Last month, Anthem, Inc., reached a record $16 million settlement with the US Department of Health and Human Services’ Office for Civil Rights (OCR) for a HIPAA breach. The case involved a 2015 hack into Anthem’s system in which cyber criminals stole the electronic health information (including Social Security numbers, addresses, and birth dates) of nearly 79 million people.
The large fine was handed down not only because so many records were breached, but also because of the lack of HIPAA safeguards put in place by Anthem. When it was conducting its investigation into the breach, OCR found the organization was missing a mainstay of HIPAA compliance: a risk analysis.
An independent licensee of the Blue Cross and Blue Shield Association, Anthem is one of the country’s largest health benefits companies, according to an OCR press release.
Though the organization had invested in IT security, a simple risk analysis might have revealed security gaps that could potentially have prevented the breach. Hackers accessed the system when one or more employees opened a phishing email. The intruders were in the system for more than a year undetected because Anthem did not review IT activity that could have detected the breach sooner.
The organization found out the breach had occurred merely by accident when someone with administrative privileges tried to log into the system and their credentials were already being used, according to Andrew Hicks, Vice President of Healthcare Assurance at Coalfire Systems, Inc., which has its headquarters in Westminster, Colorado. “It was pure luck that they found out,” he said. “It could have been a lot worse.”
Many experts agree that the attack on Anthem’s system was caused by a simple lack of IT housekeeping, which could happen to any health care organization. Though OCR knows this, it is increasingly holding organizations accountable for breaches, even those caused by human error.
The Anthem settlement was nearly triple the highest dollar amount paid to date to OCR by a health care organization. It could have been higher, though. OCR appeared to take into account the other funds already paid out by Anthem with respect to the breach.
“The largest health data breach in US history fully merits the largest HIPAA settlement in history,” OCR Director Roger Severino said in the press release. “Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information.”
Though $16 million may sound like a devastating fine for many organizations, it is not much for a group as large as Anthem. It was, however, the last of hundreds of millions spent on the breach, according to Donna Grindle, President of Kardon in Tucker, Georgia.
On a podcast Grindle hosts for Kardon, she lists the funds Anthem spent in remediation including:
· $2.5 million for expert consultants
· $115 million on security upgrades
· $31 million to notify patients affected
· $112 million for credit protection for patients impacted
· $115 million on a civil suit filed by more than 19 million of the affected patients.
This totals a hefty $375.5 million before OCR even fined Anthem. Grindle said the company’s corrective action plan could continue for years to come, meaning the organization will likely be dedicating money and resources toward this breach (which occurred in 2014) well into 2020.
A corrective action plan of the scope Anthem has “is not something you can spend an hour a week on,” which is what Grindle suggests her clients do to manage HIPAA compliance to avoid these breaches in the first place.
Though large health systems like Anthem can spend millions on IT security, they often “fail miserably” when it comes to the basics, said Richard Staynings, Senior Vice President and Chief Security and Trust Officer for Clearwater Compliance, LLC, based in Nashville, Tennessee.
He sees organizations dealing with breaches because they allow doctors to copy patient information and take it home on USB drives, or forget to remove former employees from the system.
“Doctors tend to tell the office manager, ‘Go read up on this (HIPAA) and make sure we are meeting the standards,’” he said. This is so complicated, however, that doctors in small practices need to partner with experts “who can understand the potential weaknesses that could come back to bite them.”
Anthem, Staynings said, was “lulled into a false sense of security” because the company had received the Health Information Trust Alliance (HITRUST) certification. HITRUST is an IT security framework that can act as an umbrella that, when implemented, is meant to cover various regulations and standards, including those of HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act. Unfortunately, securing an organization through HITRUST does not always result in meeting all HIPAA requirements, Staynings said. For instance, HITRUST might not take steps to identify an organization’s vulnerabilities or evaluate whether the organization’s risk analysis is up to HIPAA standards. OCR, he said, recommends using guidelines from the National Institute of Standards and Technology.
Regardless of the kind of external assessment that is done, an organization would be remiss to assume any of them will solve all of its HIPAA issues, Hicks said. “Those are all point-in-time assessments,” he said. “Security is a program that takes ongoing maintenance. After the final report is received, what happens, then?”
A risk analysis will shine a light on areas that need improvement. He, too, sees inventories of protected health information that are incomplete, outdated, or inaccurate, as well as policies and procedures lacking required practices and organizations that fail to ensure that their vendors are safeguarding data. While Anthem was certified against the most comprehensive framework (HITRUST CSF), the organization failed to include the compromised environment in scope. Additionally, the organization failed to perform a risk analysis. Not performing a risk analysis—or having a bad one—likely puts organizations under a category OCR calls “willful neglect.”
“If they flat out didn’t do anything to prevent a breach, the fines will get pushed up higher,” Hicks said. “If they did something to prove that they had some level of due diligence, the fines go down a bit.”