Earlier this year, Anthem, Inc. agreed to pay $16 million to settle claims brought by the Office for Civil Rights of the U.S. Department of Health and Human Services. The claims followed Anthem's March report to that office of a breach, discovered at the start of 2018, that exposed the protected health information (PHI) of 79 million people over a period between December 2014 and January 2015. This settlement eclipses the previous high of $5.5 million paid by Memorial Healthcare Systems (MHS) for a breach of PHI relating to 115,143 individuals. While the number is certainly high, it is actually a good result for Anthem: its penalty worked out to $4.94 per person, while MHS's was $47.77 per person.
The circumstances leading to both breaches are similar and, sadly, all too common. In both cases, the organization failed to detect unauthorized access to protected information. In Anthem's case, the access came from someone outside the organization who obtained the credentials through a "phishing" scam. The MHS data was accessed by unauthorized affiliated physician office staff and employees using a former employee's credentials.
And last week, a former staffer at the Federal Deposit Insurance Corp. was convicted of stealing confidential regulatory filings and copying them onto a USB drive, allegedly to prepare for job interviews. This case also underscores a lack of audit trails and access controls, as well as a violation of security policies.
Audit Controls Can Alert Organizations to a Breach Sooner
Every organization has employees who will either deliberately or accidentally violate policy and training. There are a host of controls relating to awareness training, and these are an important part of any cybersecurity and privacy program. Properly implemented, they reduce the frequency of these occurrences. But no matter how thorough the training, sometimes it will fail. To guard against this possibility, organizations need controls in place to detect the event.
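As an added illustration (not from the original post, and not code from Harris Beach or Caetra), here is one form such a detection control can take: a review of application audit logs against the HR roster that flags use of a terminated employee's credentials (the MHS pattern) and unusually large record retrieval by a single account (the Anthem pattern). The roster, log lines and volume threshold are constructed for the example.

```python
from datetime import datetime, date
from collections import defaultdict

# Constructed sample data: an HR roster with termination dates and
# application audit-log lines (not from any real system).
ROSTER = {
    "jdoe": None,                 # active clinician
    "rlee": date(2018, 3, 1),     # terminated; account should have been disabled
    "claims_svc": None,           # active claims analyst
}

AUDIT_LOG = """\
2018-04-02T08:15:00 jdoe PHI_VIEW 12
2018-04-02T09:40:00 rlee PHI_VIEW 3
2018-04-02T22:05:00 claims_svc PHI_EXPORT 450000
2018-04-03T10:00:00 jdoe PHI_VIEW 9
"""

BULK_THRESHOLD = 10000  # records per user per day; tune to the role's normal workload

def parse_log(text):
    """Parse 'timestamp user action record_count' lines into dicts."""
    events = []
    for line in text.splitlines():
        ts, user, action, count = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "count": int(count)})
    return events

def detect(events, roster, threshold=BULK_THRESHOLD):
    """Return alerts for (a) activity under a terminated person's credentials
    and (b) per-user daily record volume above the threshold."""
    alerts = []
    daily = defaultdict(int)
    for e in events:
        term = roster.get(e["user"])
        if term is not None and e["ts"].date() >= term:
            alerts.append(("TERMINATED_ACCOUNT_USE", e["user"], e["ts"].isoformat()))
        daily[(e["user"], e["ts"].date())] += e["count"]
    for (user, day), total in sorted(daily.items()):
        if total > threshold:
            alerts.append(("BULK_PHI_ACCESS", user, day.isoformat(), total))
    return alerts

if __name__ == "__main__":
    for alert in detect(parse_log(AUDIT_LOG), ROSTER):
        print(alert)
```

In practice the roster comes from the HR system and the threshold from each role's observed baseline; the point is that both rules depend on audit logs that record who accessed how many records and when.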
The National Institute of Standards and Technology has a number of thoughtful publications devoted to improving cybersecurity and privacy practices, and has made a special effort to make them relevant to the private sector as well as to the government agencies it serves. Two in particular address these breaches: the Cybersecurity Framework and the security and privacy controls published in Special Publication 800-53. The two are related but different. The framework outlines the tasks an organization must undertake to implement a successful program, while the controls are the specific elements that must be implemented to make the program work.
The number of controls found in 800-53 is admittedly daunting. Relating them to the framework is difficult, and assessing them for proper implementation and efficacy is even harder. Moreover, determining which controls are required by HIPAA, whether additional controls should be implemented (even if not explicitly mentioned by regulation), and whether to consider additional requirements from other cybersecurity regulations or contractual obligations all make the work even more complex.
Cybersecurity Program As Dynamic Document
The development of these programs cuts across many aspects of an organization, including risk appetite, compliance, regulatory matters, technology and business operations. If done in a vacuum, a poor policy becomes nothing more than "shelfware," appreciated only by the compliance and legal departments during an annual review.
Harris Beach has significant experience working with the various stakeholders to develop cybersecurity programs that will actually persist as dynamic documents. As a display of our commitment, we have created an affiliate technology company, Caetra, to deliver an initial compliance program addressing a number of regulations, including HIPAA, so that clients can start to address these issues and avoid these types of fines. If you are interested in reducing your risks under HIPAA, contact one of our attorneys to discuss how our firm or Caetra can help reduce your compliance risks.