News Feature | March 31, 2015

Discussing The Premera Data Breach With Your Health IT Clients

By Megan Williams, contributing writer

Discussing The Premera Data Breach With Your Health IT Clients

Your clients pay attention to news of data breaches, but getting them to take appropriate action can be a difficult conversation.

The Premera Breach

As was expected this year, healthcare data breaches have rolled in steadily, with Premera Blue Cross being the most recent in a series of cyberattacks focused on medical organizations.

Premera announced on March 17 that it had been the victim of an attack that possibly exposed the medical and financial information of 11 million customers. The vulnerable information included bank account numbers, Social Security numbers, clinical information, dates of birth, and other data, in an attack that began back in May 2014.

According to the New York Times, the majority of the affected customers were residents of Washington State, with the remaining scattered across the rest of the United States.

Advice On Moving Forward addressed questions around responding to an environment where breaches are common in an article by Paddy Padmanabhan of Damo Consulting, Inc.

The article highlights the ironic state of spending in health IT, explaining that while the health sector is particularly vulnerable, spending on IT is respectively low for the industry, with thinly-stretched healthcare CIOs following the common actions of outsourcing IT functions offshore, laying off staff, and postponing IT asset refreshes.

Padmanabhan stresses the dangers of that last practice, and emphasizes the fact that the problem is further compounded by the dual issues of a drastic explosion of data in the industry, and the inherent threat to patient safety that comes with breach vulnerability.

To address these issues, he urges three courses of action:

  1. Explore The Cloud. The cloud can be an affordable answer to healthcare CEOs’ and CIOs’ budgetary constraints. New applications such as analytics can be deployed via the cloud, so that organizations can take advantage of offerings by service providers that have the robust infrastructures needed to protect against cyber attacks. (Access information on advanced cloud topics)
  2. Respect The CISO (chief information security officer). CISO’s are generally considered part of the CIO organization, but their jobs encompass more than that. Information security reaches into the worlds of administrative functions and physical safeguards, and the role of the CISO should reflect that.
  3. Consider Data Monetization Options. With the advent of healthcare analytics comes a willingness to pay for valuable data. Payments received for the sale of data (handled with proper checks and controls of course) can offset necessary additional investment in IT security.

For further insight into keeping healthcare data safe, read “Five Prescriptions To Stop Healthcare Disasters.”