Anthem on hook for HIPAA violations
By Byron Acohido, ThirdCertainty
The aftermath of the Anthem breach won’t be pretty.
By letting hackers exfiltrate Social Security numbers and other personal data for possibly as many as 80 million individuals, the nation’s second-largest healthcare insurer has set itself up to become the poster child for sanctions likely to be imposed under the 1996 Health Insurance Portability and Accountability Act (HIPAA), not to mention shareholder and class action lawsuits.
Meanwhile, each individual victim must now take very seriously the notion that key pieces of data about himself or herself will circulate in the cyber underground indefinitely. This is data useful for the most egregious and troublesome forms of identity theft.
“Consumers face identity theft on a fairly massive scale,” says Ian Trump, security analyst at LogicNow. “They’ll need credit monitoring and access to legal help for when the blackmail attempts start to come in. Cyber criminals are not above threatening folks with the disclosure of their confidential and sensitive medical conditions to family members, co-workers and the general public.”
Anthem must be scrambling to do triage. The insurer’s crisis communication plan was put into motion late Wednesday with a fairly forthcoming open letter posted online by CEO Joseph R. Swedish accompanied by an FAQ.
Early reports from major media outlets that were granted access to an Anthem spokesman posited the notion that because no actual medical information appears to have been stolen, the breach would not come under HIPAA rules.
However, Eduard Goodman, chief privacy officer at IDT911, which sponsors ThirdCertainty, says Anthem is definitely on the hook to be investigated for violations of HIPAA’s medical-record privacy rules, not just by the feds but also by state attorneys general.
“This is absolutely a HIPAA breach,” Goodman says. “Anything that involves a healthcare clearinghouse or insurer collecting and releasing patient information is covered by HIPAA, even if it’s a bill with a letterhead that doesn’t say what the treatment was and has no credit card information.”
Goodman points out that a 2009 amendment to HIPAA empowered state AGs to enforce federal HIPAA rules for healthcare entities operating in their respective jurisdictions.
A classic violation is failure to issue timely notice to authorities. Seven-figure fines can be levied, Goodman says. But more so than that, federal and state regulators can gain political capital. Some may view punishing Anthem as a way to win votes.
At the moment, Anthem’s attention has to be focused on stopping leaks and preventing a recurrence. It has retained Mandiant, a top network forensics firm that’s a subsidiary of renowned malware detection company FireEye.
One thing Anthem – and the wider healthcare sector – should closely review is more pervasive encryption of healthcare records, says Richard Blech, CEO of Secure Channels, an Irvine, Calif.-based start-up that is developing next-generation encryption technology:
“Had Anthem’s consumer data been fully protected with strong encryption, then while the breach would have occurred, the stolen data would be completely devalued and useless to the hackers,” Blech says. “Security has to grow faster than the rate of a hacker’s expertise for everyone’s safety.”
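What Blech is describing is field-level encryption at rest: the columns an attacker would monetise (here the SSN) are stored only as ciphertext, so a dumped member table carries nothing usable without the key. The following is an added example, not code from the article, from Anthem or from Secure Channels. It uses Go’s standard-library AES-256-GCM; the `MemberRecord` type, the function names and the sample member with the made-up SSN `123-45-6789` are all constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// MemberRecord is a constructed stand-in for one row of an insurer's member
// table. The member ID stays in the clear so the application can still look
// rows up; the SSN is stored only as ciphertext.
type MemberRecord struct {
	MemberID string
	SSNEnc   string // base64(nonce || AES-256-GCM ciphertext of the SSN)
}

// NewDataKey returns a fresh 256-bit key. In a real deployment the key lives in
// a KMS or HSM, not next to the database, or the encryption buys nothing.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// encryptField seals one value with AES-GCM. The member ID is passed as
// additional authenticated data so a ciphertext cannot be spliced from one
// member's row into another's without failing authentication.
func encryptField(key []byte, plaintext, memberID string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nil, nonce, []byte(plaintext), []byte(memberID))
	return base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// decryptField reverses encryptField; it fails on a wrong key, a tampered
// ciphertext or a mismatched member ID.
func decryptField(key []byte, encoded, memberID string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(memberID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// StoreMember builds the row that would actually be written to the database.
func StoreMember(key []byte, memberID, ssn string) (MemberRecord, error) {
	ssnEnc, err := encryptField(key, ssn, memberID)
	if err != nil {
		return MemberRecord{}, err
	}
	return MemberRecord{MemberID: memberID, SSNEnc: ssnEnc}, nil
}

// LoadSSN is the one code path that may ever see the plaintext SSN.
func LoadSSN(key []byte, rec MemberRecord) (string, error) {
	return decryptField(key, rec.SSNEnc, rec.MemberID)
}

func main() {
	key, _ := NewDataKey()
	// Constructed sample member; the SSN is a made-up value.
	rec, _ := StoreMember(key, "M-0001", "123-45-6789")
	fmt.Printf("row as exfiltrated from the database: %+v\n", rec)
	ssn, _ := LoadSSN(key, rec)
	fmt.Println("application view, holding the key:", ssn)
	_, err := LoadSSN(make([]byte, 32), rec)
	fmt.Println("attempt without the key:", err)
}
```

The caveat a practitioner would add to Blech’s point: this only devalues a stolen table if the key is kept somewhere the database dump does not reach (a KMS or HSM, with access logged), and an intruder who controls the application server with live key access still reads records one at a time through `LoadSSN`. Encryption at rest narrows the blast radius of a bulk exfiltration; it does not replace the detection and response Petersen argues for below.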
More immediately, Anthem must figure out an efficient way to notify victims. “They will most likely provide some sort of identity theft protection free of charge,” says Sean Mason, vice president of incident response at Resolution1 Security. “However, that is not a silver bullet and may be offered too slowly to be effective, providing the opportunity for fraudulent activity to still occur.”
Meanwhile, anyone in the healthcare sector who didn’t already consider IT security a top priority in the current environment should take the Anthem case as the loudest warning yet. “Most large companies in the insurance payment sector have a strong team of in-house cyber security experts,” observes Ivan Shefrin, vice president of Security Solutions at incident response company TaaSera. “Given the web of network connections among our healthcare system, it’s easy to understand how such security breaches can escalate quickly and spread among partnered companies and vendors.”
The big takeaway is elemental, says Chris Petersen, co-founder of security analytics firm LogRhythm.
“The bad guys are coming after the healthcare sector,” Petersen says. “It holds valuable data for which there is black market demand. This isn’t something that only affects large healthcare organizations. Whether small or large, they should expect cybercriminals to already be in their environment or on their way in. Those that don’t start improving their ability to quickly detect compromises, monitor for threats, and respond quickly will have patient data breached – period.”