The March 17 announcement of a cyberattack at Premera Blue Cross that could impact as many as 11 million people would come as no surprise to the healthcare security officers who participated in a roundtable discussion earlier in the day at the National HIPAA Summit in Washington, D.C.
Gregory Barnes, chief information security officer at Horizon Blue Cross Blue Shield of New Jersey, said defense against such attacks required more collaboration. “One of the things we in the healthcare space may have failed to do in the past is actively collaborate in common defense. We have just started to do it with the national healthcare ISAC (information sharing and analysis center),” he said.
Barnes said cyberattacks like Anthem’s and now Premera’s are a wakeup call for the nation. “We are just realizing we have been at war for five years and didn’t know it.”
Mark Combs, assistant vice president and assistant chief information officer at West Virginia United Health System Inc. and former chief information security officer at West Virginia University Hospitals, agreed that collaboration is important in response to sophisticated attacks. But he stressed the need to improve in-house defenses and culture. “We have to do a better job of auditing and reviewing logs, educating staff, and reviewing policies and procedures,” he said. “It is about creating a culture, starting with policies as the floor and foundation. We have to set the expectations and train on those. We have to make sure legal, human resources, privacy and security are part of the team. Then you do risk assessments and create an iterative process and feedback loop, and keep building on top of that. That was how our program was built.”
Kathy Jobes, chief information security officer, at Sentara Healthcare and former enterprise information security officer at Bon Secours Health System, said Sentara has embarked on is train-the-trainer program. “We have gone to facility-level leadership to empower them to deliver the message, so that it is not always security or compliance saying it,” she said. “We started by enlisting the support of physicians to train other physicians, and it was successful.”
Dennis Schmidt, director of the Office of Information Systems and HIPAA security officer in the School of Medicine at the University of North Carolina at Chapel Hill, said he has to worry about criminals targeting intellectual property as well as medical and financial data. He said his organization recently dealt with a targeted spear phishing attempt. The message came from the address of a real person in Australia and was targeted at a specific researcher. It asked him to give permission to share his work by clicking a button. But he found it suspicious. When they investigated, they found it actually redirected to a page in India. The spear phishers were trying to steal the researcher's log-in and credentials.
Schmidt said his organization also has had to deal with breaches that made the news. “In almost every case it involved old data that people weren’t using anymore but that had Social Security numbers in it,” he said, adding that UNC is in the process of using an application called Identity Finder on every bit of storage on campus, starting with end points first.
Horizon Blue Cross Blue Shield of New Jersey’s Barnes reiterated that the most pressing concern for health systems is their own people. “For James Carville and Bill Clinton, the saying was, ‘it’s the economy, stupid.’ For us, it is the people, stupid. They are important to our defense and protection.”
