Lessons Learned from Recent Data Security Breaches, Part Two
Thursday, March 19, 2015
Lessons Learned from Recent Data Security Breaches, Part Two
Print Mail Download i

In Tuesday’s post, I discussed how the recent data breaches at Anthem, Inc. and Target occurred. Today’s post will turn to the implications of these breaches under HIPAA/HITECH rules and what health providers can learn from them.

Because controlling access is essential to protecting privacy of PHI under HIPAA, the HITECH Security Rule essentially requires that a covered entity control physical and electronic access to the data system by implementing policies and procedures for ensuring that only authorized persons access the data system. A covered entity also needs to be able to track the users accessing the system in order to identify potential security breaches, including stolen access information.

The Anthem and Target data security breaches indicate substantial challenges for all covered entities under the Security Rule. The Anthem and Target breaches reveal the security threats coming from unauthorized users targeting authorized users, especially employees, and the schemes, such as phishing campaigns or browser exploits, to obtain employees’ access information or virtual keys to the system. Once a hacker has stolen the keys to the system from an employee, he/she can be inside the system before being noticed. In addition, the Target breach underlines the importance of monitoring and restricting a third party vendor and its employees’ access to a covered entity’s data system.

Because the Anthem breach was targeted at stealing employees’ access information, covered entities need to review and improve their compliance policies and procedures regarding the prevention, detection and reporting of the theft of employees’ access keys (usernames, passwords). Moreover, covered entities also need to consider whether their employees need more intensive training on how to quickly detect and avoid hackers’ schemes and tools. Covered entities could also test their employees’ ability to recognize and delete a phishing email by sending fake phishing emails.

These security breaches illustrate the need to (a) carefully control access to systems with ePHI, (b) create meticulous and restrictive policies on access to these systems, and (c) rigorously train all applicable employees on compliance with these policies.

© 2024 by McBrayer, McGinnis, Leslie & Kirkland, PLLC. All rights reserved.

Current Legal Analysis

More from McBrayer, McGinnis, Leslie and Kirkland, PLLC

Businesses Receive Greater Clarity on Obligations under Federal Law
by: McBrayer, McGinnis, Leslie & Kirkland, PLLC
Public Improvement Liens on Government-Owned Projects
by: Brendan R. Yates
Providers Wary after First Ruling on CMS 60-Day Rule
by: Christopher J. Shaughnessy
Anheuser-Busch to sell distributorship in compliance with Kentucky law
by: McBrayer, McGinnis, Leslie & Kirkland, PLLC
Estate Planning for Same-Sex Couples After Obergefell
by: McBrayer, McGinnis, Leslie & Kirkland, PLLC
CMS Sends a Lifeline on Stark after Tuomey Affirmed: What Health Providers Should Know
by: Anne-Tyler Morgan
Disparate Impact Claims Fair Game under the Fair Housing Act
by: Preston Clark Worley
How Should Employers Provide Bathrooms for Transgender Employees? OSHA Has the Answer.
by: Amy D. Cubbage
Congratulations on the Birth of Your New Tax Exemption! (Tax Breaks for New Parents)
by: Matthew Koch
NLRB Protects a New Kind of Employee Activity: Worrying About Your Job
by: Luke A. Wingfield

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins