Last week, the nation’s second-largest health insurer, Anthem Inc., became the latest target of a healthcare security breach. It is the largest healthcare breach to date: the attackers stole the Social Security numbers of roughly 80 million Anthem customers, the company’s own CEO among them.
“Anthem was the target of a very sophisticated external cyber attack,” Anthem president and CEO Joseph Swedish said in a statement posted on a website the company created for information about the incident. “The hackers gained access to Anthem’s computer system and got information including names, birthdays, medical IDs, Social Security numbers, street addresses, e-mail addresses and employment information, including income data.”
Companies often choose not to encrypt customer data because the extra controls can slow down day-to-day operations and, potentially, the company’s bottom line. Randomly generated passcodes, encrypting stored data rather than keeping it in the clear, and restricting access from outside the office would all reduce the risk of a data leak, but the fear of slowing down seems to outweigh the fear of a breach. That is a dangerous bet when the stakes are, as in Anthem’s case, 80 million stolen records.
“Anthem’s initial response in promptly notifying the FBI after observing suspicious network activity is a model for other companies and organizations facing similar circumstances. Speed matters when notifying law enforcement of an intrusion, as cyber criminals can quickly destroy critical evidence needed to identify those responsible.”
Speed matters when it comes to damage control, yes, but why run that race at all when you can avoid it altogether by protecting your data up front? The “speed matters” philosophy says nothing about the time and money a breach consumes, and recovering from lost data is very expensive.
The Ponemon Institute and Symantec 2014 Data Breach Study puts the direct cost of a lost record at about $201. To put that into perspective, a small, one-location business that handles 6,000 unique customer records a year (one per transaction) faces an exposure of about $1,206,000. It is staggering to think how quickly those numbers multiply for breached companies with far more customers and transactions. Cost variables such as forensic examination, third-party notifications, credit and identity monitoring, and others add up fast and can close a business’s doors quickly.
Luckily, no credit card information was obtained in Anthem’s breach, but it is highly unlikely that its customers feel safe from identity theft. A 2014 study conducted by the Harris Institute and sponsored by Cintas Corp. found that two-thirds of U.S. adults would not return to a business if their personal information were stolen. In addition, when asked which types of organizations they would stop doing business with if their personal information were compromised, 35% said they would not return to their hospital.
It makes no sense for companies to skip encryption so that they can run in high gear, and then, once breached, run in an even higher gear trying to fix what could have been prevented. The healthcare industry knows this is not an effective strategy, and securing patient data continues to top its priority list. Bluefin understands the importance of strengthening cyber security at every point in the network, and firmly believes that encryption is the key to prevention.
Bluefin specializes in point-to-point encryption (P2PE) for the healthcare industry. Validated by the PCI Security Standards Council, Bluefin’s P2PE suite of solutions ensures that credit card information is encrypted at the Point of Interaction (POI), so that it cannot be read or decrypted at any point within the merchant’s network. Bluefin is working on applying the same technology to data outside of payments, including data found in medical records. Hackers are always looking for the next target, so do we really want to gamble with our healthcare data? We don’t think so.
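The property the paragraph above describes, that card data is encrypted inside the POI device and stays ciphertext everywhere on the merchant's network, can be shown with a small simulation. The following is an added example, not Bluefin's code or a description of its product: it models three parties (the POI reader, the merchant's POS host, and the processor's decryption environment) and uses HMAC-SHA256 from the Python standard library as a software stand-in for the hardware AES and DUKPT key management a real PCI-validated reader uses. The device ID, the base derivation key, and the test card number 4111111111111111 are all constructed for the example.

```python
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a PRF-based stream cipher standing in for
    the AES a real POI device runs in tamper-resistant hardware."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> dict:
    """Encrypt, then authenticate nonce||ciphertext, so any change made on the
    merchant network is caught in the decryption environment."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def verify_then_decrypt(enc_key: bytes, mac_key: bytes, blob: dict) -> bytes:
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise ValueError("authentication failed: ciphertext was altered in transit")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def derive_device_keys(bdk: bytes, device_id: str) -> tuple:
    """Key injection (simplified from DUKPT): per-device keys are derived from
    the processor's base derivation key. Only the derived keys go into the
    reader; the BDK itself never leaves the decryption environment."""
    enc = hmac.new(bdk, device_id.encode() + b"|enc", hashlib.sha256).digest()
    mac = hmac.new(bdk, device_id.encode() + b"|mac", hashlib.sha256).digest()
    return enc, mac


class PoiDevice:
    """Secure card reader: encrypts track data the moment it is read."""

    def __init__(self, device_id: str, enc_key: bytes, mac_key: bytes):
        self.device_id, self._enc_key, self._mac_key = device_id, enc_key, mac_key

    def read_card(self, pan: str, expiry: str) -> dict:
        track = json.dumps({"pan": pan, "exp": expiry}).encode()
        blob = encrypt_then_mac(self._enc_key, self._mac_key, track)
        blob["device_id"] = self.device_id
        blob["masked_pan"] = "*" * (len(pan) - 4) + pan[-4:]  # all the merchant sees in clear
        return blob


class MerchantPos:
    """Merchant-side POS/host: logs and forwards the blob, holds no key."""

    def __init__(self):
        self.log = []

    def forward(self, blob: dict) -> dict:
        self.log.append(blob)
        return blob


class DecryptionEnvironment:
    """Processor-side HSM equivalent: the only place the BDK exists."""

    def __init__(self, bdk: bytes):
        self._bdk = bdk

    def decrypt(self, blob: dict) -> dict:
        enc_key, mac_key = derive_device_keys(self._bdk, blob["device_id"])
        return json.loads(verify_then_decrypt(enc_key, mac_key, blob))


def merchant_host_exposes_pan(pos: MerchantPos, pan: str) -> bool:
    """What an attacker who dumps the merchant host's stored data would find."""
    return any(pan in json.dumps(entry) for entry in pos.log)


def run_transaction(bdk: bytes, pan: str = "4111111111111111", expiry: str = "12/27"):
    """End-to-end flow; returns (decrypted record, PAN visible on merchant host, masked PAN).
    Constructed inputs: device ID "POI-0001", the standard test PAN, caller-chosen BDK."""
    poi = PoiDevice("POI-0001", *derive_device_keys(bdk, "POI-0001"))
    pos, processor = MerchantPos(), DecryptionEnvironment(bdk)
    blob = pos.forward(poi.read_card(pan, expiry))
    return processor.decrypt(blob), merchant_host_exposes_pan(pos, pan), blob["masked_pan"]


def tampered_blob_is_rejected(bdk: bytes) -> bool:
    """A blob modified while crossing the merchant network must fail authentication."""
    poi = PoiDevice("POI-0001", *derive_device_keys(bdk, "POI-0001"))
    blob = poi.read_card("4111111111111111", "12/27")
    ct = bytearray.fromhex(blob["ct"])
    ct[0] ^= 0x01  # flip one bit of ciphertext
    blob["ct"] = ct.hex()
    try:
        DecryptionEnvironment(bdk).decrypt(blob)
    except ValueError:
        return True
    return False
```

The point of the exercise is key custody: `MerchantPos` has no key material at all, so a full dump of its log yields only ciphertext and a masked PAN, and the authentication tag means a host that is compromised cannot silently alter the data it relays. Real P2PE solutions add what this sketch omits, notably hardware key storage, unique per-transaction keys, and the PCI-defined controls around the decryption environment.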