John Shegerian, Co-Founder and Executive Chairman of ERI, the largest fully integrated IT and electronics asset disposition provider and cybersecurity-focused hardware destruction company in the United States, has called the recent record HIPAA settlement by Anthem a “dire warning for the entire healthcare industry” regarding how seriously cyber threats must be taken.
Federal regulators hit health insurer Anthem Inc. with a record $16 million HIPAA settlement as a result of a cyberattack revealed in 2015, which impacted nearly 79 million people. In announcing the record HIPAA fine, regulators noted the insurer failed to take several basic security steps, including conducting an enterprisewide security risk assessment. The Department of Health and Human Services’ Office for Civil Rights said Anthem agreed to take “substantial corrective action” to settle potential HIPAA privacy and security rules violations after a series of cyber attacks led to the largest ever US health data breach, exposing electronic protected health information.
“The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” said OCR Director Roger Severino in a recent report.
“The situation Anthem found itself in is deeply regrettable, but avoidable,” said Shegerian. “In fact, with the massive increases in cybercrime and hardware hacking, the entire healthcare sector has an uphill battle to fight in terms of protecting its digital data if it is to protect patient privacy and meet all HIPAA regulatory standards.”
In 2015, Anthem filed a breach report with the HHS OCR detailing that cyber thieves had gained access to its IT system “via an undetected continuous and targeted cyberattack for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack.” After filing the breach report with OCR, Anthem discovered the attackers had infiltrated its system through spear phishing emails sent to an Anthem subsidiary; at least one employee responded to the malicious email and opened the door to further attacks, OCR reported.
And despite it being the largest hack on record, Anthem is far from alone. In the second quarter of 2018, 3.15 million patient records were compromised in 142 different healthcare data breaches, according to a report from the Protenus Breach Barometer. Thirty percent of these privacy violations involved repeat offenders, indicating that health systems accumulate risk that compounds over time.
Shegerian warns that cyberspace is only one avenue of exposure and that hardware may be an even more sensitive target.
“Cyber crime in the healthcare sector is rampant, and hardware hacking, in particular, is an area that an alarming number of organizations are simply not prepared to confront,” added Shegerian. “Even if ‘wiped of data’ in the traditional sense, computers, cell phones, tablets and other devices used in medical scenarios, at the end of their life cycles, pose a massive risk. Because the technology that organizations use may contain components that store sensitive information, health-related organizations must take this problem very seriously to avoid exposure and potential HIPAA regulation violations. Unfortunately, hackers have become more sophisticated, leading to an urgent need for responsible and fully integrated ePHI and PHI services.”