Reading Time: 2 minutes

By Ed Simcox, Healthcare Practice Leader at Logicalis

I have talked with multiple healthcare CIOs in the past few days. Information security is, once again, front-and-center for CIOs and continues to represent one of the biggest challenges they face. It seems like we learn of new healthcare data breaches every week.

The recent Anthem data theft was reported widely in early February, including by Katie Dvorak of FierceHealthIT. The attack should be a new warning for the entire healthcare industry, which lags in cyber security compared to other industries.

As Ms. Dvorak’s article notes, this is shaping up as the largest breach in healthcare data in history. The signs indicate the attack was hatched by a hacker group based in China. A single, stolen employee password and lack of encryption appear to have been the aides used to pull off the heist.

It appears the hackers obtained the personal information of about 80 million consumers, including Social Security numbers, which were not encrypted, according to a Wall Street Journal article. Encrypting the information might have made it impossible, or at least more difficult, for hackers to access and sell the sensitive portions of the data.

Given heightened attacks such as this one, it’s an important reminder that CIOs must maintain the necessary security posture. They need to do so even in the face of declining IT budgets and important, competing priorities by evaluating security against these other priorities. CIOs need to be comfortable communicating the business value of security initiatives to boards of directors and senior leadership. Only then can they acquire the proper funding levels and organizational support necessary to properly care for security.

Properly caring for information security may begin with ordering an independent HIPAA audit to determine a baseline for future improvements and budgetary requests. While CIOs may be reluctant to see and share audit findings internally for fear of exposure, these findings become the needed justification for investing precious dollars in continual improvement of their organizations’ control environments and overall security posture. When does a healthcare organization want to learn which areas need improvement: before or after a reportable data breach?

In the coming weeks, our healthcare team will continue to blog about the other major challenges facing healthcare CIOs in the coming year as well as other issues and trends. We look forward to helping you and your organization successfully take on these challenges throughout the course of 2015!

If you have any questions about this blog, or would like to discuss its content, please contact me at

In the meantime, check us out at