Late on February 4, news broke of a cyberattack on Anthem (a health insurance provider), in which Anthem believes the personal information of over 80 million (yes, million!) current and former customers and employees was accessed. While the investigation is still ongoing, there is no doubt this incident will dwarf the previous high water mark for records compromised in a healthcare breach, which was 4.5 million last year in the Community Health Systems breach.
Some of you might be thinking, “I’m too small of an organization to be targeted if a hacker can target a company like Anthem instead of our community hospital.” However, that is very much not the case. From January 2014 to January 2015, 30% of reported HIPAA breaches classified as Hacking/IT Incident cases occurred in healthcare providers of 200 beds or less.
In this article published by Becker’s Healthcare Review earlier today, they stated, “No hospital or healthcare organization is immune to cyberattacks or hackers.” We echo that in our 10 Security Risk Mitigation Strategies whitepaper and we still recommend putting these 10 strategies into effect at your organizations.
The Anthem breach is a perfect opportunity to highlight a few things we recommend as they relate specifically to accounts and passwords. The attack was discovered when an Anthem systems administrator noticed a database query running under his own account that he had not initiated himself. In other words, the attacker was not "breaking in" at that point; the attacker was using a legitimate administrator's credentials, which is exactly why the account hygiene below matters. More information will likely be released as details emerge on how the attacker was able to reach the database.
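The detection above relied on one alert administrator happening to look. The same condition, a query running under an account from a place or at a time that account never uses, can be checked automatically against a database audit log. The following is an added illustration, not Anthem's or ICE Technologies' tooling: the log format (timestamp | account | client host | statement), the baseline of hosts per account, and the business-hours window are all assumptions, and the log lines are constructed for the example.

```python
"""Flag database queries run under an account from an unfamiliar host or
outside that account's normal hours.  Added example; log format, baseline
and hours are assumptions, not any real organization's configuration."""
from datetime import datetime

# Constructed sample audit lines (assumed format):
#   timestamp | db account | client host | statement
SAMPLE_AUDIT_LOG = """\
2015-02-03T09:12:44 | dba_jsmith | ws-jsmith.corp.example | SELECT count(*) FROM members WHERE state = 'IA'
2015-02-03T09:40:02 | dba_jsmith | ws-jsmith.corp.example | UPDATE plans SET renewal_date = '2015-07-01' WHERE plan_id = 17
2015-02-03T23:17:09 | dba_jsmith | 10.44.7.201 | SELECT member_id, ssn, dob, address FROM members
2015-02-04T00:05:31 | dba_jsmith | 10.44.7.201 | SELECT member_id, ssn, dob, address FROM members WHERE member_id > 5000000
2015-02-04T08:03:10 | app_claims | app01.corp.example | SELECT * FROM claims WHERE claim_id = 88123
"""

# Assumed baseline: the hosts each account is normally seen connecting from.
# In practice this would be learned from weeks of historical audit logs.
BASELINE_HOSTS = {
    "dba_jsmith": {"ws-jsmith.corp.example"},
    "app_claims": {"app01.corp.example"},
}

# Assumed working hours for interactive (human) accounts, 07:00-18:59 local.
BUSINESS_HOURS = range(7, 19)


def parse_audit_log(text):
    """Turn the pipe-delimited audit text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, stmt = [part.strip() for part in line.split("|", 3)]
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "host": host,
            "stmt": stmt,
        })
    return events


def find_suspicious(events, baseline=BASELINE_HOSTS, hours=BUSINESS_HOURS):
    """Return (timestamp, account, host, reasons) for every event where the
    account is used from a host outside its baseline or outside business hours."""
    findings = []
    for ev in events:
        reasons = []
        if ev["host"] not in baseline.get(ev["user"], set()):
            reasons.append("unknown host for this account")
        if ev["ts"].hour not in hours:
            reasons.append("outside business hours")
        if reasons:
            findings.append((ev["ts"].isoformat(), ev["user"], ev["host"], reasons))
    return findings


if __name__ == "__main__":
    for ts, user, host, reasons in find_suspicious(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"{ts} {user}@{host}: {', '.join(reasons)}")
```

Run as-is, the script flags the two late-night queries from 10.44.7.201 under dba_jsmith and nothing else. The point is not the two specific rules (a real deployment would also watch for bulk reads of sensitive columns, new source networks, and impossible-travel between logons) but that "a query under my account that I did not run" is a condition a log review can raise on its own, rather than waiting for the account owner to notice.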
Here are a few accounts and password tips straight from our ICE Technologies Computing Device Acceptable Use Policy:
- Team members must not share their passwords, personal identification numbers, security tokens or similar information, or devices used for identification and authorization. Team members are personally accountable for all network and system access performed under their user ID.
- Passwords are not to be written down and/or stored in, on or near the team member’s workstation. Team members must also ensure that no one observes the entry of their password. Team members must immediately notify the Information Security Officer if they believe their password(s) has been compromised.
- Applications that perform password management functions are not to be utilized unless approved as an organizational standard.
As for passwords, make them long and complex (containing numbers and special characters), avoid common or easily guessed words (don’t use your company name, your own name, etc.), and avoid “keyboard strings” (like ZXCVBN, which is simply a row of adjacent keys and is one of the first things a password-guessing tool tries). And as the second bullet above indicates, notify your Security Officer immediately if you think your password has been compromised.
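Those rules are easy to state and easy to get wrong when checked by hand, so here is an added example of the same rules as a small checker. This is illustration code written for this post, not ICE Technologies' password tooling or any product's policy engine; the minimum length of 12, the short list of common words and the US-QWERTY key rows are assumptions for the example.

```python
"""Check a candidate password against the rules in the text: numbers and
special characters present, no company or personal name, no common words,
no keyboard strings.  Added example; thresholds and word list are assumed."""
import re

MIN_LENGTH = 12  # assumed; the text says "complex", length is our addition

# Rows of a US-QWERTY keyboard; a "keyboard string" is a run of adjacent
# keys along one row, in either direction (ZXCVBN, qwerty, 0987, ...).
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# Constructed sample of common words; a real deployment would use a breach list.
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "winter", "health"}


def keyboard_walks(min_len=4):
    """Every substring of min_len adjacent keys along a row, both directions."""
    walks = set()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - min_len + 1):
                walks.add(seq[i:i + min_len])
    return walks


KEYBOARD_WALKS = keyboard_walks()


def password_problems(password, org_name="", user_names=()):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    low = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"\d", password):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")

    # Company name and the user's own names, checked word by word so that
    # "ICE Technologies" still catches a password containing just "ICE".
    for name in (org_name, *user_names):
        for token in name.split():
            if len(token) >= 3 and token.lower() in low:
                problems.append(f"contains '{token}'")

    for word in sorted(COMMON_WORDS):
        if word in low:
            problems.append(f"contains common word '{word}'")

    # Report the left-most keyboard string found, if any.
    hits = [w for w in KEYBOARD_WALKS if w in low]
    if hits:
        first = min(hits, key=low.find)
        problems.append(f"contains keyboard string '{first}'")

    return problems


if __name__ == "__main__":
    for candidate in ("ZXCVBN2015!", "ICEtech#2015", "correct-Horse7-battery"):
        verdict = password_problems(candidate, "ICE Technologies", ("Jane", "Smith"))
        print(f"{candidate!r}: {verdict or 'OK'}")
```

Note that "ZXCVBN2015!" has a number and a special character and would pass a naive complexity check; it is the keyboard-walk rule that rejects it. The checker deliberately returns every violation rather than stopping at the first, so the user is told everything to fix in one pass.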
So, even if you’re a small healthcare organization, the largest healthcare cyberattack to date is still a warning to stay vigilant when it comes to information security!