Risk Management Lessons from Anthem Hack
What Healthcare Organizations Can Learn from Breach
The recent cyber-attack against health insurer Anthem Inc., which exposed a database that reportedly contained information on as many as 80 million individuals, is a "call to action" for the healthcare sector to adopt a much more sophisticated approach to risk management, says security expert Lisa Gallagher.
Healthcare organizations need to have "a very near-term focus on understanding this cyberthreat that we're facing, and the kinds of things needed to address it," says Gallagher, vice president of technology solutions at the Healthcare Information and Management Systems Society.
That heightened focus requires taking critical measures, including sharing cyberthreat information with healthcare sector peers as well as government agencies, Gallagher says in an interview with Information Security Media Group.
"This is something that we have to focus on every day, so that you don't just do a risk analysis and be done," she says. "[Rather] you're monitoring for risks and threats every day. That's part of what we have to do to protect the data assets that we have. It's really time to come together to have an approach to deal with cyberthreats across the industry."
Gallagher stresses that healthcare organizations "need to get to the next level of sophistication in the types of analysis we do, such as ongoing security risk assessments; deploying network monitoring and detection tools; and conducting fuller forensics analysis, including post-risk analysis on any kind of breach." It's also critical "to understand the threat actors, their motivation, and what they're after, why, and how to protect against that," she says.
The bottom line: "This is a call to action for a whole new paradigm to face the cybersecurity risk that we're facing," Gallagher says.
In the interview, she also discusses:
- Why the healthcare sector is becoming a bigger target for hackers;
- The use of encryption and other safeguards to protect health data stored in databases - Anthem has reportedly said data in its hacked database was not encrypted;
- Advice for consumers affected by the Anthem breach.
Before becoming HIMSS' vice president of technology solutions, Gallagher was the association's senior director for privacy and security. In her current role, she is responsible for HIMSS' efforts in business and financial systems; privacy and security; cloud computing; identity management; and other technology areas. She's also a member of the Health IT Standards Committee, which advises the Office of the National Coordinator for Health IT.