HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

After the Anthem Breach

Since the Anthem breach was made public earlier this year, there has been a host of commentary on everything from the need for more data encryption measures to the need for more accountability at the C-level of most health care organizations. While many of these measures may prove to be the new reality, what is clear right now is that most health care organizations will be taking a much closer look at how vendors manage protected health information. This puts the security programs and compliance efforts of Business Associates (BAs) under a microscope.

Vendors handling electronic protected health information (ePHI) need to make sure their services are HIPAA and HITRUST compliant. That not only protects them from the risks of non-compliance, which include potential financial and criminal penalties, but will likely position them as a trustworthy vendor and give them a competitive advantage in the health care market. This article outlines what BAs should know about HIPAA and HITRUST, so they can make informed decisions for their business.

The Landscape

Threats to data security, including ePHI, are ongoing and seem to increase every day. State-sponsored attacks on health care data appear to be rising, concerns about the safety of data in the cloud persist – the list goes on and on. The November 12, 2014 Forrester Research article Predictions 2015: Data Security and Privacy are Competitive Differentiators states, “If your customers don’t trust you to rigorously protect and genuinely respect their sensitive data, they’ll take their business elsewhere. Thus, if your enterprise wants to successfully win, serve, and retain customers, the people, process, and technology that underpin data security and privacy must be critical elements of its business technology agenda.” They go on to add, “Half of enterprises will consider privacy a competitive differentiator.”

Business Associates Defined

Vendors should start by having a clear understanding of whether or not they are a BA. Essentially, if a company contracts with a Covered Entity to perform services on their behalf, and ePHI is involved, they are a BA. Common functions of BAs include billing, data analysis, claims processing and utilization review. Other functions that fall under the BA umbrella include providing managed services, data hosting, mobile applications or software as a service (SaaS).

If defined as a BA, vendors need to understand their responsibilities under the HIPAA Omnibus Rule. BAs are directly responsible for protecting ePHI and must be able to demonstrate those safeguards to their health care clients. When it comes to assessments, both HIPAA and HITRUST are designed to safeguard health care information. Beyond that, their objectives are different.

HIPAA Assessments

Once a BA completes a HIPAA security assessment, and all audit recommendations have been resolved, they are considered compliant with the regulatory requirements specifically addressed by the HIPAA Security Rule.

However, when BAs focus solely on the HIPAA Security Rule from a compliance-only perspective – without performing a true risk analysis – there are usually gaps in security controls that mean cyber threats to ePHI have not been fully addressed.

Assessments can become complicated by the fact that HIPAA provides limited guidance to BAs about how to determine risk, so BAs typically need to look for guidance from organizations such as the National Institute of Standards and Technology (NIST) or HITRUST.

HITRUST Assessments

Unlike HIPAA, HITRUST is not a standard or regulation. HITRUST assessments are focused on identifying and resolving risk. They consider compliance with HIPAA regulations but take a broader approach to protecting ePHI.

The HITRUST Common Security Framework (CSF) was developed to provide organizations with a comprehensive, integrated approach to protecting ePHI data in the health care industry. The CSF’s control requirements are scaled based on the characteristics of the organization and systems to be evaluated. It considers all the standards and regulations that apply to BAs and other health care organizations including HIPAA Security Rule requirements, NIST and ISO standards, as well as the plethora of other federal, state and business requirements.

Anthem Breach Tally: 78.8 Million Affected

Anthem Inc. now confirms that the health insurer's recent data breach compromised a corporate database containing personal information on 78.8 million individuals. Earlier reports about the breach, which was revealed Feb. 4, estimated the total at 80 million.

Those affected include 60 million to 70 million of Anthem's current and former members, a spokesperson for Anthem confirmed in a statement provided to Information Security Media Group. The remainder include members of other Blue Cross and Blue Shield plans who used their insurance in a state where Anthem operates during the past 10 years, the insurer says.

Anthem, the nation's second largest health insurer, estimates tens of millions of individuals' records were actually stolen, and not just viewed, by the hackers, Reuters reports. In its statement provided to ISMG, Anthem notes that it's continuing to analyze how many members' information was stolen by the hackers. But the company says it anticipates the number affected by theft of data "to be less than the total number of consumers whose data could have been viewed."

The Hill reports that Robert Anderson, who leads the FBI's criminal, cyber, response and services branch, told reporters during a roundtable on Feb. 24 that the bureau is "close" to identifying the hackers responsible for the Anthem breach. But Anderson added that the FBI would not release the identity of the hackers until the bureau is "absolutely sure."

The records for approximately 14 million people in the database are incomplete, which has prevented the health insurer from identifying where the customers had enrolled, according to Anthem's statement. "It is important to note that there is a very low likelihood that these incomplete member records tie to current, active Anthem members," the company says.

The insurer says that information exposed in the breach did not include "credit card information, banking information or confidential health information." But the hack did expose names, dates of birth, Social Security numbers, member health ID numbers, home addresses, phone numbers, e-mail addresses and employment information, including income data, Anthem says.

On Feb. 24, attorneys general in several states issued statements confirming the number of impacted residents. For example, Connecticut Attorney General George Jepsen says the Anthem breach impacted more than 1.7 million residents. And the Minnesota Department of Commerce says the cyber-attack compromised data on more than 30,000 Minnesotans.


Anthem Refuses Full IT Security Audit

A federal watchdog agency says Anthem Inc. has refused to allow it to conduct vulnerability scans of the health insurer's systems in the wake of its recent massive data breach affecting 78.8 million individuals. Anthem also refused to allow scans by the same agency in 2013.

The Office of Personnel Management's Office of Inspector General, in a statement provided to Information Security Media Group, says Anthem has refused to allow the agency to perform "standard vulnerability scans and configuration compliance tests" this summer, as requested by the OIG. The health insurer also refused to allow the OIG to conduct those vulnerability tests in 2013 as part of an IT security audit that was performed by the agency on its systems.

"What we had attempted to schedule for the summer of 2015 was a sort of 'partial audit' - what we call a 'limited scope audit' - that would have consisted only of the work we were prevented from conducting in 2013," an OIG spokeswoman explains. "So this is the second time that Anthem has refused to permit us to perform our standard vulnerability scans and configuration compliance tests."

OPM's OIG performs a variety of audits on health insurers that provide health plans to federal employees under the Federal Employee Health Benefits Program, or FEHBP. Under the standard FEHBP contract that OPM has with insurers, however, insurers are not mandated to cooperate with security audits, the OIG spokeswoman tells ISMG. In some cases, amendments are made to insurers' federal contracts to specifically require the full audits, she says. In fact, the OIG is now seeking such an amendment to Anthem's FEHBP contract, she adds.

The OIG says in a statement that after the recent breach was announced by Anthem, "we attempted to schedule a new IT audit of Anthem for this summer. Anthem recently informed us that, once again, it will not permit our auditors to perform our standard vulnerability scans and configuration compliance tests. Again, the reason cited is 'corporate policy.'"

In its statement, the OIG also notes: "We have conducted vulnerability scans and configuration compliance tests at numerous health insurance carriers without incident. We do not know why Anthem refuses to cooperate with the OIG."

Anthem did not respond to ISMG's request for comment.

2013 Audit

In January 2013, when the OIG initiated an IT security audit, Anthem imposed restrictions that prevented auditors from adequately testing whether it appropriately secured its computer information systems, according to the agency's statement.

"One of our standard IT audit steps is to perform automated vulnerability scans and configuration compliance audits on a small sample of an organization's computer servers. These scans are designed to identify security vulnerabilities and misconfigurations that could be exploited in a malicious cyber-attack," the OIG says.

The agency says its objective in conducting scans "is not to identify every vulnerability that exists in a technical environment, but rather to form an opinion on the organization's overall process to securely configure its computers."

When the OIG requested to perform this test at Anthem in 2013, "we were informed that a corporate policy prohibited external entities from connecting to the Anthem network," the agency said.

"In an effort to meet our audit objective, we attempted to obtain additional information about Anthem's own internal practices for performing this type of work," the OIG says regarding the 2013 audit. "However, Anthem provided us with conflicting statements about its procedures, and ultimately was unable to provide satisfactory evidence that it has ever had a program in place to routinely monitor the configuration of its servers."

Earlier Findings

Although Anthem refused to allow OIG auditors to conduct the vulnerability testing, the insurer did allow the watchdog agency to conduct an information systems general and application control audit in 2013.

Among the findings of that more general 2013 audit, OIG found that Anthem, formerly known as WellPoint, "has established a series of IT policies and procedures to create an awareness of IT security at the plan. We also verified that WellPoint has adequate human resources policies related to the security aspects of hiring, training, transferring, and terminating employees," according to the OIG audit report released in September 2013.

That more limited audit report also said in summary: "Nothing came to our attention to indicate that WellPoint does not have an adequate security management program."

However, the OIG says in its March 4 statement, "As a result of the scope limitation on our audit work and Anthem's inability to provide additional supporting documentation, our final audit report stated that we were unable to independently attest that Anthem's computer servers maintain a secure configuration."

After the 2013 partial audit, the OIG says it contacted OPM management about its concerns regarding auditors' limited access to Anthem systems. "After discussions with our office, OPM amended the FEHBP contract to allow a certain degree of auditor access. Since that time, this provision has proven to be insufficient, and we are currently working with OPM to further amend the contract."
