Cyber security is becoming a bigger and bigger concern these days as more and more companies are breached and sensitive data is stolen -- and though it's often retailers like Target that make the headlines, healthcare players are just as vulnerable.
In this video segment, Motley Fool analysts Dylan Lewis and Kristine Harjes go over the less-than-stellar state of cyber security in the healthcare space today.
A full transcript follows the video.
This podcast was recorded on Feb. 10, 2016.
Dylan Lewis: So, if I understand it, the healthcare field has run into some cyber security issues recently. I know, being in the tech and CG space a little bit more, you talk about names like Target or Sony, they've been huge, huge targets for cyber security, and have run into some major issues. There have been plenty of other names in the past. I think one healthcare provider recently made pretty big headlines for a cyber security issue?
Kristine Harjes: Yeah, this was in February of 2015, health insurer Anthem (ELV -0.32%) was hacked. And interestingly, it wasn't quite health-related information that was breached, it was names and email addresses and birthdays, Social Security numbers ... that's not good. But, it hit a lot, a lot of people. So, initially, when the news came out, they said that 40 million current customers were affected. They revised back to then say 80 million, because also, previous customers were going to be affected. So, this is kind of a huge deal.
And in the company's reaction to the event -- it was a very public thing -- you had representatives for the company say, "You know, we weren't doing anything that's not common practice for the industry, as far as encryption goes." So, when you look at the HIPAA standards for insurers and for the whole healthcare field, it turns out that they only recommend using encryption for data. Recommend, not requires.
So, it's recommended to use if it's an important measure to mitigate risk. Which kind of seems like, duh! Of course it's an important measure! But it's actually just more of a guideline than a requirement. The only time you're required to have encryption is when you're moving the data. So, when it's just static and in one place, I guess it doesn't need to be encrypted.
Lewis: Huh.
Harjes: So, who knows if that's ever going to change, but there are some pretty outrageous fees for if you run into trouble with that. So, one would think that these companies do have a pretty big incentive to get their data encrypted. But it's a humongous task.
