2015: The Year of the HIPAA Breach

The recent breach at Anthem was the first significant breach in what looks to be a long year for the healthcare industry. And it will happen again, as signs point to 2015 being dubbed the year of the healthcare breach. The question is not if a breach will happen or even how to prevent a breach from happening – the question every healthcare organization should ask itself is when the next breach will occur (or whether it already has) and how to prepare for it.

The Anthem attack

How the Anthem attackers got in is still under investigation, but it seems likely that the attackers gained a foothold into the organization via malware and/or a phishing campaign targeting individuals with high-level access. Once one endpoint is compromised, that endpoint can be used to start performing reconnaissance and digging deeper into the network. Recent reports have identified a state-sponsored Chinese cyber espionage group as the culprits, and they may have entered the Anthem network as early as April 2014, nine months before Anthem discovered the intrusion.

Anthem had close to 100 million Personally Identifiable Information (PII) records stolen: name, address, email address, social security number, and date of birth. Essentially, the attackers gained access to everything except credit card and medical information. Given that a PII record, which contains enough to craft a false identity, can sell for around $20 on the black market, the Anthem hack could bring a hefty profit. It has definitely incurred a large price tag: the breach is estimated to cost Anthem upwards of $100 million.

What the Anthem attack means for the healthcare industry

Simply put, healthcare organizations keep and routinely access a lot of information. The challenge for healthcare organizations is to architect networks in a way that is both secure and provides availability of the data. It’s not enough to just house the data – you must be able to access it quickly. A patient’s life may depend on it.

Many healthcare organizations are still operating in flat networks with no network segmentation, which means that user systems and systems that process patient records all reside in the same space. So if a nurse’s workstation is compromised, an attacker is just one step away from getting his hands on patient records. Unfortunately, healthcare organizations are just too tempting a target.

The retail industry has weathered several high-profile breaches, including T.J. Maxx in 2007 (94 million records), Heartland Payment Systems in 2008 (130 million records), Target Brands, Inc. in 2013 (110 million records), and Home Depot in 2014 (109 million records). The Payment Card Industry Data Security Standards (PCI DSS) have prompted the industry to adopt deep and mature security programs to protect credit card information. While the HIPAA and HITECH acts have pushed the healthcare industry forward in terms of maturing their security programs, there is still much work to be done – the Anthem breach may be the push the federal government needs to begin more granularly regulating PII and electronic Protected Health Information (ePHI).

How to prepare

The first step is to develop a risk management program. Carry out a complete inventory of systems that hold patient information, conduct a risk analysis to look at threats and vulnerabilities, and perform technical assessments against those systems to ensure there are no available avenues of attack. Second, develop an incident response plan. Do you know what to do if you are breached? Do you have a plan for dealing with a malware outbreak? A denial of service attack? What are your monitoring tools and practices like? Do you know if data is being exfiltrated from your network? The more you have documented and the more procedurally mature your program is, the easier it will be for you to quickly identify, stop, and recover from a compromise. If you can detect and respond to a breach in a short amount of time, you are more likely to recover and to sustain your reputation and day-to-day business operations.

To learn more about Accudata’s risk assessment services, including HIPAA Gap Assessments, penetration testing, and comprehensive risk assessments, contact Brian DiPaolo, Assessment & Compliance Practice Director, at bdipaolo@accudatasystems.com.

Ismael Alfaro | Consultant

This Post Has One Comment

  1. Ismael Alfaro

    The Office of Civil Rights just released yesterday the latest covered entity to be hit by a high fine for non-compliance to the HIPAA Security Rule.

    “Cancer Care Group, P.C. agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR). Cancer Care paid $750,000 and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program.” – full article can be found at http://www.hhs.gov/news/press/2015pres/09/20150902a.html

    The article goes on to detail that Cancer Care Group had failed to implement a risk analysis and device and media control program, which, in turn, directly contributed to the breach. Had these programs been in place, Cancer Care Group would have been able to more easily identify and mitigate the threat of unencrypted data stored on mobile devices.

    In a statement made at the Safeguarding Health Information: Building Assurance through HIPAA Security conference held in Washington, DC, OCR Director Jocelyn Samuels said that “the audits are coming,” referring to the HIPAA OCR audits of covered entities.

    The Accudata Assessment and Compliance team maintains a staff of consultants that can assist covered entities in developing and assessing a security program that protects patient health information.
