HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HIPAA Warning: Health Insurers Must Conduct A Full IT Security Audit

A HIPAA data breach affecting 150,000 individuals is shocking. A breach involving 11 million individuals is astonishing. Both incidents have occurred this month, with the latest mega data breach affecting almost three times the number of individuals as the Community Health Systems data breach of last year, making it the largest healthcare data breach of all time, eclipsing the Tricare breach of 2011 that exposed 4.9 million records.

It is clear that the healthcare industry has now entered a new era, where companies are being targeted by criminals who are looking to steal data on a monumental scale. Health insurers make attractive targets as they hold the personal information, health data and Social Security numbers of tens of millions of consumers and in many cases, network security measures are not particularly robust.

Huge Rewards for Hackers

According to a recent report issued by Price Waterhouse Coopers – Managing cyber risk in an interconnected world: key findings from the Global State of Information Security – the value of data is considerable. The report states that “A complete identity-theft kit containing comprehensive health insurance credentials can be worth hundreds of dollars or even $1,000 each on the black market, and health insurance credentials alone can fetch $20 each; stolen payment cards, by comparison, typically are sold for $1 each.”

What is particularly concerning is that the two mega data breaches to hit the industry this year – the 78.8 million-record breach at Anthem and the 11 Million record breach at Premera – were not just “smash and grab” incidents. The individual – or individuals – responsible entered the insurers’ computer systems and had months to take what they wanted.

Please see the HIPAA Journal Privacy Policy

A Wake Up Call for the Health Insurance Industry

The past two data breaches should serve as a wakeup call for Health Insurers and should prompt them to conduct full security audits of their IT systems.

If controls have not been implemented to limit what the staff is able to download, no IT security monitoring system has been installed to identify malware, or logs are not made of PHI access attempts, it is probable that a data breach may not even be detected if it has occurred. Many HIPAA-covered entities are likely to find out that security vulnerabilities in their systems cannot just be exploited by hackers, but that they have already been exploited and that PHI has already been stolen.

The recent 150,000-record hacking incident at Advantage Dental highlights the importance of robust data security measures. The healthcare provider had implemented an intrusion detection system which was able to identify the improper accessing of PHI. The breach was not avoided, but the damage caused was certainly limited.

What does HIPAA Say About Healthcare Data Security?

The Health Insurance Portability and Accountability Act requires all covered entities to conduct a comprehensive risk analysis to assess all systems, policies and procedures for potential security vulnerabilities which could be used by hackers and thieves to gain access to Protected Health Information. If a full risk analysis is not conducted, it is impossible to determine whether all security holes have been plugged.

The Risk analysis also cannot be a onetime event, as while all issues should be identified – and those risks managed – procedures, policies and IT systems change. The risk analysis must therefore be an ongoing procedure, and should be conducted regularly to ensure that systems – and the PHI stored in them – remains secure.

Measures to Take to Prevent HIPAA Data Breaches

It may not be possible to prevent all HIPAA data breaches, although actions can be taken to make it harder for criminals to access, view and steal PHI and to limit the damage caused if IT systems are compromised. These actions can also help healthcare providers and insurance companies from being issued with financial penalties and will limit liability in negligence lawsuits.

These measures include:

  • Performing a full risk analysis to identify vulnerabilities
  • Acting on all findings and effectively manage risk
  • Implementing an intrusion detection system
  • Monitoring , logging and auditing PHI access
  • Configuring systems to automatically install antivirus updates
  • Patching all servers and devices used to access PHI as soon as updates are released
  • Routinely scanning internal systems for malware and viruses that could have escaped detection
  • Training all staff on HIPAA Privacy and Security Rules and responsibilities under this legislation
  • Training staff on how to identify viruses, malware and phishing attempts
  • Encrypting All PHI in storage and in transit

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.