5 HIPAA Lessons From the Anthem Cyber Attack

Another major hack has come to light. Anthem, Inc. was the victim of a cyber attack. They reported that no patient health records have been compromised, but they think Social Security Numbers, addresses, and policy numbers were revealed.

This is a nightmare for everyone affected because Social Security Numbers are worth a lot more than some credit cards.¹ A credit card can be shut down pretty quickly with minimal damage. A compromised Social Security Number opens the door to even more possibilities: fraudulent tax returns, loans, credit cards, etc.

What are the HIPAA lessons we can learn from this attack?

1. Security Audit – Have you done your Risk Assessment that is required under HIPAA? If you have, when was the last time you updated it? If it’s been more than a year, it’s a good idea to revisit it now. Performing a Risk Assessment makes good business sense for all businesses, not just carriers.
2. Encryption – Are you encrypting all information stored or transmitted from your devices? The information that was stolen from Anthem wasn’t encrypted. Anthem spokeswoman Kristin Binns told The Wall Street Journal that the company encrypts personal data when it’s moved in or out of the database but not when it’s stored, 2 a practice she said is common in the industry. Make sure you are encrypting that data in all phases – transit, rest and storage.
3. Firewalls – This can be a hardware device, software configuration, or a combination of both. You will want to block all traffic, and then whitelist connections as you need them. This can help keep hackers out of your systems.
4. Passwords – Have you recently required password changes for all computer systems? Are you requiring strong passwords? This means at least 8 characters, capitalizations, numbers, and special characters if your system supports this. Weak passwords are an open invitation to hackers.
5. Training Employees – We don’t know any details on how the hackers were able to access the databases, but make sure your employees know your policies on protecting data in your company or practice.

These steps are not foolproof but can make you less of a target, and make it a little harder for a hacker to get into your systems. Why would a hacker mess with you when there are easy pickin’s elsewhere?

What have the folks at Anthem done properly in dealing with this Breach?

1. Notify Law Enforcement – If you discover a Breach, your first step is to work with your Security Officer to determine the extent of the Breach. In the case of the Anthem Breach, they contacted the FBI for assistance with this case.
2. Internal Security Audit – You will want to figure out how you were hacked. Anthem is working with a major IT firm to harden their systems and find out how this happened.
3. Notify the Public – A Breach of over 500 individuals’ information requires that you notify local media outlets with information on what has happened and how to contact you. Then post the information on a conspicuous place on your website. Anthem issued a press release, and set-up a website with all the information they know about the Breach.
4. Contact Clients/Patients – You are required to contact all clients and patients that have had their information compromised. Anthem is in the process of determining the extent of the Breaches. They have stated they will be directly contacting those whose information has been compromised.

Anthem is to be commended for the speedy actions they have taken. What remains to be seen is how their systems were compromised. Were they lax in their cybersecurity, was it a poor policy, or will we learn there were software issues? This Breach is a reminder to us all too frequently review our Security Policies and Procedures, and make sure our systems are as secure as possible.

1. http://fortune.com/2015/02/05/why-health-hacks-are-worse-than-credit-card-hacks/

2. http://www.wsj.com/articles/investigators-eye-china-in-anthem-hack-1423167560

Sharing is caring!