In the case of the health care industry, companies know not only that they have been hacked, but also that they remain tempting targets in a new frontier of the cyber war that has opened up on its front lines.
"The threat of cyber security is tremendous," said Beth Strapp, vice president and Specialty Insurance Health Care manager for Chubb (CBI). "While many threats are known to the health care industry and patients, other threats are evolving and emerging. Medical records are the obvious threat. Detection is difficult by both health care providers and affected persons, who may not realize for months or longer that their records have been compromised. What's at risk is not just the information in the record but that this information can be changed, which could impact future patient care."
Strapp's company develops cyber security products that allow health care organizations to provide medical record monitoring for its health care customers. This is the kind of tool increasingly used in an industry where the threat of a single theft is just the tip of the iceberg.
In the last nine months, there have been three large data breaches in the industry affecting health care industry giants Community Health Systems (CYH), Anthem (ANTM) and Premera Blue Cross, representing a total of 95.5 million stolen medical records. Put another way, this represents the health records of almost 30% of the entire U.S. population.
"The motivation of individuals who seek to get access to medical records is varied," said Strapp. "Attacks could be targeted at an individual or a health care organization for multiple purposes such as the takeover of medical equipment, the sale of medical and financial identities or financial extortion to restore the provider's use of the patient information."
The biggest problem facing the industry is the ever-changing nature of the cyber security landscape. "What is a threat today, may be less so in the future. Health care organizations have multiple priorities and limited resources," Strapp commented. "Choices about strengthening and improving security of electronic data, systems and devices are complicated by the current number of devices and the continually growing number of devices including mobile technology owned by employees."
She also noted that industry consolidation poses another challenge for the industry across the board. Integrating and merging IT systems and organizations is a highly complex proposition.
According to the 5th Annual Study on Privacy and Security from the Ponemon Institute, a leading national research center dedicated to privacy and data protection based in Michigan, "Data breaches could be costing the industry $6 billion. More than 90% of health care organizations represented in this study had a data breach and 40% had more than five data breaches over the past two years. No health care organization, regardless of size, is immune from a data breach."
To combat the threat, the industry has organized under the umbrella of a national network of Information Sharing and Analysis Centers (ISACs), which are being organized across the critical industry infrastructure to share industry-specific information and help each other defend against an ever more present and looming threat.
The National Healthcare ISAC (NH-ISAC) is a non-profit coordination between the industry and law enforcement and was founded five years ago in 2010. While the full list of members is confidential, industry giants on the board include Aetna (AET), Amgen (AMGN), Johnson & Johnson (JNJ), McKesson (MCK) and Pfizer (PFE).
NH-ISAC members share information about everything from trojan viruses to phishing, as well as the activity of so-called hacktivist groups. The industry realized long ago that collaborative information sharing rather than competition was the best way to guard against an omnipresent and growing threat.
"Almost every major property and casualty insurance carrier has developed at least one cyber insurance product," said Strapp. "Products are constantly being refined to respond to customer needs and evolving exposures, including new and varied liability relationships under HIPAA and between organizations, vendors and joint venture partners as well as evolving state privacy and security laws."
Innovation, cooperation and communication, it appears, remain the best defense on the front line of the health care cyber security wars.