The Green Sheet

Tuesday, February 10, 2015

Two breaches within five years roil Anthem

A security breach at Anthem Inc. reported Feb. 4, 2015, is the second in recent years for the health insurance carrier. Anthem, a Blue Cross and Blue Shield Association insurer, paid 1.7 million in penalties to the U.S. Department of Health and Human Services for a data security breach that occurred in 2010.

Ruled a violation of the Health Insurance Portability and Accountability Act (HIPAA), the event compromised 612,000 individuals insured at WellPoint Inc. Anthem Insurance Co. acquired WellPoint Health Networks Inc. in 2004 and named the combined company WellPoint Inc. In 2014, the company changed its name to Anthem Inc.

Anthem is bracing for an additional 1.5 million in fines for the current breach, which could affect up to 80 million customers and employees. Healthcare and security analysts alike are wondering how the healthcare giant could have failed to implement better security measures after the initial breach exposed vulnerabilities in its security infrastructure.

Security an ethical responsibility

“Companies in the healthcare and payments industries have an ethical responsibility to protect customer data,” said Mike Ackerman, Chief Executive Officer of San Diego-based DigiPay Integrated Technology Solutions. “The big story is not this week’s report of a data breach at Anthem, but the fact that it follows a relatively recent incident that led to expensive fines, affected tens of thousands of customers, and damaged the company’s brand.”

HIPAA regulations give Anthem a 60-day window to officially report the breach, and the company has already begun to contact its customers. It is also working with Mandiant, a computer security company, to evaluate its security infrastructure. In addition, Anthem is offering free credit screening to anyone whose name, address, Social Security number and medical data may have been stolen by hackers.

In a statement posted on the company’s website, Anthem President and CEO Joseph Swedish described the incident as a “sophisticated external [cyber attack]” with far-reaching effects. “Anthem’s own associates’ personal information, including my own, was accessed during this security breach,” he stated. “We join you in your concern and frustration, and I assure you that we are working around the clock to do everything we can to further secure your data.”

Healthcare attacks on the rise

Attacks against healthcare companies accounted for 42.5 percent of all reported data breaches in 2014, according to an Identity Theft Resource Center survey.

Security failures at WellPoint in 2010 and the Anthem breach currently being investigated have exposed the names, dates of birth, addresses, Social Security numbers, telephone numbers and health information of millions of consumers whose sensitive medical data was in the clear. Failure to encrypt and tokenize HIPAA-protected data has put millions of insured individuals in harm’s way.

The FBI warned consumers to be extra vigilant. FBI spokesman Joshua Campbell said the FBI “is aware of the Anthem intrusion and is investigating the matter,” and encouraged consumers to report suspicious activities to the FBI's Internet Crime Complaint Center at www.ic3.gov.

10 steps for securing health data

A report published April 30, 2014, by the Institute for Health Technology Transformation stated a majority of healthcare data security breaches are caused by lost or stolen devices that can expose an entire healthcare network to a cyber attack.

Following are the institute’s recommendations for securing health data in an increasingly mobile world:

  1. Obtain security expertise. Hire a chief information security officer who is dedicated to safeguarding your organization’s data. Asking your chief information officer to add this burden to his or her extensive portfolio invites trouble, because basic security procedures may be overlooked as a result.
  2. Strike the right balance between security and accessibility. While data security is very important, security procedures cannot be allowed to get in the way of clinicians accessing the data they need to do their work.
  3. Use role-based security. Restrict the access of individuals, based on their organizational role, to prevent breaches from spreading to the most sensitive and important data.
  4. Implement data controls. Identify the most critical and sensitive information and put data protection controls around that. Depending on the type of information, various security methods can be used, including encryption and tokenization.
  5. Use caution with single sign-on. Single sign-on poses security threats, but clinicians demand it. To minimize the risk, configure workstations to time out and log off automatically. A role-based security approach can be used to restrict access to only those applications a user needs.
  6. Address the use of mobile devices. Organizations that allow workers to bring their own devices (BYOD) must have policies to prevent those devices from endangering network security. They should also prohibit storage of PHI on these devices. Texting requires a security solution as well.
  7. Get business associates agreements (BAAs). All outside partners and service providers, including cloud storage providers, should [formally acknowledge their] responsibility to safeguard protected health information (PHI).
  8. Secure patient portals. Verify the identities of portal enrollees and adopt stringent authentication processes, but don’t make it too hard for patients to log on to portals.
  9. Reduce health information exchange (HIE) exposure. Be aware of the security practices of public health information exchanges. If you participate in one, you can reduce your security risk by not importing HIE data into your system.
  10. Choose your cloud provider and cloud type carefully. A cloud service provider should sign a BAA and be HIPAA compliant.
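Steps 3 and 4 above (role-based access and tokenization of the most sensitive fields) can be combined so that the clinical store never holds identifiers such as names, dates of birth or Social Security numbers in the clear. The following is an added illustration, not code from the institute or from Anthem; the patient record, roles and field lists are constructed for the example.

```python
import secrets

# Constructed sample record for the example; not real patient data.
PATIENT = {"name": "Jane Doe", "dob": "1970-01-01",
           "ssn": "123-45-6789", "diagnosis": "asthma"}

# Direct identifiers (the kind of data exposed in the breaches above)
# are replaced by tokens before the record reaches the clinical store.
IDENTIFIERS = {"name", "dob", "ssn"}

# Role-based view: each role sees only the fields its job requires.
# The role names and their field sets are assumptions for this example.
ROLE_FIELDS = {
    "clinician": {"name", "dob", "diagnosis"},
    "billing": {"name", "ssn"},
    "analyst": {"diagnosis"},
}


class TokenVault:
    """Holds the token -> value mapping; deployed separately from the
    clinical store so that a breach of that store alone yields only tokens."""

    def __init__(self):
        self._by_token = {}

    def tokenize(self, value):
        token = "tok_" + secrets.token_hex(8)   # random, not derived from the value
        self._by_token[token] = value
        return token

    def detokenize(self, token):
        return self._by_token[token]


def store_record(vault, record):
    """Return the form of the record kept in the clinical store:
    identifiers tokenized, clinical fields left as-is."""
    return {k: (vault.tokenize(v) if k in IDENTIFIERS else v)
            for k, v in record.items()}


def view_record(vault, stored, role):
    """Detokenize only the fields the caller's role is allowed to see;
    unknown roles get nothing."""
    allowed = ROLE_FIELDS.get(role, set())
    return {k: (vault.detokenize(v) if k in IDENTIFIERS else v)
            for k, v in stored.items() if k in allowed}
```

A reader who obtains only the stored record sees tokens for name, date of birth and SSN, while an analyst role never receives those fields at all.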

To obtain the full report, visit ihealthtran.hs-sites.com/iht2-healthcare-security-report.
