Starting off this year with a boom, the health care industry took a few powerful security blows in the first half of this year. Topping the charts was the cyberattack on health insurance giant Anthem, Inc., which could affect millions of children and adults for years. A simple online search produces pages of results for lessons learned in the few months since. Here are 3 lessons that top my list of takeaways from this breach as well as others.

Lesson 1 – Assess and Address Compliance and Security Health Regularly

Although I doubt many of you enjoy any type of audit, today’s security threat environment requires routine audits and monitoring as a key component of compliance and security health. Gone are the days of ignorant bliss when a firewall and anti-virus/malware software fit the bill. Companies with sophisticated technology infrastructures are making headlines, and bad ones, because of breaches that went undetected for months. Components such as intrusion detection, user behavior analysis, data leak prevention, two-factor authentication, encryption, and more are now part of the security suite necessary to fight cyberattacks. Requirements far above and beyond federal regulatory IT specifications are needed to mitigate cyber liability in the health care sector.

Do not stop at assessments. Take the initiative to tackle the weaknesses and flaws the assessments uncover. Long-term compliance and security health is the goal. Being proactive can save you thousands in the long run. A combination of software assessments, technology experts and legal advisors is an important asset for assessing and addressing compliance and security health regularly.

Lesson 2 – Implement Vendor Risk Management

Particularly in the health care sector, vendors are a significant source of risk, both in regulatory compliance and in cyber liability in general. Not only are you responsible for your own compliance and security health, you may also be responsible for that of other entities such as Business Associates. A similar vendor liability scenario exists in the financial industry. Take a serious look at your contractual relationships with vendors. Start by listing your vendors and identifying the risks associated with each of them. Develop a due diligence strategy by utilizing the same combination of software assessments, technology experts and legal advisors. Focus on high-risk vendors first, with a clearly defined plan of action to address the risks identified with those vendors.

Lesson 3 – Attack Cyber Liability with Confidence

My favorite dose of cyberattack reality is provided by Norse. Click the “Live Attacks” button and watch the hits to the United States. If this were a game, the US would be blown to pieces in minutes. My three-year-old son’s current obsession is “BAD” guys (and girls) and superheroes. Whether for sport or as a way to make a living, “BAD” guys (and girls) are out there hacking away. Be your own superhero in cyber liability and surround yourself with a team of superheroes. Attack cyber liability with confidence.

Build a solid foundation of security within and outside your entity’s walls. Be proactive in assessing and addressing your security needs. Regular monitoring of security attacks as well as computer user behavior provides an outside and an inside view of suspicious activity. Educating employees not to share passwords or open unfamiliar email attachments is also extremely important. The chart-topping Anthem breach traces back to administrator logins obtained through a phishing scheme. In addition, be proactive about your reaction. Have a detailed breach plan and processes in place that go beyond your IT department or consultants. Mitigate damages to your clients as well as to your reputation.

DISCLAIMER: The information in this blog post (“post”) is provided for general informational purposes only, and may not reflect the current law in your jurisdiction. By visiting this website, blog, or post you understand that there is no attorney client relationship between you and the Goosmann Law Firm attorneys and website publisher. No information contained in this post should be construed as legal advice from Goosmann Law Firm, PLC, or the individual author, nor is it intended to be a substitute for legal counsel on any subject matter. No reader of this post should act or refrain from acting on the basis of any information included in, or accessible through, this Post without seeking the appropriate legal or other professional advice on the particular facts and circumstances at issue from a lawyer licensed in the recipient’s state, country or other appropriate licensing jurisdiction.