If it could happen to Anthem, could it happen to you?

  • Kyle Haubrich, JD
  • Jacob Grimes, JD
October 25, 2018
  • Health IT, Compliance, Health Law and Policy, HIPAA, Law & Malpractice, Risk Assessment, Risk Management, Technology

Earlier this month, the Department of Health and Human Services’ Office of Civil Rights (OCR) issued a press release stating Anthem would pay the OCR $16 million, the largest-ever HIPAA settlement, following the largest-ever health data breach in U.S. history. This settlement nearly triples the previous high of $5.5 million that Florida-based Memorial Healthcare System paid the OCR in 2016.

OCR Director Roger Severino stated in the press release that, “Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information.” Director Severino continued, “We know that large healthcare entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR.”

Unfortunately, this is not where Anthem’s issues ended. The release finishes by stating that, “In addition to the impermissible disclosure of electronic protected health information (ePHI), OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as Feb. 18, 2014.”

This raises the question: If this could happen to Anthem, which failed to prospectively and retroactively address its HIPAA compliance issues despite having ample resources to do so, could it happen to a solo or small practice group that does not have the same resources? The answer is, incontrovertibly, yes.

In the last several months, ransomware and other cyberattacks have targeted solo and small practices, causing an overwhelming number of breaches of patient medical and personal information. What can solo and small practices do to protect themselves from such attacks? Here are three suggestions:

1. Perform a practice-wide risk analysis and address security gaps.
OCR’s press release states Anthem failed to conduct an enterprise-wide risk analysis. Had Anthem done so, the severity of the hack could have been lessened. Small or solo practices must conduct a risk analysis rather than simply hope they do not get audited. But it is not enough to conduct a risk analysis—the covered entity must also address the identified risk gaps and work to close them. The worst thing a practice can do is conduct a risk analysis and do nothing with the results.

From OCR’s perspective, if the practice conducts a risk analysis, it means they know where the risk gaps are. If the practice knew about the risks, but failed to do anything about them, fines tend to be larger. Therefore, practices must conduct a risk analysis and proactively address the identified risk gaps. Failure to do so could lead to an attack and subsequent penalties.
