An attractive target for hackers - Anthem Insurance
The Office for Civil Rights (OCR) has levied a $16 million penalty on Anthem Insurance in a record HIPAA settlement, after a series of cyberattacks led to the largest U.S. health data breach in history and exposed the electronic protected health information of almost 79 million people. OCR Director Roger Severino said,"The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history". Not only does Anthem have to pay the fine, but it also needs to implement a Corrective Action Plan to settle violations of HIPAA law. Indeed, this is HHS Director's juicy and egregious case which he has been pursuing for a while now.
Anthem's investigations revealed that this was a continuous and targeted attack on their technology infrastructure by hackers trying to steal valuable patient health records. The investigation also revealed that this attack was perpetrated through spear phishing attacks. This data breach involved an employee of one of Anthem's business associates.
Complete settlement - https://www.hhs.gov/about/news/2018/10/15/anthem-pays-ocr-16-million-record-hipaa-settlement-following-largest-health-data-breach-history.html
What were some of the factors that contributed to this large settlement amount with Anthem? Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI (electronic Protected Health Information), beginning as early as February 18, 2014.
Here are some questions to ponder:
- Are you conducting a HIPAA Security Risk Assessment or Risk Analysis regularly?
- Are you conducting an Enterprise-wide Security Risk Analysis or just Risk Assessment of your EHR?
- How do you know if unauthorized personnel/hacker has access to your ePHI?
- Do you have a well tested Incident Response Plan?
- Have you conducted a Medical Device Risk Assessment?
- Have you conducted periodic external and internal penetration tests?
- Have you conducted regular phishing tests of your employees?
- Have you provided continued HIPAA training, tips and reminders to your staff?
We have assisted a number of health systems, hospitals, MSOs, ACOs, healthcare software vendors conduct OCR Audit Readiness Assessments, HIPAA Security Risk Analysis and Breach remediation assistance. We also provide HIPAA Compliance training, we can provide training to your staff so that your compliance officer is able to conduct training on a semi-annual basis to ensure that gaps in employee knowledge are addressed in a timely manner. Alternately, we can host your training onsite or online.
Don't let failures and inefficiencies lead you to Anthem's fate. According to the breach report filed with the HHS, their system became compromised through phishing emails sent to a subsidiary. At least one employee there responded to a malicious email leading to further attacks. The 16 million dollar price tag is just the settlement Anthem must pay to the OCR and does not include the cost of the corrective action plan which they must implement to rectify the failures which led to this massive breach.
This is your chance to learn from Anthem's mistakes. Healthcare entities are among the top three targets for cyber attacks. Not only could the fine that Anthem must pay put many covered entities out of business, the responsibilities required to be implemented in a corrective plan are the very responsibilities they failed to keep! So conduct your annual risk assessments, implement and review safety procedures to monitor system activity, prepare, implement and review your security and privacy policies, monitor access to software programs, identify and respond to detected events which could lead to a breach and especially prevent unauthorized access to ePHI! How would you regain trust after a breach like this?
Don't delay! For 1-4 physician practices, we are running a promotion on your 2018 HIPAA compliance package. If you are a larger covered entity or business associate, just contact us and we can decide together on the best plan of action for your business.