“I read the news today, oh boy.” John Lennon and Paul McCartney could not have imagined how their iconic lyric from their song “A Day in the Life” would resonate in the healthcare security field after the Premera Blue Cross data breach brought the number of patients affected by cyber attacks (at least those of which we know) into almost nine figures. The Anthem breach affected an estimated 80 million subscribers and the attack on Community Health Systems resulted in the release of information of an estimated 4.5 million subscribers. Each week, it seems, brings tales of woe to those who hold their medical information to be the most private of all data (that, of course, would be most of us).
The themes of these healthcare breaches strike familiar chords: No medical treatment records were released, though a great deal of personal information was accessed including, in the Premera attack, bank information. Each attack is believed to have been perpetrated by attackers with ties to China (though this has not been conclusively established). And in each case the breach was not discovered until months after the attackers were in the systems, and not disclosed until months after the discovery. The attack on Premera is believed to have occurred in May of 2014 but not discovered until January of 2015, and not disclosed until March 17, 2015.
There are, then, two identical though perhaps dissonant chords that may prove to be a clarion call for enhanced government action. First, one must ask how effective and current these health plans’ malware detection and prevention software was if the intruders managed to stay in their networks for months without being located and removed. Second, why did it take an additional period of months to notify government and subscribers? It’s possible that there was a need to lock down the systems before anything was made public, but that rationale may ring hollow to subscribers concerned about the risks of identity theft and other consequences of the breaches.
In financial services, the SEC and the New York Division of Financial Services have begun audits and examinations that ask, among other things, the level of malware detection and prevention, and the result of the most recent vulnerability assessments. Auditors with similar questions from the U.S. Department of Health and Human Services, or a state’s Department of Health or Attorney General, will undoubtedly visit a health plan near you shortly. Maybe then healthcare plan subscribers (almost all of us, as per the Affordable Care Act), won’t dread to read the news in the morning.
For more information on cyberattack prevention and response, please call Kenneth N. Rashbaum.