The Anthem Breach Should Educate

Healthcare Should Embrace Information Risk Management
Bob Chaput

Like the digital version of Fukushima, the fallout from the Anthem data breach just continues to get worse.

ZDNet recently reported that the insurance giant will likely exhaust its $100 million cyber-insurance funds due to the colossal costs of notifying 80 million people and providing free identity theft repair and credit monitoring. To put that number in perspective, 80 million is roughly the population of Germany.

Meanwhile, it’s getting harder for Anthem to hide behind the fig leaf of an excuse such as “this is probably the work of a sophisticated cyber-espionage team.” It’s true that hackers penetrated several Anthem security layers, but they gained access to the gigantic database using a stolen password. And numerous press reports suggest that Anthem hadn’t even bothered to encrypt the Social Security numbers found in that database.

The biggest lesson of the Anthem breach is that information risk management (IRM) is a much broader discipline than “HIPAA compliance” and the technical/tactical/spot-welding approach taken by many healthcare organizations. It’s high time for healthcare organizations to do what’s long been commonplace in other industries: use maturity models to measure how their IRM programs stack up against key benchmarks, capabilities and best practices.

Many organizations think that their IRM programs are robust and bullet-proof, but a maturity model eliminates the guesswork. Maturity models have been widely used for decades. For example, the Six Sigma methodology is an ongoing effort to test the maturity of an organization’s quality processes. There are maturity models for software development, supply chain management, and much more.

One of the first maturity models in healthcare was HIMSS Analytics’ Electronic Medical Record Adoption Model (EMRAM) that measures an organization’s EMR maturity level against national benchmarks.

This year, healthcare-specific IRM maturity models are beginning to appear – and here are some of the organizational capabilities they measure:

  • Risk management governance and awareness of benefits and values
  • Risk management people, skills, knowledge and culture
  • Risk manage process, discipline and repeatability
  • Risk management use of standards, technology tools and scalability
  • Risk management engagement, delivery and operations

After a rigorous performance review in each category, IRM professionals then produce a report card. As in school, the lowest score is an “incomplete.” The equivalent of a straight-A is “mature.”

It’s important to remember that data security is just a subset of a truly comprehensive IRM program. HHS estimates that only about 6 percent of data breaches are due to hackers. The other 94 percent are the result of preventable mistakes made by an organization’s own employees and business associates: losing a laptop containing unencrypted patient data, improperly disposing paper records, using an insecure wi-fi connection, etc.

Data breaches come in all varieties – from epic hack-attacks to smaller scale breaches involving celebrity snooping or unshredded documents. An IRM maturity model gives you a reliable report card so you can fix the C’s and D’s before they cause major financial and reputational damage. As an industry, we must move from a tactical, spot-welding approach to a business architectural solution that’s strategic and wide-ranging.

Bob Chaput is chief executive officer of Clearwater Compliance, an information risk management advisory firm.