Lessons Learned from Recent Data Security Breaches, Part Two
In Tuesday’s post, I discussed how the recent data breaches at Anthem, Inc. and Target occurred. Today’s post will turn to the implications of these breaches under HIPAA/HITECH rules and what health providers can learn from them.
Because controlling access is essential to protecting the privacy of PHI under HIPAA, the HIPAA Security Rule (as strengthened by HITECH) requires a covered entity to control physical and electronic access to systems holding ePHI by implementing policies and procedures that ensure only authorized persons can access them. A covered entity also needs to log and review who is accessing the system, so that it can identify potential security breaches, including the use of stolen access credentials.
The Anthem and Target breaches highlight substantial challenges for all covered entities under the Security Rule. Both reveal threats that come from unauthorized users targeting authorized users, especially employees, with schemes such as phishing campaigns or browser exploits designed to obtain the employees' access credentials, the virtual keys to the system. Once an attacker has stolen an employee's keys, he or she looks like a legitimate user and can operate inside the system for some time before being noticed. In addition, the Target breach underlines the importance of monitoring and restricting the access that a third-party vendor and its employees have to a covered entity's data system.
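The two points above, tracking who uses the system so that stolen credentials can be spotted, and confining a vendor account to the systems it was granted, can be checked mechanically against an access audit log. The script below is an added example and not code from the original post or from any particular product; the log line format, the user names, the IP ranges, the vendor scope table and the thresholds are all assumptions constructed for illustration. It flags three indicators: a vendor account touching a resource outside its contracted scope, a burst of failed logins immediately followed by a success, and one account used from inside the network and then from an external address within minutes.

```python
"""Flag indicators of stolen credentials and out-of-scope vendor access in an
ePHI system's authentication/access audit log.

Added example, not code from the original post. The log format, user names,
IP ranges, vendor scope and thresholds are assumptions constructed for
illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed log line format (constructed for this example):
#   <ISO timestamp> user=<name> src=<ip> resource=<name> result=<success|failure>
SAMPLE_LOG = """\
2015-02-10T08:01:12 user=jsmith src=10.20.1.15 resource=ehr-portal result=success
2015-02-10T08:03:40 user=jsmith src=10.20.1.15 resource=ehr-portal result=success
2015-02-10T08:05:02 user=jsmith src=203.0.113.77 resource=ehr-portal result=success
2015-02-10T08:10:00 user=vendor-hvac src=198.51.100.9 resource=hvac-console result=success
2015-02-10T08:12:30 user=vendor-hvac src=198.51.100.9 resource=ehr-db result=success
2015-02-10T09:00:00 user=mlee src=10.20.2.8 resource=ehr-portal result=failure
2015-02-10T09:00:05 user=mlee src=10.20.2.8 resource=ehr-portal result=failure
2015-02-10T09:00:09 user=mlee src=10.20.2.8 resource=ehr-portal result=failure
2015-02-10T09:00:14 user=mlee src=10.20.2.8 resource=ehr-portal result=failure
2015-02-10T09:00:20 user=mlee src=10.20.2.8 resource=ehr-portal result=failure
2015-02-10T09:00:31 user=mlee src=10.20.2.8 resource=ehr-portal result=success
"""

# Assumed policy data: the entity's internal address space and the resources
# each vendor account is contractually allowed to reach.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]
VENDOR_SCOPE = {"vendor-hvac": {"hvac-console"}}
FAILURE_THRESHOLD = 5                  # failures inside FAILURE_WINDOW before a success
FAILURE_WINDOW = timedelta(minutes=2)
TRAVEL_WINDOW = timedelta(minutes=10)  # internal -> external switch this fast is suspicious


def parse_line(line):
    """Split one audit line into a dict with a parsed 'ts' timestamp."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts_str)
    return rec


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(log_text):
    """Return a list of (rule, user, detail) alerts found in the log, in log order."""
    alerts = []
    last_success = {}                    # user -> (ts, src) of the last successful login
    recent_failures = defaultdict(list)  # user -> timestamps of failures since last success

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user, src, ts, res = rec["user"], rec["src"], rec["ts"], rec["resource"]

        # Rule 1: vendor account touching a resource outside its contracted scope.
        if user in VENDOR_SCOPE and res not in VENDOR_SCOPE[user]:
            alerts.append(("vendor_out_of_scope", user, f"{res} from {src}"))

        if rec["result"] == "failure":
            recent_failures[user].append(ts)
            continue

        # Rule 2: a burst of failures immediately followed by a success
        # (password guessing, or trying a list of stolen credentials).
        fails = [t for t in recent_failures[user] if ts - t <= FAILURE_WINDOW]
        if len(fails) >= FAILURE_THRESHOLD:
            alerts.append(("failures_then_success", user,
                           f"{len(fails)} failures before success from {src}"))
        recent_failures[user] = []

        # Rule 3: the same account used from inside the network and then from an
        # external address (or vice versa) within minutes, as a stolen credential
        # used by an outsider would produce.
        prev = last_success.get(user)
        if prev and ts - prev[0] <= TRAVEL_WINDOW and is_internal(prev[1]) != is_internal(src):
            alerts.append(("internal_external_switch", user, f"{prev[1]} then {src}"))
        last_success[user] = (ts, src)

    return alerts


if __name__ == "__main__":
    for rule, user, detail in analyze(SAMPLE_LOG):
        print(f"ALERT {rule}: {user}: {detail}")
```

Run against the constructed log, the script raises three alerts: jsmith's account switching from an internal to an external address two minutes after its last login, the HVAC vendor account reaching `ehr-db`, and mlee's five failures followed by a success. On a real audit trail the thresholds and the internal address list would come from the entity's own network inventory, and the alerts would feed the incident-reporting procedure rather than only being printed.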
Because the Anthem attack was aimed at stealing employees' access credentials, covered entities need to review and improve their compliance policies and procedures for preventing, detecting and reporting the theft of employees' access keys (usernames, passwords). Covered entities also need to consider whether their employees need more intensive training on how to quickly recognize and avoid attackers' schemes and tools. They can also test employees' ability to recognize and report a phishing email, rather than act on it, by sending simulated phishing emails.
These breaches illustrate the need to (a) carefully control access to systems containing ePHI, (b) create meticulous and restrictive policies on access to these systems, and (c) rigorously train all applicable employees to comply with these policies.