Unlike some companies, Sony has security -- as evidenced by these gates.

Photographer: Frederic J. Brown/AFP/Getty Images

The Sony Hack and Your Health-Care Data

Katie Benner is a Bloomberg View columnist who writes about technology, innovation, and the cult and culture of Silicon Valley. She lives in San Francisco.

The Sony Pictures Entertainment hack was embarrassing and potentially harmful to employees whose Social Security and credit-card numbers were stolen. Yet the level of harm caused by a different kind of cyberpilfering could be much more damaging: the theft of sensitive online personal information, such as medical histories, specific health-care treatments and personal-leave details.

A stolen credit card can be canceled, as Jim Routh, Aetna's chief information security officer, pointed out. Erasing traces of your medical history once it's online, though, is much harder. What's troubling is that despite the volume of sensitive data health-care companies hold, they lack the robust security you might expect.

A multitude of companies make up the health-care ecosystem -- providers, payers, pharmaceutical and medical-device makers and diagnostic laboratories -- and they have varying levels of security expertise. For every big pharma company or insurer with a huge security budget, there are many more small regional hospitals and health-care providers that don't have the money or the understanding of how to quickly identify and fix vulnerabilities or counter an attack. Because these businesses are so interconnected, weaknesses end up being shared by all.

Routh sits on the board of a health-care-focused security organization called the National Health Information Sharing and Analysis Center, or NH-ISAC. Most of the industries that are considered part of the country's critical infrastructure have an ISAC, such as aviation (A-ISAC), defense (DIB-ISAC) and financial services (FS-ISAC). These groups were created during the past decade or so as a way to let companies in a given sector share information about data breaches. Financial services, which has taken security seriously for longer than most of corporate America, started its ISAC in 1999. The health-care ISAC came much later, opening in 2010. (If Sony keeps getting breached, maybe we'll see a media and entertainment ISAC before too long.)

Security professionals say that information sharing hasn't been common corporate practice, in part because companies have worried about reputational damage. (In deference to this worry, the ISACs let members share information anonymously.) A recent PricewaterhouseCoopers survey found that only 25 percent of businesses share information, even though the consulting firm also found that collaboration is one of the most effective defenses against cybercrime. So security employees often resort to swapping information about breaches behind closed doors, a practice that a former Morgan Stanley security employee tells me is an inefficient way to deter online criminals. After a company detects and repels an attack, it usually takes days or even weeks before the security team can get around to telling other people how it happened and how it was fixed.

The frequency and severity of corporate hacks have made companies more willing to open up. This has paved the way for startups, such as ThreatStream, Confer and Vorstack, that help companies share threat information.

The NH-ISAC decided that it wanted to use some of the newer, faster and more sophisticated technology that was coming out of the startup world. It worked with Vorstack to make an automated platform that lets companies share information about threats, breaches and response strategies in real time. Data is shared among systems, even machine to machine, which should cut down on the amount of time security people have to spend investigating alerts about possible breaches.

Smaller businesses that might not have large security teams will be able to use intelligence from bigger companies to improve their resiliency without having to put a lot of money into their own cybersecurity programs. The pilot program for the platform began a few months ago with five companies, which included insurers and drugmakers. The health-care sharing platform is purported to be among the most advanced in the ISAC network. (Only the financial services network has anything of comparable power.) This week it was opened up to all NH-ISAC members. Routh says it will take six to 12 months before the platform is widely adopted.

Hacks of companies such as Target, Home Depot and now Sony have shown us that all companies will have to be much more vigilant about cybersecurity. People will be watching closely to see if corporate America will embrace measures that the government has recommended, such as information-sharing practices. If doing so helps companies that hold important information to protect themselves, it should encourage vulnerable companies to band together against the next huge cyberattack, which is sure to come.

This column does not necessarily reflect the opinion of Bloomberg View's editorial board or Bloomberg LP, its owners and investors.

To contact the editor on this story:
James Greiff at jgreiff@bloomberg.net