Spending on security has inched upward in healthcare in recent years, McMillan added. “So, maybe this (Anthem breach) will be the thing that makes people say we have to do something about this, but I haven't seen that realization.”
Strong internal and external firewalls, access control measures, antivirus solutions and phishing filters are important IT measures to prevent attacks, but policies, procedures and employee education are just as important and often cheaper, experts say. And, at the end of the day, an attack is almost inevitable, so cybersecurity insurance should also be part of any provider or payer defense against hacking.
In the face of an inevitable attack, identification and response are equally if not more important, experts say. Big or small, companies need employees who can recognize when hackers have breached their network, or are casing it to find a way in.
“You can buy a million-dollar firewall, but you need someone to make it effective,” said Chris Pogue, senior vice president of cyber threat analysis for Nuix, a software firm. “It's a marriage of skill and resources.”
Once an organization conducts mock-attack scenarios, it will have a clear roadmap for where it should divert resources to eliminate tech vulnerabilities. But it's not just about technology—employees can present the biggest vulnerability, said Armond Caglar, senior threat specialist at TSC Advantage, an enterprise risk consultancy that specializes in human behavior. Caglar stresses to his clients that security involves human behavior too.
Companies have to train employees on how to recognize phishing attacks—in which hackers try to dupe employees into giving them access to corporate networks—as well as educate them on precautions that should be taken when traveling with a work computer that has sensitive data.
“If people want what you have, they're going to try to get it, but you've got to make their job very, very difficult,” Caglar said. “Folks can't invest in these IT-centric solutions when they're leaving other vectors undefended.”
If an employee is terminated, human resources staff should follow up with IT staff to make sure that the individual’s network access is fully terminated. Also, contracts with companies that have access to patient data should spell out how the contractor will protect the information and respond in the event of an attack.
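The HR-to-IT follow-up described above is easy to state and easy to miss in practice, because one person typically holds accounts on several systems. The following script is an added example (not from the article or any of the firms it quotes) of how an IT team can check the handoff: it reconciles a constructed HR termination roster against a constructed export of accounts from several systems and flags accounts that are still enabled after the termination date, as well as accounts that were disabled only after a grace period had passed. The system names, employee IDs and dates are all made up for the illustration.

```python
"""Reconcile an HR termination roster against account exports.

Added example, not code from the article. Data below is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Termination:
    employee_id: str
    term_date: date


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: str
    enabled: bool
    disabled_on: Optional[date]  # None while the account is still enabled
    system: str                  # constructed system labels: "ad", "vpn", "ehr"


# Constructed HR roster: three departures recorded by HR.
HR_TERMINATIONS = [
    Termination("E1001", date(2015, 2, 2)),
    Termination("E1002", date(2015, 2, 3)),
    Termination("E1003", date(2015, 1, 20)),
]

# Constructed directory export: one row per (person, system) account.
DIRECTORY_EXPORT = [
    Account("jdoe", "E1001", enabled=False, disabled_on=date(2015, 2, 2), system="ad"),
    Account("jdoe", "E1001", enabled=True, disabled_on=None, system="vpn"),    # missed on offboarding
    Account("asmith", "E1002", enabled=False, disabled_on=date(2015, 2, 3), system="ad"),
    Account("asmith", "E1002", enabled=False, disabled_on=date(2015, 2, 3), system="ehr"),
    Account("bwong", "E1003", enabled=False, disabled_on=date(2015, 2, 10), system="ad"),  # disabled weeks late
    Account("cjones", "E1004", enabled=True, disabled_on=None, system="ad"),   # current employee, no finding
]

# Date on which the reconciliation is run (constructed).
AS_OF = date(2015, 2, 15)


def find_lingering_access(terminations, accounts, as_of, grace_days=1):
    """Return (still_enabled, disabled_late).

    still_enabled: accounts of terminated staff that are enabled as of `as_of`.
    disabled_late: accounts disabled more than `grace_days` after the termination date,
                   which points at a slow or inconsistent HR-to-IT handoff.
    Accounts whose employee_id is not on the roster, or whose termination is
    still in the future, are skipped.
    """
    term_by_id = {t.employee_id: t.term_date for t in terminations}
    still_enabled, disabled_late = [], []
    for acct in accounts:
        term_date = term_by_id.get(acct.employee_id)
        if term_date is None or term_date > as_of:
            continue
        if acct.enabled:
            still_enabled.append(acct)
        elif acct.disabled_on is not None and acct.disabled_on - term_date > timedelta(days=grace_days):
            disabled_late.append(acct)
    return still_enabled, disabled_late


def summarize(terminations, accounts, as_of, grace_days=1):
    """Produce human-readable findings, one line per account that needs attention."""
    term_by_id = {t.employee_id: t.term_date for t in terminations}
    still_enabled, disabled_late = find_lingering_access(terminations, accounts, as_of, grace_days)
    lines = []
    for a in still_enabled:
        lines.append(f"STILL ENABLED {a.system}:{a.username} (terminated {term_by_id[a.employee_id]})")
    for a in disabled_late:
        delay = (a.disabled_on - term_by_id[a.employee_id]).days
        lines.append(f"DISABLED LATE {a.system}:{a.username} ({delay} days after termination)")
    return lines


if __name__ == "__main__":
    for line in summarize(HR_TERMINATIONS, DIRECTORY_EXPORT, AS_OF):
        print(line)
```

Run on a schedule against real HR and directory exports, the "still enabled" list is the actionable queue for IT, while the "disabled late" list measures how well the HR-to-IT follow-up is actually working; the same per-system join can be extended to contractor accounts, which the paragraph above notes should be covered by contract terms as well.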
Anthem has yet to say publicly what the attack may have cost the company, but the overall cost could be in the hundreds of millions of dollars based on past attack costs.
McMillan, at CynergisTek, said he'd heard a steep estimate on a major Community Health Services hacking incident in which 4.5 million records were compromised.
“I heard an estimate on CHS of $100 million, so if 4.5 million records are going to cost you $100 million, how much is 80 million going to cost?” he said. “If they decide to provide any credit monitoring for any of the victims, even if it was $10 a person, you do the math.”
Follow Adam Rubenfire on Twitter: @arubenfire
Follow Joseph Conn on Twitter: @MHJConn