Written by Kathy Gleason, CHC, HIT+ Compliance Analyst for c1secure
Anthem, Inc. (formerly WellPoint, Inc.) is the latest corporation to notify the public of a breach of personal information. In a statement by Joseph Swedish, President and CEO of Anthem, Inc., it was described as “a very sophisticated external cyber attack.” He went on to assure clients that the access seemed to be limited to “names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data,” likely hoping the lack of medical and health information would keep potential HIPAA fines at bay.
HIPAA, however, includes any individually identifiable health information, so one might argue whether or not accessing medical IDs, social security numbers and demographic information falls under the HIPAA breach component. It matters little to those whose information has been compromised, as the mere threat of any compromise can result in issues that could have impact for many years to come.
At this point we have to rely on information being reported by the corporation and the media. Claims are that sometime last week, a systems administrator noticed his personal identifier code was being used to run a query that he had not initiated. Anthem quickly traced the data to an external virtual storage solution and stopped the transmission. It remains unknown whether information had been moved beyond that point prior to Anthem’s efforts to halt the breach.
Until and unless further details are released, we may never know how hackers were able to gain access to the identifier code of a systems administrator, or how that code was used to run a query that likely was not within the scope of the sysadmin’s job description. We don’t even know whether other ID codes were compromised, but it is safe to assume the possibility. A thorough look at policies and controls is warranted, as are the methods and frequency of auditing these controls. Password constraints, minimum necessary level of access, data encryption and many other areas need to be reviewed. A third party has now been hired to help review the incident.
The potential for a breach will always be a possibility. Technology changes quickly and cybercriminals operate at an expert level. The best defense for your data is the highest level of defense. A corporation entrusted by clients to safely and securely maintain personal information should spare no expense to accomplish this goal. The technology exists for continuous monitoring with customized controls, calling exceptions to the attention of staff for review. Additionally, technology is available to make the hijacking of personal ID codes, especially for higher-level roles, far less likely.
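As an added illustration of the kind of continuous monitoring described above (example code written for this article, not a product or Anthem’s own tooling), the script below compares privileged-account activity against a per-user baseline and queues deviations for human review. The audit records, the baseline for the hypothetical account `sysadmin42`, the internal address prefix and the row threshold are all constructed for the example.

```python
"""Added example: flag privileged-account activity that deviates from a
per-user baseline so a reviewer sees it, rather than the admin noticing
by chance. All data below is constructed for illustration."""
from datetime import datetime

# Constructed baseline: where and when each privileged ID normally works.
BASELINE = {
    "sysadmin42": {"hosts": {"jump01", "jump02"}, "hours": range(7, 19)},
}
# Constructed internal address prefix; anything else is treated as external.
INTERNAL_PREFIX = "10.20."

# Constructed audit records: time,user,host,action,rows,destination
AUDIT_LOG = """\
2015-01-27T09:14:02,sysadmin42,jump01,QUERY,120,10.20.5.8
2015-01-27T23:41:55,sysadmin42,vpn-pool-7,QUERY,8000000,10.20.5.8
2015-01-28T02:03:11,sysadmin42,vpn-pool-7,EXPORT,8000000,198.51.100.23
"""

def parse(line):
    """Split one CSV audit record into a dict with typed fields."""
    ts, user, host, action, rows, dest = line.split(",")
    return {"ts": datetime.fromisoformat(ts), "user": user, "host": host,
            "action": action, "rows": int(rows), "dest": dest}

def exceptions_for(rec, baseline=BASELINE, row_limit=100_000):
    """Return the reasons this record deviates from the user's baseline."""
    reasons = []
    b = baseline.get(rec["user"])
    if b is None:
        return reasons  # not a monitored privileged ID
    if rec["host"] not in b["hosts"]:
        reasons.append("unusual source host")
    if rec["ts"].hour not in b["hours"]:
        reasons.append("outside normal hours")
    if rec["rows"] > row_limit:
        reasons.append("bulk read")
    if rec["action"] == "EXPORT" and not rec["dest"].startswith(INTERNAL_PREFIX):
        reasons.append("export to external destination")
    return reasons

def review_queue(log=AUDIT_LOG):
    """Records that need staff review, oldest first, with their reasons."""
    queue = []
    for line in log.strip().splitlines():
        rec = parse(line)
        reasons = exceptions_for(rec)
        if reasons:
            queue.append((rec["ts"].isoformat(), rec["user"], reasons))
    return queue

if __name__ == "__main__":
    for item in review_queue():
        print(*item)
```

The first record matches the baseline and is ignored; the late-night query from an unfamiliar host and the bulk export to an external address both land in the review queue, which is the point at which a control other than the admin’s own vigilance would have fired.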
Often, the cost of a higher level of technology and safeguards falls under scrutiny using the Return on Investment argument coupled with the Risk vs. Benefit theory. This is especially true in the healthcare industry, where revenue streams are challenging and costs high. If the proposed expense is high and the perceived risk medium to low, safeguards are often rejected so other priorities can be met. This reminds me of the story of the Three Little Pigs. If you build your house with straw or twigs, you risk a big bad wolf being able to blow it down.
Ultimately, defense-in-depth continues to be the clear path to better securing your environment. Implementing technology and managing it with prudent process is vitally important, regardless of the type of business you are in. What holds it all together? The PEOPLE. The same principle that’s been stated for years still holds true today in the age of the hack: people, process and technology working together, so that if one control breaks down, there is another mitigating control in place to protect your assets.
In striking that balance, remember that if you build your house with straw or twigs, you risk a big bad wolf being able to blow it down. In the meantime, a more thorough and frequent inspection of policies, controls and safeguards, preferably through a security and compliance platform that provides visibility from a single source of truth, will significantly strengthen an organization’s risk mitigation posture.