As news of Anthems massive hack from last week settled in, health IT and security experts further weighed in on the charged discussions surrounding healthcare cyber security and whether Anthem was adequately prepared for the attack. <\/p>\n
It was quickly noted in security circles that the insurer had failed to encrypt its data on some 80 million customers and employees who had their names, Social Security numbers, addresses and other information stolen. <\/p>\n
On the surface, that might be cause to criticize Anthem, but several prominent voices came to its defense. Fred Trotter, a noted health IT journalist, had this take today: <\/p>\n
Anthem was right, and the Internet is wrong. Or at least, Anthem should be presumed innocent on the issue. More importantly, by creating buzz around this issue, reporters are missing the real story: that multinational hacking forces are targeting large healthcare institutions. <\/p>\n
Anthem itself put out several statements from experts who weighed in with similar thoughts. <\/p>\n
I have no doubt that Anthem has a fairly sophisticated security organization. This basically proves that it doesnt matter how big you are or how much money you spend, and how diligent you are at protecting your data, you can still have an incident, Mac McMillan, a healthcare security expert and founder of CynergisTek, told Modern Healthcare. Everybody could have a breach. <\/p>\n
Trotter goes on to say encryption is not always helpful, and the initial focus by reporters on that element misses a larger point. <\/p>\n
They presume that encrypted records are always more secure than encrypted records, which is simplistic and untrue.Encryption is a mechanism that ensures that data is useless without a key, much in the same way that your car is made useless without a car key. Given this analogy, what has apparently happened to Anthem is the security equivalent to a car-jacking. <\/p>\n
Other experts pointed out that the use of Social Security numbers is an antiquated and insecure in a digital age. Whether the healthcare and insurance industries act on that notion, and perhaps develop a new type of ID mechanism for health records, remains to be seen, but its certainly an intriguing idea. <\/p>\n
But, as Trotter note, theres the matter of accessibility under HIPAA, and Robert Neivert, COO of consumer privacy company Private Me, similarly noted that convenience and security have yet to reach an ideal balance when it comes to healthcare data. <\/p>\n
<\/p>\n