Since Anthem suffered a cyber attack on its IT systems in December 2014, the threat of personal data being breached has been repeatedly highlighted in recent articles. The Anthem breach may have exposed 78.8 million customer and employee records containing names, birth dates, social security numbers, addresses, phone numbers, email addresses, and member IDs. This incident marks the largest data breach ever to affect the health care industry.
Anthem was not using cloud technology; its healthcare data was stored on servers within its own building. The investigation into the breach is ongoing, and no formal information has been released on who may have compromised the database.
The Anthem breach makes this a good time to take a look at your internal security controls and to develop a strategy for dealing with a security breach, should the unexpected ever arise.
Internal security controls
We have previously blogged on the security controls offered through the Salesforce platform. These types of security controls should be implemented in any business, regardless of whether data is stored in the cloud or in an internal server.
Here at ClaimVantage, we use a secure LastPass system to store all internal usernames and passwords. This system makes it impossible for unauthorized users to access any data; user restrictions also ensure each employee can only access the data necessary to complete their tasks. The system also rates the strength of the passwords stored, detects passwords reused across accounts, and prompts for password changes when they are needed. Regular security audits are also carried out to ensure all data is safe and is never transferred by insecure means.
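The three checks described above (weak passwords, passwords reused across accounts, and passwords due for a change) are the core of a credential audit. The script below is an added illustration of how such an audit works; it is not LastPass code and not ClaimVantage's, and the vault entries, the common-password list, and the one-year change interval are all constructed assumptions for the example. The report names accounts, never the passwords themselves, so the audit output does not become a second copy of the secrets it checks.

```python
import re
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample vault for the example: (site, username, password, last_changed).
# None of these are real credentials.
VAULT = [
    ("crm.example.com",  "alice", "Tr0ub4dor&3xample!", date(2015, 1, 10)),
    ("mail.example.com", "alice", "Tr0ub4dor&3xample!", date(2014, 6, 1)),
    ("hr.example.com",   "bob",   "password1",          date(2013, 2, 14)),
    ("vpn.example.com",  "carol", "xK9#qL2$wP7@mN4v",   date(2015, 1, 20)),
]

# Assumed policy values for the example, not a published standard.
MAX_AGE = timedelta(days=365)     # prompt a change after one year
MIN_SCORE = 3                     # scores below this are reported as weak
COMMON = {"password", "123456", "qwerty", "letmein", "welcome"}


def strength_score(pw):
    """Score a password 0-4 on length, mixed case, digits and symbols.

    A password that is a well-known common password (optionally with a
    trailing number, e.g. 'password1') scores 0 regardless of its makeup.
    """
    base = re.sub(r"\d+$", "", pw.lower())
    if pw.lower() in COMMON or base in COMMON:
        return 0
    score = 0
    if len(pw) >= 12:
        score += 1
    if re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw):
        score += 1
    if re.search(r"\d", pw):
        score += 1
    if re.search(r"[^A-Za-z0-9]", pw):
        score += 1
    return score


def find_weak(vault):
    """Return (site, username) for every entry scoring below MIN_SCORE."""
    return [(site, user) for site, user, pw, _ in vault
            if strength_score(pw) < MIN_SCORE]


def find_reused(vault):
    """Group sites that share the same password; report only groups of 2+."""
    groups = defaultdict(list)
    for site, _, pw, _ in vault:
        groups[pw].append(site)
    return [sorted(sites) for sites in groups.values() if len(sites) > 1]


def find_stale(vault, today):
    """Return sites whose password is older than MAX_AGE as of `today`."""
    cutoff = today - MAX_AGE
    return [site for site, _, _, changed in vault if changed < cutoff]


def audit(vault, today):
    """Run all three checks and return a report keyed by finding type."""
    return {
        "weak": find_weak(vault),
        "reused": find_reused(vault),
        "stale": find_stale(vault, today),
    }


if __name__ == "__main__":
    report = audit(VAULT, date(2015, 3, 1))
    for kind, findings in report.items():
        print(f"{kind}: {findings}")
```

Running the script against the constructed vault flags the HR account as both weak and overdue for a change, and reports that the CRM and mail accounts share one password. In a real deployment the vault would be read from the password manager's export rather than a list in the source file, and the report would feed the "prompt for change" step rather than being printed.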
Under HIPAA, health plans are required to conduct security risk assessments at least annually, and whenever changed circumstances warrant. This assessment may identify potential threats, vulnerabilities, and risks to protected personal data. Identifying these threats gives a business time to strengthen its internal security controls.
In the unlikely event that your system is ever compromised, it is important to have a strategy already in place to deal with the situation. This will aid in the recovery process: assisting affected parties, discovering the source of the breach, and ensuring it never happens again.
There are a few elements to consider in this step:
- Determine a role for each responsible party. Who will make HIPAA, Federal, and state law notifications? Who will notify the media? How will affected parties be notified? Who is notified first?
- Limit the damage. Notifying affected parties and the media promptly, with a consistent message, will help assure affected parties that the situation can, and will be, handled appropriately.
- Don't jump to conclusions. It's fine to reveal that an investigation into the breach is ongoing, but it's unnecessary to guess at how the data was breached, since that risks passing on incorrect information. Investigate the matter thoroughly, and release a statement to let the affected parties know that the situation is under investigation and that you are taking the breach seriously.
A security breach is a rare occurrence for any business, but when one does occur it can damage a reputation that takes a long time to rebuild. Limiting the risk of this happening to you is the best security you can offer your business. A recent survey found that 61% of senior IT and business decision makers in the UK had concerns over data security, although only 2% had actually experienced a cloud-related security breach.
According to Scott Nicholson, information assurance and security manager at cloud integrator Adapt, working with "a provider that specializes in delivering cloud services is likely, by definition, to have stronger security and operational controls, and more experience than an IT department functioning as a single business unit."
If you are considering moving to the cloud, contact us today to discuss cloud technology and healthcare data.