I attended my first healthcare IT conference last year, HIMSS. That opened my eyes in a way I’d not experienced since my first security conferences over a decade ago. We security wonks can often get stuck in a bit of an echo chamber, attending only security-centric events. Seeing how other industries perceive security gave me a new perspective on how we can improve our approach and make a difference outside of our own comfort zone.

This article is published as part of the IDG Contributor Network.
