Another health insurer is facing a major healthcare data breach. Here’s how cybersecurity experts are reacting.
Another health insurer is facing a major healthcare data breach. Centene Corp. says it is missing six computer hard disk drives that contain the health records of about 950,000 individuals.
“While we don't believe this information has been used inappropriately, out of abundance of caution and in transparency, we are disclosing an ongoing search for the hard drives,” Michael Neidorff, Centene chairman, president and CEO, said in a news release. He added that the lost drives include individuals' names, dates of birth, Social Security numbers, and member ID numbers.
The announcement comes on the heels of a report from the Identity Theft Resource Center (ITRC) that found that more than 120 million patient records were compromised in 2015 due to healthcare incidents alone.
The healthcare industry is a prime target for cyber criminals because of the data healthcare entities collect, create, manage and store, says Emily Mossburg, a principal with Deloitte & Touche LLP’s cyber risk services practice.
In fact, Darren Guccione, CEO of Keeper Security, Inc., says that medical records can rake in as much as $300 on the black market, which is nearly 10 times more than what credit card numbers typically fetch.
Sean Curran, director in West Monroe Partners’ Security & Infrastructure Consulting Practice, predicts that the number of healthcare data breaches will increase this year. “Simple data loss events, such as the loss of hard drives or removable media, will continue to happen until organizations take the approach to encrypt all systems, not just laptops,” he says, adding that data breaches because of cyberattacks will also continue to be a problem.
Mossburg agrees that data breaches, due to criminal activity or lost or misplaced data, show no sign of slowing. “Cyberattacks are currently on the rise and they aren’t going away,” she says. “PHI, personal health information, is a rich target and given the breadth of ways this data can be illegally and maliciously used and exploited, there are a broad set of attackers targeting PHI. The leadership of healthcare companies, any company, need to recognize cyber risk as a core strategic risk to their businesses and plan and execute based on that risk to their organization.”
The industry faces unique data protection challenges
Curran says the Centene announcement highlights that many organizations continue to fail to take basic precautions to protect their information assets. “Lost computers, hard drives and removable storage media still dominate the methods by which healthcare data is lost, which is surprising given that every major desktop/laptop operating system contains basic methods to encrypt hard disk drives and removable media,” he says.
On the positive side, Curran says the Centene breach was due to the loss of hard disk drives, not a full, widespread system breach of the kind that occurred in 2015 at Anthem (78.8 million people affected) and other large health plans.
In addition, Centene identified the breach, which suggests its compliance program is functioning in some capacity, he says, noting that many organizations that have been breached do not discover the breach for some time. In fact, he says industry research suggests that a breach takes, on average, nine months to detect.
“The more concerning system-wide data breaches will continue to be reported as organizations catch up on the detection methods and the tools they have employed become capable of identifying those attacks,” Curran says.
Guccione says the industry had a “wakeup call” last year because of the Anthem breach and the Premera breach, which affected 11 million people. That wakeup call may propel more healthcare organizations to take necessary steps to protect their data.
“As healthcare professionals learn to adopt cybersecurity ‘best practices,’ a far greater number of breaches will be prevented,” says Guccione. “Hospitals and healthcare insurance providers will implement more cybersecurity software in 2016 that will provide password management.”
He adds that more than 70% of breaches can be attributed to weak passwords or to poor practices in password management, encryption and threat detection.
Critical data protection strategies
Healthcare executives must keep in mind that protecting a healthcare organization’s data is not a support function and it is not a job for information technology or cybersecurity alone, says Mossburg. Instead, it is a responsibility of the business.
“The business, as part of the overall process of conducting business, should understand their data inventory, the sensitivity of that data and be committed to providing the governance, process and solutions necessary to protect that data,” she says.
Additionally, much of the effort in healthcare cybersecurity has traditionally gone into securing the environment, says Mossburg. Though this remains an important component of any cyber risk program, as cyber threats have evolved it has become just as important that organizations actively monitor their business and technical environments for abnormal and suspicious activity.
Curran adds that executives should keep in mind that small investments, such as encryption of hard disk drives and removable media, can make a big difference in reducing the likelihood of a reportable breach.
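Curran's point, here and in his earlier remark that every major desktop and laptop operating system ships with disk and removable-media encryption, implies a practical check: before a drive can go missing, know which mounted volumes are not sitting on an encrypted device. The script below is an added illustration written for this page, not code from Centene, West Monroe Partners or any of the quoted firms. It assumes a Linux host where `lsblk -J` is available and reports any mounted filesystem that has no dm-crypt (LUKS) device above it in the block-device tree; the sample `lsblk` output embedded in it is constructed, not captured from a real machine.

```python
"""Audit lsblk JSON output for mounted filesystems that are not backed by a
dm-crypt (LUKS) device. Added example for this article; not vendor code."""
import json
import subprocess

# Mountpoints that are expected to be unencrypted because firmware must read
# them before any key is available. Adjust to local policy.
DEFAULT_ALLOWLIST = frozenset({"/boot", "/boot/efi", "[SWAP]"})


def _mountpoints(node):
    # util-linux >= 2.37 emits "mountpoints" (a list); older releases emit
    # a single "mountpoint" string. Accept either shape.
    mps = node.get("mountpoints")
    if mps is None:
        mp = node.get("mountpoint")
        mps = [mp] if mp else []
    return [m for m in mps if m]


def find_unencrypted_mounts(lsblk_json, allowlist=DEFAULT_ALLOWLIST):
    """Return (device, fstype, mountpoint) tuples for every mounted filesystem
    with no node of type "crypt" anywhere above it in the device tree.
    LVM-on-LUKS is handled because the LVM volumes sit below the crypt node."""
    tree = json.loads(lsblk_json) if isinstance(lsblk_json, str) else lsblk_json
    findings = []

    def walk(node, under_crypt):
        under_crypt = under_crypt or node.get("type") == "crypt"
        for mp in _mountpoints(node):
            if not under_crypt and mp not in allowlist:
                findings.append((node["name"], node.get("fstype"), mp))
        for child in node.get("children", []):
            walk(child, under_crypt)

    for dev in tree["blockdevices"]:
        walk(dev, False)
    return findings


def audit_local_host():
    """Run lsblk on this machine (Linux only) and return the findings.
    MOUNTPOINT is used rather than MOUNTPOINTS so old util-linux still works."""
    out = subprocess.check_output(
        ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"], text=True)
    return find_unencrypted_mounts(out)


# Constructed sample (not from a real host): sda2 is LUKS with LVM root and
# home on top, sdb1 is a plain NTFS USB stick mounted at /mnt/usb.
SAMPLE_LSBLK = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "fstype": None, "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
        {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": None,
         "children": [
            {"name": "cryptlvm", "type": "crypt", "fstype": "LVM2_member",
             "mountpoint": None, "children": [
                {"name": "vg0-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"},
                {"name": "vg0-home", "type": "lvm", "fstype": "ext4", "mountpoint": "/home"},
            ]},
        ]},
    ]},
    {"name": "sdb", "type": "disk", "fstype": None, "mountpoint": None, "children": [
        {"name": "sdb1", "type": "part", "fstype": "ntfs", "mountpoint": "/mnt/usb"},
    ]},
]})

if __name__ == "__main__":
    for dev, fstype, mp in find_unencrypted_mounts(SAMPLE_LSBLK):
        print(f"UNENCRYPTED {dev} ({fstype}) mounted at {mp}")
```

On the constructed sample the only finding is the USB stick, which is exactly the class of device Curran is describing. Two caveats: the check sees only block-level encryption, so filesystem-level schemes such as fscrypt or eCryptfs will be reported as unencrypted and need a separate test; and a fleet audit needs the same question answered on the other platforms, for example with `manage-bde -status` or `Get-BitLockerVolume` on Windows and `fdesetup status` on macOS, then fed into a single inventory so that unencrypted desktops and servers, not just laptops, become visible.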
Finally, executives must be prepared to respond to a data breach and lead their organizations through it. “This means that organizations should have well-defined incident response plans and that they must practice these plans,” says Mossburg. “Conduct cyber exercises and cyber wargames; this will help you practice, test and enhance your preparedness to execute your plan and lead your organizations through incident response and recovery.”
Sean Curran, director in West Monroe Partners’ Security & Infrastructure Consulting Practice, says that he does not believe the Centene data breach will affect its pending merger with Health Net. “Were they an acquisition target, it could impact their valuation, but in reverse it is not the case unless they plan to use noncapital funds [shares/equity] for the transaction,” says Curran. “Even still, given the method of data loss, it is unlikely to significantly impact their value.”