Prime Factors Blog

Healthcare Lacks Breach Warning System - Needs Data-at-rest Encryption

Posted by Jeff Cherrington on Feb 8, 2015 9:12:00 PM

Much of the media chatter regarding the Anthem data breach focuses on asking when that company’s management team knew about the breach. That question is important – delays in notifying authorities and the individuals impacted mean the latter were exposed to risk unknowingly for weeks, if not longer. While research shows that “only” 36% of data breach victims suffer out-of-pocket expenses related to stolen health records, such costs average almost $19,000 when expenses occur. These victims can be compelled to reimburse “…healthcare providers for services provided to identity thieves.” Those impacted certainly want every chance to avoid such costs, and any delays only increase the risk of being one of the unlucky 36%.


A question just as important as “When did Anthem know?” is “How did Anthem discover the breach?” Unlike the electronic payments industry, healthcare does not have systems focused on monitoring for, and identifying, anomalies in transactions. In payments, credit and debit card issuers devote considerable time, personnel, and budget to sophisticated systems whose alerts frequently identify retail chain data breaches even before the chain is aware of them. The banks do this because, based on the bylaws and regulations of the payment networks, they are liable for the bulk of fraudulent transaction expense. It is in their profound self-interest to erect protections against fraud loss.

In contrast, the healthcare network does not have the same aggressive checks and balances in place to identify fraud and breaches. While the HITECH Act prodded US healthcare to digitize record keeping and integrate systems for record exchange, implementations have progressed further on the functional level than on the security aspects. Even with the aggressive push to digitize health data and integrate systems, little or nothing has been done to modernize health care fraud detection. Automated detection and defeat of identity theft, over and above that fraud, is nascent at best.

Remaining focused solely on the health sector, Ponemon Institute, in a report covering 2012, found that only 40% of surveyed health organizations had confidence that they could prevent or quickly identify health record loss or theft. As has been shown in the finance and retail industries, organizations are frequently overconfident in their capabilities, and even this 40% in healthcare may be overestimating their preparedness. Another part of that same Ponemon report found that 94% of healthcare organizations surveyed had at least one data breach in the prior two years, with 45% indicating more than five.

Perimeter breaches are inevitable, particularly in large enterprises grown quickly through acquisition and merger. The complexity of heterogeneous infrastructure means it is only a matter of time before attackers have access inside the network. Understanding this, it is bewildering that the PHI inside Anthem was not protected with encryption. Anthem spokesperson Kristin Binns told the WSJ that sensitive data was encrypted when in motion, but not at rest or in use. However, if the data had been appropriately protected by encryption, with encryption keys managed separately from the databases in which it resides, the impact of this breach would be greatly reduced, if not mitigated altogether.

Learn more about strategies for data at rest encryption, as well as for data in use, for any relational database system, with the model illustrated for one particular open source RDBMS, by viewing an on-demand replay of Prime Factors’ webinar “Best Practices for Transparent Encryption for MySQL Databases.”


Topics: Enterprise Data Protection