Protecting Medical Identity Is a Must-Win Battle in the War for Cybersecurity | Commentary
The cyberattack carried out recently against Anthem, one of the nation’s leading health insurers, is yet another stark reminder of the persistent threats American businesses and consumers face in the digital age.
While attacks on retailers such as Target, the Home Depot and Neiman Marcus already provide grounds for concern, the Anthem attack is disturbing because it presents the most high-profile example of a “new norm” in cybercrime — the theft of medical identity records. These attacks are especially disturbing because medical records contain highly sensitive information about individual Americans.
Health companies are so besieged by cyberattacks that, according to a study by the data protection research firm the Ponemon Institute, 90 percent of health care organizations have had at least one data breach over the past two years. The names, birth-dates and Social Security numbers that health care businesses house on their networks are attractive to cybercriminals because they help them open up fake lines of credit or to plan other crimes. And larger criminal organizations are willing to dole out huge sums of cash for sensitive medical data. According to a New York Times article by Reed Abelson and Julie Creswell, recent black market auctions have seen complete patient medical records valued at higher prices than credit card numbers. One such auction saw patient medical records sell for as high as $251, while credit card records sold for 33 cents. The reason for this tremendous price disparity is simple; many cybercriminals believe the $3 trillion U.S. health care industry offers the best opportunity to grab huge batches of valuable personal data with the least cyber-resistance (as many health care companies still rely on aging computer systems with outdated security features).
As with any marketplace (criminal or otherwise), new entrants will be drawn to attack health insurers and companies hosting sensitive medical data by the allure of profit. As industries catch on to cybercriminals’ modus operandi, these bad actors will look to innovate their way around newly integrated cyber-defenses and find ways to increase the sophistication and impact of their attacks.
While 80 million people may have been affected by this breach alone, the attack at Anthem is a microcosm of the much larger problem facing the health care service sector. Cybercriminals are as committed as ever to placing the livelihood of American families, workers and businesses in jeopardy for personal gain or for pure pleasure. So what can we do to stop these criminals in their tracks before they cause irreparable harm to our jobs, personal information, and safety? Here are a few suggestions.
First, government (state as well as federal) and industry must better coordinate the sharing of actionable threat information to thwart cyberattacks. The cybersecurity proposal that President Barack Obama released last month will spur public/private cyber-information-sharing and encourage responsible cyber-threat reporting to the Department of Homeland Security’s National Cybersecurity and Communications Integration Center. This will allow for real time coordination between relevant federal agencies, state partners and private sector-developed and operated information sharing and analysis organizations by providing targeted liability protection for companies that share information with these entities.
Second, we need to do more to advance research and development in cybersecurity. This can be achieved by: extending the R&D tax credit, making strategic long-term government investments in cybersecurity and funding initiatives that help grow a skilled and professional cybersecurity workforce.
Finally, Congress should promote initiatives, legislation and funding streams that help domestic and international law enforcement entities deal with cyber-crime enforcement. Whether it’s fraud, piracy, extortion, online theft, commercial espionage, “hacktivism” or cyberattacks coordinated by terrorists abroad; the wall of defense and response is made stronger through effective law enforcement and international cooperation.
It’s still too early to know exactly how damaging Anthem’s data breach was, although reports that no personal health information was stolen by hackers are encouraging. Still, consumers may not be so lucky the next time a health company is attacked.
On Tuesday, the White House announced the creation of the Cyber Threat Intelligence Integration Center, a new agency designed to combat cyber-threats and coordinate digital intelligence among federal agencies. On Friday, the White House will host a summit on cybersecurity and consumer protection at Stanford University with the goal of advancing public and private sector efforts to protect American consumers and companies from growing threats to their networks and livelihood. The president and industry thought leaders can’t be alone in their efforts. Republicans and Democrats must work together to pass long-overdue comprehensive cybersecurity legislation. It’s time we all worked harder and smarter to stop cyber-criminals. The time to act is now.
Rep. Robin Kelly, D-Ill., is the ranking member of the House Oversight and Government Reform Subcommittee on Information Technology and is chairwoman of the Congressional Black Caucus Health Braintrust. Want More Stories Like This? Subscribe to our Thought Leaders Newsletter.