On Friday, attorneys announced a $115 million settlement to customers affected by the 2015 Anthem data breach. It is believed to be the largest settlement related to a data breach in history. Approximately 79 million people were affected by the breach. The settlement funds will be used to provide two additional years of credit monitoring to affected individuals, or cash for those already enrolled in monitoring. This is in addition to the initial two years of credit monitoring previously offered.
The February 2015 breach was caused by an unknown hacker who accessed a database with personal information. There has been no evidence that the information was released on the cybercrime underground, which leads some to theorize that it was the work of a state-sponsored hacker.
This settlement is in addition to the $260 million of security improvement, remediation and clean-up which followed the breach, bringing the total costs associated with this breach to $375 million.
As you probably heard, a massive ransomware attack swept through networks around the world on Friday. It appears to have started in the healthcare industry, underscoring the vulnerabilities within the entire industry. While the ways to defend against or prevent this attack are nothing new, here are the three things you should do right now.
- Update All Patches: WannaCry exploits a vulnerability in the Windows OS. Microsoft has released a patch to correct this vulnerability, including for Windows versions it technically no longer supports. Be sure ALL patches, especially Windows patches, are up to date on all workstations and mobile devices.
- Re-Train Staff On E-mail Best Practices: WannaCry is initially delivered through an e-mail attachment or link. You should remind all staff immediately to be aware of ALL links and attachments they receive, especially in the next few days. Everything about an e-mail with a link or an attachment should be scrutinized before opening the link or downloading the attachment. If anything seems suspicious or out of place, contact the sender to confirm its authenticity or contact your IT manager for further instructions.
- Validate Backups: If patching and training are ineffective, your last line of defense against WannaCry is having up-to-date backups that are segmented from the rest of your network and are taken frequently. You should also have recently tested your backups to ensure you can restore your systems if necessary.
Despite what you might have heard in various news reports, we expect this ransomware attack to continue to spread for the next several days or weeks. You should take these three steps immediately to prevent your organization from falling victim to this attack. We will send additional updates as new information warrants. Let us know if you have any questions.
No one likes to think about it, but malicious attacks by an insider and other insider threats are the cause of a significant number of healthcare data breaches. They can be from a disgruntled employee, a recently terminated member of the staff, or even someone who is being bribed to provide patient information. While they may be some of the hardest attacks to guard against, they are preventable. Here are a few steps to keep in mind,
Screen New Hires: One of the best prevention methods is to not hire someone who turns out to be a malicious employee in the first place. You may consider completing a background check on all new hires and even periodic checks on current staff members. While not an exact science, it may help to identify potential bad actors before they cause any damage;
Terminate Employees Immediately: Often when employees leave any organization there can be hard feelings which potentially leads to irrational decisions. To help guard against this, you should terminate all access to PHI immediately upon the employee leaving the organization. Any delay in terminating access can leave you susceptible to the whims of a disgruntled former employee;
Perform Regular Access Audits: Having a process in place to review logs of who within your organization is accessing PHI and what they are accessing can be a helpful tool in spotting a snooping employee. To truly be effective, the logs need to be reviewed on a consistent basis to identify an employee who is accessing PHI unnecessarily or to pick up suspicious patterns of access; and
Train Staff on Sanctions: Training should include information that outlines the sanctions that can be imposed (both by you, the employer, and the authorities) for malicious actions involving the access or disclosure of PHI.
Admittedly, guarding against insider threats is a challenge, but it is possible. If you implement reasonable protections then you can prevent or stop nefarious actions by your staff.
Last week the Department of Health and Human Services Office for Civil Rights (“OCR”) announced another large HIPAA fine. This instance is a $5.5 million fine with Memorial Healthcare System (“MHS”). Unfortunately, some of the issues that led to the breach, and thus the settlement, were highly preventable, and therefore are worth pointing out. The primary issues included,
Failing to implement its own policies and procedures for modifying/terminating access to PHI;
Failing to review records of PHI accessed by staff; and
Failing to act on risks identified during a security risk assessment.
Specifically, for over a year MHS failed to close the account of a terminated employee. That account was used to access PHI affecting more than 80,000 individuals.
This highlights the need for several things. First, you must have a specific process in place to terminate accounts when employees leave. This typically requires HR and IT to work closely together. If you don’t have a smooth process, consider working closely with both departments to establish a consistent procedure.
Second, you should periodically review who is accessing PHI. If MHS had done this they would likely have noticed that an account of a terminated employee was not only still active, but was being utilized to access PHI. As we have discussed in the past, the reviews can be a high frequency sample that is conducted on a consistent schedule, rather than an exhaustive review of all accounts and access levels.
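As an added illustration of the access-audit steps described above (this is example code written for this post, not from MHS, OCR or any vendor), the following Python script cross-checks a constructed HR roster against account status and a constructed PHI access log. It flags the two failures in the MHS case: an account left enabled after its owner departed, and PHI accesses made after the departure date. All account names, dates and record ids are made up.

```python
from datetime import date

# Constructed HR roster: the date each account owner left (None = still employed).
HR_ROSTER = {
    "jdoe": None,
    "asmith": date(2016, 3, 15),
    "bjones": date(2016, 9, 1),
}

# Constructed directory state: whether each account is currently enabled.
ACCOUNT_STATUS = {
    "jdoe": True,
    "asmith": True,   # should have been disabled on 2016-03-15
    "bjones": False,
}

# Constructed PHI access log: date, account, patient record id, action.
ACCESS_LOG = """\
2016-03-10,asmith,MRN-1001,view
2016-04-02,asmith,MRN-1002,view
2016-04-03,jdoe,MRN-1003,view
2016-05-20,asmith,MRN-1004,export
"""

def parse_log(text):
    """Parse the comma-separated log into (date, account, mrn, action) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        d, user, mrn, action = line.split(",")
        rows.append((date.fromisoformat(d), user, mrn, action))
    return rows

def orphaned_accounts(roster, status):
    """Accounts still enabled even though HR recorded a departure date."""
    return sorted(u for u, left in roster.items() if left and status.get(u))

def post_termination_access(log_rows, roster):
    """Log entries where the account owner had already left the organization."""
    hits = []
    for d, user, mrn, action in log_rows:
        left = roster.get(user)
        if left is not None and d > left:
            hits.append((d.isoformat(), user, mrn, action))
    return hits

if __name__ == "__main__":
    print("Enabled accounts of departed staff:", orphaned_accounts(HR_ROSTER, ACCOUNT_STATUS))
    for hit in post_termination_access(parse_log(ACCESS_LOG), HR_ROSTER):
        print("PHI access after departure:", hit)
```

Run on a consistent schedule (for example, against the last week of access logs and the current HR termination list), this kind of check is the high-frequency sample review mentioned above.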
Additionally, MHS identified many of these items as causing potential risk to the organization through several Security Risk Assessments. However, it failed to do anything to remediate the issues. Much significance has been placed on conducting a risk assessment, but little has been done to highlight the need that identified risks need to be corrected. One output of your risk assessment should be a prioritized list of items that need remediation. You should be establishing milestones along the way to correct these issues and tracking your progress.
Finally, MHS failed to implement the policies and procedures it had in place on many of these issues. Having policies and procedures that outline your safeguards is important, but following your documentation is absolutely critical. HIPAA compliance is as much about compliance with your own policies and procedures as it is about doing what the rule requires. This is one reason why it is important to frequently review your policies and procedures to ensure you are doing what those documents outline.
In summary, this large breach fine highlights the fact that protecting patient information is not about high-tech solutions, but rather about doing the little things. Not doing some basic tasks compounds the issues and exacerbates the damage.
Covered Entities and Business Associates must report breaches of PHI in a timely manner. In most states, you will have up to 60 days (without unreasonable delay) from the time of discovery to notify the individual; however, your state may have shortened that timeframe. For breach notification to the U.S. Secretary of Health and Human Services there are two potential times for notification. For breaches affecting more than 500 people, it must also be within 60 days of discovery (without unreasonable delay). For breaches that occurred in 2016 and affected under 500 people, notification must be made to the Secretary before Thursday, March 2, 2017. Instead of sending a HIPAA breach notification letter, these breaches should be submitted via the electronic breach report.
As a reminder, you must consider the following factors when determining if a breach occurred,
- The nature and extent of the PHI involved, including the type of identifiers and the likelihood of re-identification;
- The unauthorized person to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.
If you can determine through this analysis that there is a low probability the PHI was compromised, then a breach did not occur and notification is not necessary. However, if you determine that it was anything more than a low probability the PHI was compromised, then a breach did occur and must be reported.
By way of summary, all breaches must be reported to the individual and to the Secretary of HHS. If you had a breach in 2016 affecting under 500 people, the deadline for you to notify the Secretary is March 2.
In a recent survey, privacy, security and risk management leaders felt employee negligence was the largest privacy and security threat. Given the number of recent breaches caused by malicious cyber-attacks, this is an interesting observation by the professionals in the field. Furthermore, over 50% of respondents believe healthcare will remain the industry most at risk in 2016.
What do you think is the largest privacy and security threat in your organization? What are you doing to prevent a breach? To face these challenges, a majority of respondents are increasing their budgets for privacy and security protections. If your budget is limited, there are ways to put cost-efficient safeguards in place. Some suggestions include,
- Send periodic e-mail reminders to your staff about specific safeguards (access controls, passwords, minimum necessary rule);
- Check that patches (including on mobile devices) are up-to-date; and
- Verify that your business associates or subcontractors have implemented their own safeguards.
Updated HIPAA Audit Whitepaper
The HHS Office of Civil Rights now says the HIPAA audits will start soon. Take a look at our most recent whitepaper to learn what you can do today to prepare.