Data breaches have become commonplace in our ever-connected world. However, there’s one industry that seems to have been hit the hardest when it comes to cyber attacks and data scares: the healthcare industry. In the course of only a few years, tens of millions of people with information in healthcare databases have fallen victim to data theft in some of the country’s biggest healthcare data breaches ever.
While your business probably doesn’t contain data that will put half the nation at risk, the mistakes the healthcare industry made are no different than the mistakes a business like yours can make when it comes to technology and security. Take some time to learn from several small mistakes that nearly took down some industry giants.
When it was announced in September 2015 that hackers had gained access to the data of 10.5 million Excellus customers and vendors, the damage had already been done. Hackers had avoided detection for over 20 months.
Lawsuits mounted against Excellus as customers worried about identity theft. Of special concern were the numerous minors Excellus kept data on, as child identity theft is much harder to detect than it would be for an adult.
What Went Wrong? Despite having nearly two years to detect the hack, Excellus officials could not say for certain what caused the breach. Third-party experts, on the other hand, attributed the data breach to a phishing scheme where a malicious party gained access to internal computer systems. This can be caused by something as a simple as a spam email.
How can you avoid falling victim to a phishing scam?
- Install anti-phishing and antivirus software
- Change your passwords for online accounts regularly
- Don’t click on unfamiliar links, especially in emails from unknown subjects
- Educate your workforce on phishing scams through HR Tech Support measures
Over 11 million customers were put at risk when hackers broke into the network of Premera Blue Cross in May 2014. However, the victims didn’t find out their data had been compromised until March 2015.
Because Premera participated in the Federal Employees Health Benefits Program, the FBI came in to investigate the millions of exposed Social Security numbers, addresses, bank accounts, and medical records.
What Went Wrong? Premera seemed to be doing everything right by participating in a security audit in April 2014, three weeks before the hack occurred. The company was given ten recommendations by auditors. However, it didn’t respond to those recommendations until June 2014…one month after hackers broke into their system. Despite this, Premera defends that the company hadn’t yet known about the hack.
All businesses should have regular audits performed by a certified IT support team. Audits help you gauge how your network is performing and pinpoint where it may be lacking. However, an audit doesn’t end with a nicely bound report. You have to take those recommendations and actually implement them.
The 2015 Anthem hack remains the biggest data breach in healthcare history. Nearly 80 million customers had their personal data put at risk. Members and non-members alike were compromised, with some victims not even knowing what Anthem was or why the company had their data in the first place.
It took about six weeks for the company to realize it had been hacked. Anthem offered security monitoring and credit checks to affected customers. However, the hack opened the door for a much larger question about our data, one GDPR is now striving to address: Should companies be allowed to hold on to data they aren’t actively using?
What Went Wrong? Although Anthem claimed the attack was “sophisticated,” security experts argued otherwise. It turned out that Anthem failed to encrypt some of the data it held. Hackers also reportedly gained access to the credentials of at least five employees through phishing schemes. Lax security, uneducated employees, and persistent hackers made for the perfect recipe for a data breach disaster.
The attack against Anthem highlights how several little mistakes can turn into one of the largest cyber scares of all time. However, just as you don’t need to be a large company to get hacked, you don’t need to be a multi-million dollar business to implement a fix. By taking the time to update your software, audit your technology, encrypt your data, and, most importantly, educate your employees on best practices, you can protect your business, your customers, and your future.