Susan Ladika

With health care now one of the industries most often targeted by hackers, the National Association of Insurance Commissioners (NAIC) is moving to strengthen the security of health insurance information with the Insurance Data Security Model Law. The model legislation was unveiled earlier this year in hopes that it will establish standards in 2017 for laws and regulations governing data security and for investigations of data breaches.

Alex Heid

In many cases, employees’ awareness of cybersecurity is poor, making them easy targets for phishing and other schemes, says Alex Heid of Security-Scorecard.

Health care ranked ninth in terms of its cybersecurity in a recent report by SecurityScorecard, a company that provides risk monitoring and security ratings. The health care industry is widely infected with malware and has come under repeated ransomware attacks, says the New York City startup, which analyzed more than 700 health care companies. “A lot of data in the [health care] industry can be used for identity theft and insurance fraud,” says Alex Heid, SecurityScorecard’s chief research officer, noting that patient records often include Social Security numbers and birth dates. Compared with an industry such as financial services, “health care seems to be a softer target. There are fewer defenses for the same amount of data,” he adds.

So far this year, more than 850 data breaches across all industries it tracks have been reported, involving nearly 30 million records, according to the Identity Theft Resource Center, a not-for-profit organization in San Diego. More than a third of those breaches—and nearly half of the records—involve the medical and health care industry. Major incidents involved Centene and Washington State’s Medicaid program.

A group of 14 health, life, and property insurers and distributors wrote Adam Hamm, head of the NAIC’s Cybersecurity Task Force, calling for the model law to serve as the “sole data security and breach notification law applicable in a state,” InsuranceNewsNet reported.

More than three quarters of the health care industry has been affected by malware, SecurityScorecard reports. Ransomware has become a reality: Hollywood Presbyterian Medical Center in Los Angeles paid out $17,000 to hackers this year to regain access to its data. In many cases, employees’ awareness of cybersecurity issues was poor, says Heid, making them more likely to fall for phishing and other schemes that get around computer security. Security “really needs to be ingrained into the company’s culture,” he says.