In light of Anthem Inc. recently agreeing to pay the largest HIPAA settlement on record for the Anthem data breach that affected nearly 79 million plan members, providers must get better at controlling who has access to patient data and internal systems.
That advice comes from David Harlow, a Boston healthcare lawyer and consultant. “Anthem didn’t do what it’s supposed to do under HIPAA in terms of securing its infrastructure or having appropriately tight access control or doing the risk analysis it should be doing over time,” Harlow said.
Key takeaways from the Anthem data breach
Harlow said what stood out to him about the Anthem data breach was that a handful of users were able to access multiple systems within the organization and cause a breach of 79 million patient records. Controlling who has access to patient data and internal systems is vital to protecting that data, he said.
“Why do a handful of users have access rights across all of those different systems?” Harlow said. “If there’s value to segmenting data to protect it, then that value, that protection, is undercut by putting all the keys on the same key ring, so to speak. That’s an issue.”
Additionally, it’s not enough for an organization to simply have the right technology implemented to flag potential security threats. He said another important aspect of having the right technology is training individuals to know and understand those flags.
“It’s not just about the tech; it’s about training and being able to not only detect issues but to be able to respond to them appropriately,” he said.
Anthem cited for numerous violations
Anthem is one of the largest health insurers in the United States. In January 2015, the organization discovered that cybercriminals had breached its databases and gained access to its IT system, ultimately stealing the data of millions of plan members.
Anthem already agreed last year to pay $115 million to settle class-action lawsuits. Now, the health insurer has agreed to pay the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) $16 million, more than double the previous record HIPAA settlement of $5.5 million.
OCR’s investigation revealed multiple alleged HIPAA violations in the Anthem data breach, including the disclosure of individuals’ protected health information, failure to conduct a system-wide risk analysis, insufficient procedures to regularly review system activity, failure to properly identify and respond to security incidents and failure to implement adequate access controls that would prevent cyberattackers from accessing sensitive patient data, according to a government news release.
Harlow said Anthem was cited by OCR for not having effective security incident detection and response capabilities. Cyberattackers allegedly gained access to the system through a phishing email to which at least one employee responded, which enabled further attacks and the massive healthcare data breach over the course of more than a month.
“Anthem allegedly really didn’t do a lot of things they were supposed to do,” Harlow said. Also, “the lack of urgency that was demonstrated in terms of notifying state agencies, notifying individuals — they went way over the time limits that are in state and federal law.”
Anthem was also cited for failing to regularly review records of IT system activity, something that could’ve alerted the organization to a potential healthcare data breach.
“If you’re using somebody’s credentials to creep over into a million different systems, that should be logged and auditable, and there should be some alerts that go off automatically if something is done that shouldn’t be done,” Harlow said.
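The logging and alerting Harlow describes, as an added example that is not from the article or from Anthem: a small Python detector that reads constructed audit-log lines and flags any account that reaches more than a set number of distinct systems inside one time window. The log format, account and system names, window and threshold are all assumptions.

```python
"""Alert when one credential touches an unusual number of distinct systems.
Log format, account names, system names and threshold are constructed
assumptions for this added example; the detection idea is Harlow's point above."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: timestamp, account, system accessed, action.
SAMPLE_LOG = """\
2015-01-27T08:02:11 alice claims-db READ
2015-01-27T08:05:40 alice claims-db READ
2015-01-27T08:09:03 bob hr-portal READ
2015-01-27T08:12:55 alice member-db READ
2015-01-27T08:20:17 alice billing-db READ
2015-01-27T08:31:44 alice provider-dir READ
2015-01-27T08:40:02 alice data-warehouse EXPORT
2015-01-27T09:15:30 bob hr-portal WRITE
"""

def parse_log(text):
    """Parse one record per line into (timestamp, account, system, action)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, system, action = line.split()
        records.append((datetime.fromisoformat(ts), account, system, action))
    return records

def accounts_spanning_systems(records, max_systems=3, window=timedelta(hours=1)):
    """Return {account: sorted systems} for accounts whose events reach more than
    max_systems distinct systems within any window starting at one of their events."""
    by_account = defaultdict(list)
    for ts, account, system, _ in records:
        by_account[account].append((ts, system))
    alerts = {}
    for account, events in by_account.items():
        events.sort()  # chronological order so each window starts at a real event
        for i, (start, _) in enumerate(events):
            systems = {s for t, s in events[i:] if t - start <= window}
            if len(systems) > max_systems:
                alerts[account] = sorted(systems)
                break
    return alerts

def alert_lines(text, **kwargs):
    """One human-readable alert line per flagged account."""
    alerts = accounts_spanning_systems(parse_log(text), **kwargs)
    return [f"ALERT {acct}: {len(systems)} systems in window: {', '.join(systems)}"
            for acct, systems in sorted(alerts.items())]
```

Calling `alert_lines(SAMPLE_LOG)` flags the one account that fans out across five systems within the hour while leaving the single-system account alone; tightening the window or raising the threshold changes what is reported.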
A statement from Anthem said the company takes the security of its data and the personal information of consumers seriously, and that the agreement reached with OCR over the Anthem data breach states it is “not an admission, concession, or evidence of liability by Anthem.”
“At the time of the incident, our first priority was to ensure that our systems were secure, which we did by engaging a world-class security organization and the FBI,” according to Anthem’s statement. “Additionally, we provided initial notice within four business days, and credit protections within 11 business days. We are not aware of any fraud or identity theft that has occurred as a result of this incident.”