The Anthem breach: Lessons for radiology?


Last week health insurer Anthem announced that hackers had accessed a database containing the personal information of up to 80 million people.

The insurer reported that the breach exposed names, birthdays, addresses and social security numbers and that it’s likely that tens of millions of records were stolen. Anthem isn’t sure how the breach occurred, but said it was the target of a “very sophisticated external cyberattack.”

It likely is the largest data breach ever disclosed by a healthcare company, but does it have implications for radiology practice?

Radiology practices certainly haven’t been immune to data breaches. In fact, one of the larger data breaches was reported by Seacoast Radiology in Rochester, N.H. in 2010. In that case, gamers looking for increased bandwidth to play a computer game accessed a server storing the protected information of more than 200,000 of Seacoast’s patients.

Now that the Anthem breach has been reported, cybercriminals have launched “phishing” campaigns in an attempt to lure affected individuals to reveal their personal information. As reported in this blog from the Federal Trade Commission, phony emails designed to look as if they come from Anthem are asking recipients to click on a link to get free credit monitoring or credit card protection.
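The follow-on phishing pattern described above (a message that claims to be from Anthem, dangles free credit monitoring, and links somewhere other than the insurer) is the kind of thing a practice's mail filter or help desk can screen for mechanically. The following is an added illustration, not tooling from Anthem, the FTC or any practice quoted here: it scores a message on three indicators, a display name that claims the brand while the sender domain is not the brand's, link text that names the brand while the href points elsewhere, and the lure phrases the FTC post mentions. The two sample messages, the `LEGIT_DOMAINS` set and every domain and URL in them are constructed placeholders.

```python
"""Flag brand-impersonation e-mails of the kind sent after the Anthem breach.

Added example; not code from Anthem, the FTC or any radiology practice.
All sender addresses, domains and URLs below are constructed placeholders.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List, Tuple

# Assumption for this example: domains the impersonated brand really sends from.
LEGIT_DOMAINS = {"anthem.com"}
# Lure wording taken from the FTC description of the campaign.
LURE_PHRASES = ("free credit monitoring", "credit card protection")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr_or_url: str) -> str:
    """Domain part of 'Name <user@host>' or of 'scheme://host/path'."""
    m = re.search(r"@([\w.-]+)|://([\w.-]+)", addr_or_url)
    return (m.group(1) or m.group(2)).lower() if m else ""


def _is_legit(domain: str) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in LEGIT_DOMAINS)


def score_email(msg: Dict[str, str]) -> List[str]:
    """Return the phishing indicators found in one message (empty list = clean)."""
    reasons: List[str] = []
    sender = msg["from"]
    display_name = sender.split("<")[0].lower()
    sender_domain = _domain(sender)

    # 1. Display name claims the brand, but the address is on some other domain.
    if "anthem" in display_name and not _is_legit(sender_domain):
        reasons.append(f"display name claims Anthem, sender domain is {sender_domain}")

    # 2. Visible link text names the brand while the href goes elsewhere.
    parser = _LinkExtractor()
    parser.feed(msg["body"])
    for href, text in parser.links:
        if "anthem" in text.lower() and not _is_legit(_domain(href)):
            reasons.append(f"link text '{text}' hides href {href}")

    # 3. Lure phrases from the campaign, checked against the tag-stripped body.
    plain = re.sub(r"<[^>]+>", " ", msg["body"]).lower()
    for phrase in LURE_PHRASES:
        if phrase in plain:
            reasons.append(f"lure phrase: '{phrase}'")
    return reasons


# Constructed sample messages (not real mail).
PHISH = {
    "from": "Anthem Member Services <alerts@anthem-secure-notice.example>",
    "body": '<p>Click <a href="http://anthem-secure-notice.example/enroll">'
            "www.anthem.com/creditmonitoring</a> to get free credit monitoring.</p>",
}
LEGIT = {
    "from": "Anthem <noreply@anthem.com>",
    "body": '<p>Your statement is available at <a href="https://www.anthem.com/">anthem.com</a>.</p>',
}

if __name__ == "__main__":
    for label, msg in (("phish", PHISH), ("legit", LEGIT)):
        print(label, score_email(msg) or "no indicators")
```

The three checks are deliberately independent, so a message that trips only one (for example a legitimate reseller mentioning credit monitoring) can be routed for review rather than dropped; a practice would tune `LEGIT_DOMAINS` to the senders it actually deals with.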

“I think everyone in the healthcare space is absolutely a target right now,” said David Kennedy, founder and CEO of TrustedSec. “Attackers [have a] few different motives—if it’s state sponsored (or more government centric hacking)—a radiology organization may be attacked based on the data or research they are performing. For underground hackers, most specifically on the medical fraud piece, any type of information around medical records and/or personally identifiable information is highly beneficial to be sold.” 

Physician practices have been “pretty lax over the years when it comes to issues of security,” said Joe Moore, chief information officer at Radiology Consultants of Iowa. “There’s no question about that.” The Anthem breach may get some of these practices to sit up and take notice about security issues, Moore said, but reacting to threats after they’ve occurred “isn’t a model you can operate under these days.”

As for the specifics of the Anthem breach, Moore said that he’d like to know more about how the breach occurred. As a moderately-sized practice with 36 radiologists, “we may not be as vulnerable or as juicy a target as Anthem because we don’t have their volume of data,” he said. “But we have to take what happened to them very seriously.” So that’s why it’s important, he added, to understand exactly what happened to Anthem to assess whether his practice has any underlying vulnerabilities that need to be addressed.

What is critical, Moore said, is to have an ongoing program in place regarding security and privacy issues, and to be committed as an organization to ensuring that these issues are a priority.

“We spend money on our quality infrastructure, whether it’s on our network switches, firewalls or security,” he said. “We side with quality rather than strictly maximizing revenue.”

And that’s important, because the consequences of a breach can be significant. “I’m quite interested to see what will be the fallout for [Anthem],” Moore said. “That’s a huge number of patients that had their information compromised.”