FBI warned health care providers 10 months before Anthem cyber attack
Industry unprepared for even basic cyber threats
Thomas Hargrove, Scripps News
1:26 PM, Feb 10, 2015
3:41 PM, Feb 10, 2015
WASHINGTON, D.C. - An FBI alert 10 months ago warning private health insurance and health care providers that they were particularly vulnerable to cyber thieves proved prophetic last week when Indianapolis-based Anthem Inc. announced that a cyber attack had compromised the records of 80 million clients.
The attack was described as the largest privacy breach ever reported by a health industry group. The FBI’s message last year noted that health industry cyber security lagged behind that of the financial and retail industries.
“The health care industry is not technically prepared to combat against cyber criminals’ basic cyber intrusion tactics, techniques and procedures, much less against more advanced persistent threats,” the bureau warned.
“The biggest vulnerability was the perception of IT health care professionals’ beliefs that their current perimeter defenses and compliance strategies were working.”
Even last year, it was obvious that the health industry was under significant threat from cyber thieves. A 2013 study by Ponemon Institute found that 63 percent of health care organizations surveyed reported at least one data breach in the past two years, and 45 percent admitted that their organizations had not implemented security measures to protect patient information.
The FBI warned that cyber thieves would find health records an inviting target with a new federal law mandating that doctors, hospitals and insurance companies transition from paper to electronic health records. The law went into effect last month. The bureau also said that since there is “a higher financial payout for medical records on the black market,” the “cyber actors will likely increase cyber intrusions against health care systems.”
Anthem’s records included clients’ full names, mailing addresses, e-mail addresses, birth dates and Social Security numbers – information that hackers can use to commit a host of identity theft crimes.
But experts warn that just about anyone with medical records should be mindful of the risk of identity theft. Nationwide, about 48 percent of Americans are covered by private health insurance provided by their employers. Another 6 percent pay for their own private insurance.
A third of Americans get their health care coverage through Medicare, Medicaid or other government programs. So far, these records appear to be at reduced risk since few major breaches have been announced.
Cyber security experts warn that Americans should be much more aggressive in changing online passwords, doing so periodically, and should monitor their credit reports. Monitoring services are available through the three national credit bureaus and, sometimes, are available from banks or other financial institutions. Anthem said it is offering such services to its customers.