The Health Care industry has entered the information security spotlight. In February, Anthem, the second-largest health care insurer in the country, notified customers of a breach of its computer systems that potentially affects more people than the Target breach in 2014 or the Home Depot breach of 2014. This follows on the heels of the August 2014 breach of 4.5 million medical records held by Community Health Systems.
For almost twenty years, information security in the US health care industry has been mandated by the federal HIPAA regulations and the subsequent HITECH modifications. These regulations have not only set security standards, but have also required organizations to publicly notify affected parties of breaches involving 500 or more people. Generally, this has created a culture of compliance and notification procedures within health care organizations.
It’s time for health care to focus less on compliance and more on the discovery, containment, and eradication of malicious activity in its networks. With each breach, the value of the data stored on these networks and the ease of stealing that data are becoming more apparent. Health care must join the financial and retail industries in their maturity and capabilities for cyber-defense. Fortunately, the trail has been blazed by those industries. Health care can catch up by taking a measured view of the tools, processes, and services that already exist, and by securing the organizational support needed to acquire and implement those solutions.