On October 15, 2018, the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) announced its largest enforcement settlement to date. Anthem, Inc. will pay OCR $16 million and implement a substantial Corrective Action Plan, pursuant to the settlement. This settlement amount is almost three times larger than OCR’s previous record settlement of $5.55 million with Advocate Health Care Network. OCR imposed such a large fine due to Anthem’s significant cyber security vulnerabilities, but also because Anthem failed to institute sufficient security policies and procedures to prevent and respond to such an incident. In many organizations, cyber security is specifically handled by the IT departments while broader HIPAA compliance falls under the realm of the HIPAA Security Officer. This recent settlement provides a strong warning that these two departments should work hand-in-hand to effectively tackle cyber security.
On March 13, 2015, Anthem notified OCR that cyber-attackers had gained access to its IT system in January 2015. The attack was an “advanced persistent threat attack” where attackers used a vulnerability created by a previous spear phishing email sent to an employee of Anthem’s subsidiary. This allowed the attackers to gain access to the system and launch further attacks. OCR’s subsequent investigation found that between December 2, 2014 and January 27, 2015, the cyber-attackers stole the electronic protected health information (ePHI) of almost 79 million individuals. OCR also found that Anthem lacked appropriate measures for detecting cyber threats, and failed to conduct an enterprise-wide risk analysis, create sufficient procedures to regularly review system activity, timely identify and address suspected or known cyber threats, and have adequate minimum access controls in place. These are important aspects of any HIPAA Security Rule compliance program.
Tips for Strong Security Rule Compliance
- Conduct periodic risk analysis of ePHI vulnerabilities and identify ways to mitigate/remediate risks.
- Focus additional security efforts on the most vulnerable or valuable files, such as patient records.
- Train employees on an ongoing basis to monitor email carefully, identify and report possible phishing attacks, and to not open attachments from unknown parties.
- Develop a business continuity plan to prevent down time in the event of a cyber-attack.
- Assign cyber security responsibilities to someone in a senior position in the organization.
- Maintain written disaster recovery plans for cyber-attack incidents.
- Update and patch systems regularly to prevent intrusions.
- Conduct regular systems tests to flag vulnerabilities.
- Train employees to recognize and prevent cybercrimes, and regularly test employees to make sure they are not falling for phishing e-mails and other common cyber-attack methods.
- Limit employee access to systems on a need-to-know standard.
- Have offline storage of data and establish real-time backup to allow work to continue if there is a system issue.
- Establish a patching schedule, and make sure patches are updated to protect from the latest cyber security threat.
- Configure email servers to block zip or other files that are likely to be malicious.
- Ensure frequent data backups to permit restoration of lost data in the case of an attack.
- In the event of an attack, disconnect infected systems from a network, disable Wi-Fi, and remove USB stocks or external hard drives from infected computer systems.
These security and compliance tips will provide a starting point for your organization to act in a quick and organized manner to prevent, detect, isolate, and mitigate a cyber-threat.