As details continue to emerge following the recent hack attacks on payers Anthem and Premera--in which information for close to 90 million consumers combined may have been put at risk--perhaps the most disturbing revelation of all is that, in both instances, neither entity appears to truly take security seriously.
Premera, for instance, knew three weeks prior to the initial penetration of its systems in May 2014 that network security issues loomed large. A report sent by the U.S. Office of Personnel Management's Office of Inspector General detailed several vulnerabilities, including a lack of timely patch implementations and insecure server configurations.
The findings were so bad, they prompted OPM to warn Premera, "failure to promptly install important updates increases the risk that vulnerabilities will not be remediated and sensitive data could be breached." In addition, OPM told the Mountlake Terrace, Washington-based insurer that failure to remove outdated software would increase the risk of a successful malicious attack on its information systems.
"Promptly" to Premera apparently meant eight months down the road. And one month after its self-imposed Dec. 31, 2014, deadline to resolve its issues, guess what the payer found?
Just imagine how much damage could have been spared had Premera acted with more haste.
In Anthem's case, negligence continues to persist. The nation's second-largest payer has refused to allow a federal watchdog agency to perform vulnerability scans and compliance tests on its systems in the wake of its massive hack attack. It also prevented auditors from adequately testing whether it appropriately secured its computer information systems during a 2013 audit, citing corporate policy prohibiting external entities from connecting to the Anthem network.
Corporate policy is all well and good, but it's not going to mean squat to a consumer two years from now when Anthem's complimentary credit monitoring wears off and the hackers begin wading through the treasure trove of stolen information. As one of those consumers, it would be nice to hear Anthem take the advice of Shaun Greene, chief operating officer of Salt Lake City-based Arches Health Plan, who told my colleague Brian Eastwood last month that payers should hire third parties to conduct HIPAA risk assessments.
"That way, you avoid internal posturing and receive objective feedback," Greene said.
Following last summer's massive Community Health Systems breach--and on the heels of other high-profile cybersecurity attacks--it appeared earlier this year that the healthcare industry was finally starting to truly prioritize information protection.
That's not to say that the majority of the industry doesn't take such matters seriously. But it's disappointing to see that some of its biggest players seem to feel differently. - Dan (@Dan_Bowman and @FierceHealthIT)