Whether Excellus BlueCross BlueShield learned that it had suffered a cyber attack because the organization or a contractor was looking for signs of hacking, or learned from a law enforcement agency is not clear, as the company isn’t saying much about the incident outside of formal announcements.

But Mac McMillan, CEO at the privacy, security and compliance consultancy CynergisTek, believes there is a good chance that the company was being proactive. Since Blues plans started getting hacked, word has gotten out that plans need to get their act together and do forensic analysis, he says. But he wonders to what degree other health insurers are being proactive.


What really bothers McMillan is the industry obsession, forced upon it by the federal government, with making sure that the I's are being dotted and the T's are being crossed on all the compliance requirements of HIPAA. "We're focusing on HIPAA at the expense of just improving security," he laments.

So, organizations are making sure all information systems users are ID’d and have passwords, thus complying with HIPAA, but they aren’t checking that the passwords are strong and regularly changed because the focus is on meeting compliance standards rather than what security steps and technologies need to be implemented.

Further, HIPAA still makes the use of data encryption addressable, and because of fears that encrypting data will slow operations, organizations continue to justify not encrypting. McMillan understands that IT users would be upset by reduced data processing speeds but asks a question: “Well, how upset are you when you have an 80-million record breach?” That was the approximate size of Anthem’s hack earlier this year.

In the age of cyber attacks, organizations still often find other areas of higher priority than security; McMillan recently talked to a COO who didn’t appreciate the immediate need to improve security until his organization got hit. “How is it that somebody camps out in your network for nine months, 12 months or longer, and you have no idea that they are there, then they take your data and you have no clue they did it? We’re not actively monitoring.”

Healthcare organizations need to get serious about prevention by managing and limiting access, having good firewall rules and encrypting devices and data, McMillan counsels. They need detection technology actively running on the network perimeter and also watching inside the network for anomalous communications. And they need to have procedures and appropriate remediation services in place to clean a network and recover, before an attack occurs rather than after.

Organizations also must start to segment their network because so many people are on the network these days, McMillan advises. Put critical data on segmented parts of the network that are not as accessible as the rest of the network, which gives more access control and puts the data behind another firewall.

And organizations need to start employing common sense and encrypt data at risk. Yes, there may be an impact on processing speeds. The healthcare industry must get over wanting data to be very easy to access to care for patients—those days are over, McMillan contends.

There also are no-brainer data protections not being utilized. Hospitals, physician practices and insurers have long-term storage servers and antiquated information systems lying around that still hold protected health information and are still connected to the Internet. “This is data that can and should be encrypted,” he says. “Further, outsource monitoring of login information—organizations simply can’t do it on their own because there’s just too much of it. So give the job to outside professionals with trained analysts constantly looking for warning signs 24 hours a day.”
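The "warning signs" in login information that McMillan says trained analysts should be watching for around the clock can be made concrete with a few simple rules run continuously over authentication records. The script below is an added example written for this page; it is not code from the article, from Excellus or from CynergisTek. The log format, the sample lines, the failure threshold and the business-hours window are all constructed assumptions for illustration.

```python
"""Added example: a small login-log review that flags the kinds of warning signs
an analyst monitoring login information would look for. Not code from the
article or from CynergisTek; the log format and sample lines are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: "<ISO timestamp> <user> <source ip> <SUCCESS|FAIL>"
SAMPLE_LOG = """\
2015-09-01T08:02:11 jdoe 10.1.4.22 SUCCESS
2015-09-01T08:15:40 asmith 10.1.4.31 SUCCESS
2015-09-02T09:01:05 jdoe 10.1.4.22 SUCCESS
2015-09-03T02:10:01 asmith 203.0.113.7 FAIL
2015-09-03T02:10:03 asmith 203.0.113.7 FAIL
2015-09-03T02:10:05 asmith 203.0.113.7 FAIL
2015-09-03T02:10:07 asmith 203.0.113.7 FAIL
2015-09-03T02:10:09 asmith 203.0.113.7 FAIL
2015-09-03T02:10:12 asmith 203.0.113.7 SUCCESS
2015-09-03T10:30:00 jdoe 10.1.4.22 SUCCESS
"""

FAIL_THRESHOLD = 5            # assumed: failures before a success is a warning sign
BUSINESS_HOURS = range(7, 20)  # assumed: 07:00-19:59 local; anything else is off hours


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, user, ip, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
            "ok": result == "SUCCESS"}


def find_warning_signs(log_text):
    """Return a list of (timestamp, user, reason) for events worth an analyst's eye.

    Three rules, each the kind a monitoring team would run continuously rather
    than as a one-off audit:
      1. a success from a source that just produced >= FAIL_THRESHOLD failures
         for the same user (password guessing that finally worked);
      2. a success from a source address this user has never logged in from;
      3. a success outside business hours.
    Earlier lines establish what is normal for each user, so first-seen
    addresses are learned from the log itself rather than hard-coded.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    seen_ips = defaultdict(set)      # user -> source addresses already seen
    fail_streak = defaultdict(int)   # (user, ip) -> consecutive failures so far
    findings = []
    for e in events:
        key = (e["user"], e["ip"])
        if not e["ok"]:
            fail_streak[key] += 1
            continue
        reasons = []
        if fail_streak[key] >= FAIL_THRESHOLD:
            reasons.append(f"success after {fail_streak[key]} failures")
        # A user's very first login is not flagged; there is no baseline yet.
        if seen_ips[e["user"]] and e["ip"] not in seen_ips[e["user"]]:
            reasons.append("first login from new source address")
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("login outside business hours")
        for r in reasons:
            findings.append((e["ts"].isoformat(), e["user"], r))
        fail_streak[key] = 0
        seen_ips[e["user"]].add(e["ip"])
    return findings


if __name__ == "__main__":
    for ts, user, reason in find_warning_signs(SAMPLE_LOG):
        print(f"{ts} {user}: {reason}")
```

On the constructed sample, only the `asmith` success at 02:10:12 trips the rules, and it trips all three at once: it follows five failures, comes from an address the account has never used, and happens in the middle of the night. Any one of these alone is a reason to look; together they are the sort of signal that goes unnoticed when nobody is watching the logs.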
