Health insurer Anthem, Inc. has agreed to a $16 million settlement and to follow a substantial corrective action plan from the Office for Civil Rights (OCR). The agreement comes after Anthem suffered a series of cyber attacks which led to a breach of the PHI of nearly 79 million individuals, instantly becoming the largest U.S. health data breach on record.
While the fine is staggering (over 3x the previous record), the investigation is the real ‘eyebrow-raising’ moment.
Preventing a Breach
Listed as the last item in the Anthem Resolution Agreement, the breach of 78,800 individual records is no small footnote. According to the OCR notice, media reports of a “sophisticated external cyber attack” on February 5th, 2015 prompted the federal agency to open a compliance review.
Working to repel cyber-attacks and to secure data against a breach is a core responsibility of every covered entity and business associate.
Enterprise-Wide Risk Analysis
The OCR report indicated that Anthem failed to conduct an enterprise-wide risk analysis. While the Corrective Action Plan sets out the requirements of such a review now, Anthem would have been well-served to consider proactive measures.
Completing an annual security risk analysis is a required component of the Administrative Safeguards for both covered entities and business associates, and it is an often overlooked or misunderstood obligation.
Information System Activity Review
While some policies are better than no policies, the OCR report includes language around minimum content requirements, including the Information System Activity Review.
Audit logs, access reports and security incident tracking reports are a good start, but the OCR’s language in the Anthem Resolution Agreement includes requirements for “…regular review of records of information system activity collected…” and “…processes for evaluating when the collection of new or different records needs to be included in the review.”
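To make the two quoted requirements concrete, here is an added example (not code from the original post, from Anthem or from OCR) of a small, periodic activity review: it parses a batch of audit records, flags bulk exports of PHI and access outside business hours, and reports any record source that the review process does not yet cover, which is the trigger for deciding whether that source should be added to the review. The log line format, the sample records, the bulk threshold and the business-hours window are all constructed assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample audit records for illustration only (not from the Anthem investigation).
# Format is an assumption: ISO timestamp, then key=value pairs.
SAMPLE_LOG = """\
2015-01-10T09:15:00Z user=nurse01 action=view records=1 source=ehr
2015-01-10T23:40:00Z user=dba02 action=export records=250000 source=db_claims
2015-01-11T10:05:00Z user=analyst03 action=query records=1200 source=warehouse
2015-01-11T03:20:00Z user=nurse01 action=view records=1 source=ehr
2015-01-12T14:00:00Z user=svc_batch action=export records=50 source=new_reporting_tool
"""

# Record sources the review process currently covers (assumed). Anything else is
# surfaced so the review owner can decide whether to bring it into scope.
REVIEW_SCOPE = {"ehr", "db_claims", "warehouse"}
BULK_THRESHOLD = 10_000          # records in one export that warrant a look (assumed)
BUSINESS_HOURS = range(7, 20)    # 07:00-19:59 UTC (assumed)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"records=(?P<records>\d+) source=(?P<source>\S+)$"
)


def parse_line(line):
    """Parse one audit record into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["records"] = int(rec["records"])
    return rec


def review_activity(log_text):
    """Run one review pass over a batch of audit records and return the findings."""
    findings = {
        "bulk_export": [],            # (user, record count) for large exports
        "after_hours": [],            # (user, timestamp) for access outside business hours
        "out_of_scope_sources": set(),  # sources not yet covered by the review process
        "unparsed": 0,                # lines the parser could not read (also worth a look)
    }
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            findings["unparsed"] += 1
            continue
        if rec["action"] == "export" and rec["records"] >= BULK_THRESHOLD:
            findings["bulk_export"].append((rec["user"], rec["records"]))
        if rec["ts"].hour not in BUSINESS_HOURS:
            findings["after_hours"].append((rec["user"], rec["ts"].isoformat()))
        if rec["source"] not in REVIEW_SCOPE:
            findings["out_of_scope_sources"].add(rec["source"])
    return findings


if __name__ == "__main__":
    for key, value in review_activity(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The point of the `out_of_scope_sources` bucket is the second OCR requirement: a review that only ever looks at the sources it started with will silently miss a new reporting tool or database, so each pass should surface record types it has not been told about.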
Detecting and Responding to Security Incidents
While the OCR does not directly state that Anthem failed to properly report the attack and subsequent breach, the timeline and the Reportable Events section of the agreement set firm expectations on how Anthem will communicate subsequent events.
A company’s desire to control the narrative and conduct internal reviews should never obstruct its obligation to properly report security incidents and notify the OCR and impacted individuals.
Unfortunately, many organizations get Information Access Management wrong. The concepts of minimum necessary and restricted access are overridden by a business mentality of “I need access to everything!” However, what is convenient for users and systems developers may not meet your regulatory burden.
Network segmentation and password management requirements are just the beginning. Organizations must retrain users on what modern technology means for access risk. Giving too many people unfettered access to your systems means you are at greater risk when user credentials are compromised.
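The minimum-necessary point above can be checked rather than just asserted. The following added example (not code from the original post or from any vendor product) compares what users actually hold against the entitlements their job function needs, and counts how many accounts would expose a given entitlement if their credentials were compromised. The role definitions and the user snapshot are constructed assumptions; in practice the snapshot would be exported from your IAM or directory system.

```python
# Constructed role definitions (assumed): the minimum-necessary entitlements per job function.
ROLE_MINIMUM = {
    "nurse": {"ehr:read"},
    "billing": {"claims:read", "claims:write"},
    "dba": {"db_claims:admin"},
}

# Constructed snapshot of what users actually hold: user -> (role, granted entitlements).
USER_GRANTS = {
    "nurse01": ("nurse", {"ehr:read"}),
    "nurse02": ("nurse", {"ehr:read", "claims:read", "db_claims:admin"}),
    "bill01": ("billing", {"claims:read"}),
    "dba02": ("dba", {"db_claims:admin", "ehr:read"}),
}


def excess_entitlements(user_grants, role_minimum):
    """Return {user: grants beyond the role's minimum} for every over-provisioned user."""
    excess = {}
    for user, (role, grants) in user_grants.items():
        extra = grants - role_minimum.get(role, set())
        if extra:
            excess[user] = extra
    return excess


def blast_radius(user_grants, entitlement):
    """Count the accounts whose compromise would expose the given entitlement."""
    return sum(1 for _, (_, grants) in user_grants.items() if entitlement in grants)


if __name__ == "__main__":
    for user, extra in sorted(excess_entitlements(USER_GRANTS, ROLE_MINIMUM).items()):
        print(f"{user}: remove {sorted(extra)}")
    print("accounts exposing db_claims:admin:", blast_radius(USER_GRANTS, "db_claims:admin"))
```

Running this on the constructed data shows a nurse holding database administrator rights and a DBA holding clinical read access; the blast-radius count is the number that shrinks as those extras are removed, which is exactly the risk the paragraph above describes.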
The Thing Anthem Missed
The critical takeaway from the Anthem Resolution Agreement is a call for organizations to Be Proactive. No matter the size of an organization, safeguards are only as good as the effort put into enforcing them.
As experts in cyber security, Umbrella is here to help!
Contact us to learn about our ITMS 3.0 program and the wide array of security monitoring, detection, and threat mitigation services which help protect our clients from possible cyber-attacks.