If, like us, your insurance coverage is provided by the good folks at Anthem Inc., you probably have a few questions. How did the company not notice that cybercriminals were siphoning 80 million customer records from their systems? Why wasn’t my personal information encrypted? And why would Chinese hackers, the prime suspects, be interested in my Social Security number?
With some effort and luck, these questions will be answered soon, as litigants, attorneys general and federal investigators descend on the company. For now, give Anthem credit for coming clean quickly about its lapses — and remember that the attacks will continue unless there are some real reforms.
For one thing, companies need to start encrypting personal information held in their databases — especially important data such as Social Security numbers — as a matter of course and storing it more securely.
Health care companies, in particular, are vulnerable because they’re repositories of so much sensitive information and rely on elaborate networks. The thieves are often cunning: When Target was attacked in 2013, infiltrators stole credentials from a heating and refrigeration vendor the retailer did business with.
The nascent information-sharing group for health care companies, called NH-ISAC, should use this incident as a wake-up call for the entire industry, a known laggard in cybersecurity.
Congress could help by getting serious about setting up a federal information-sharing arrangement headed by the Department of Homeland Security.
It’s also important for Congress to start debating how to bolster laws to prevent the spread and sale of stolen personal data online.
All these things cost money. Yet so do enormous, terrible data breaches — just ask Target, which has tallied up expenses of $248 million after its attack.