Why Anthem's Huge Hack Matters for Medtech

Nancy Crotti

February 9, 2015

The recent hacking of millions of customer accounts at health insurer Anthem Inc. should be too close for comfort for medical device companies.

As many as 80 million Anthem Blue Cross customers were affected in a recent hacking episode. That news should be too close for comfort for medical device companies--providing a needed wake-up call amid the recent cybercrime spree against major companies including Target, Home Depot, and Sony Pictures. Prominent medical device companies like Boston Scientific, Medtronic, and St. Jude have also been hacked in recent years.

More recently, in December 2014, a group of Wall Street-savvy hackers attacked nearly 100 biotechnology, medtech, and pharmaceutical firms in an apparent attempt to play the stock market. Silicon Valley cybersecurity firm FireEye said it found that the hackers had been targeting information related to product development, M&A strategies, legal issues, and purchasing processes of the companies since at least mid-2013.

Smaller medtech companies may be even more vulnerable than the giants, simply because they can't afford the same types of protective technology. Even Medtronic told the SEC last June that it had been hacked, apparently from Asia.

The Anthem hackers may have been after personal information. They gained access to names, Social Security numbers, birthdates, email and mailing addresses, employment information, and incomes of 80 million people currently or previously covered by the Blue Cross Blue Shield insurer, according to a report by The Associated Press.

Although Anthem said that it had no evidence that the hackers sought medical information, "tens of millions" of its 37 million customers may have been affected, the AP report said.

The FBI warned healthcare companies last year that they were more vulnerable to cyberattacks than those in the financial or retail industries. Indeed, the healthcare industry is generally about 10 years behind the financial services sector and twice as vulnerable in terms of protecting consumer information, Avivah Litan, a cybersecurity analyst at the research firm Gartner, told the AP in a separate report.

Because they hold so much information, healthcare records may also be 10 times more valuable on the black market than credit card numbers, according to Carl Wright, GM of cyber security firm TrapX Security. Medical-info thieves might assume a patient's identity to file for insurance benefits, illegally obtain prescription medication, or, as the Department of Homeland Security fears, cause physical harm by interfering with the patient's medical devices (although the latter is likely a considerably minimal risk for most people).

Former Vice President Dick Cheney acknowledged in late 2013 that he considered such a threat credible enough that he had the wireless capabilities on his implanted defibrillator turned off for security purposes. The late hacker Barnaby Jack experimented with insulin pumps and claimed that he had discovered a way to hijack the device from up to 300 feet away, triggering potentially lethal insulin doses.

No one knows the privacy and safety implications of increasingly available remote monitoring of patients by healthcare professionals.

Major hospitals are eager to try this technology out, for a couple of reasons. Monitoring patients' vital signs between office visits gives healthcare practitioners a chance to intervene before patients become sicker. Reducing hospital readmissions will also help the bottom line and keep the federal government from exacting new penalties on healthcare organizations.

It's less expensive to rely on apps than to pay those fees. To reduce the cost of managing patients with chronic conditions, 70% of healthcare organizations worldwide will invest in apps, wearables, remote health monitoring, and virtual care by 2018, according to a November 2014 report by IDC Health Insights. The health research organization predicted that demand for data and analytics capabilities to support these health management initiatives would soar.

Wright told MedCity News that medtech businesses should add "proactive, deception-based technology" that uses phony computers and data to hoodwink hackers into believing they are actually inside a corporation with access to lucrative private information.

Businesses hacked to the degree that Anthem was are "irresponsible," Trent Telford, CEO of data security company Covata, told MedCity News.

"We have to assume the thieves are either in the house or are going to break in--they will always build a taller ladder to climb over your perimeter security--we must protect the data itself," Telford said. "This has crossed the line."

About the Author(s)

Nancy Crotti

Nancy Crotti is a frequent contributor to MD+DI.
