Certainly, to their credit, the organization wanted to demonstrate their commitment to protecting their members’ data.
But when it comes to assurances, and to insurance in general, one must read the fine print. An article titled “Did Anthem’s Security Certification Have Value?” by Marianne McGee, published on BankInfoSecurity.com, questioned the HITRUST Common Security Framework (CSF) certification process. HITRUST responded that its certification is based on a defined scope, and that the system that was breached was not within the scope of the CSF certification.
Similarly, cyber liability insurance will not cover everything an organization needs after a security incident if the organization has not complied with every requirement and scope condition of that particular policy. If the organization has failed to complete the specific tasks called out in the fine print to validate the policy, claims against the policy may not be paid. Stated another way, if the cyber policy says that the organization must train employees in HIPAA privacy and security awareness, and that training is not done, the insurer is likely to refuse the claim. Or, if the insurer does pay and later determines that the organization was not adhering to its own policies and to the requirements of the HIPAA Privacy Rule and the HIPAA Security Rule, it could demand a refund for the claim.
One such case occurred in California: a healthcare organization’s claim was paid, and the insurer later sought reimbursement through legal action. The organization had the insurance but, in effect, no coverage. The deciding factor in that case should come as no surprise. At the end of the day, risk analyses and risk mitigation plans are an organization’s most important security documents. 4
The HIPAA Security Rule requires that a risk analysis be completed for all systems and assets where protected health information (PHI) potentially resides. This is never a one-and-done process. Risk analyses must be performed annually and must cover all owned facilities. It is essential that biomedical devices are not overlooked; the FDA, an agency of HHS, has recently published guidance on the vulnerabilities that may exist in these critical care systems. 5
The Anthem breach began inside the organization, with one employee and one email. Insurance and certifications cannot protect healthcare organizations from every breach. One of the best protections, and one of the best investments, an organization can make is ongoing, quality cybersecurity education for its workforce. It is equally important to ensure that business associates are keeping up with changes in cybersecurity awareness. Specific education on the pervasiveness of phishing attacks should be a high-priority item on every privacy officer’s to-do list.
On the security side of the house, security professionals should find out when the last comprehensive security risk analysis was completed and updated. This is a task that should be completed and updated annually, without exception. The failure to do so was the foundational basis for the cyber liability claim denial mentioned above.
Keep the Workforce Vigilant
A thorough, well-planned training program for the workforce includes information on phishing attacks: what they look like, how to report them, and how seriously they can affect an organization. This is an imperative for 2019. Conducting an active, simulated phishing campaign against the workforce can help keep employees vigilant and avoid the problems experienced by Anthem and so many other
There is no certification for HIPAA compliance, and even with the best policies, training, and vigilance, security incidents can and will continue to happen. What health information management professionals can do is keep the workforce well-informed about the pervasiveness and creativity of cybercriminal activity, since an informed workforce may be the best defense in this ongoing battle. Next, conduct a robust risk analysis and update it methodically every single year. Risk profiles change every year as new equipment and systems are purchased and as new settings and upgrades are incorporated into existing systems. Finally, keep policies updated and review incidents with the privacy and security committee to ensure that a proactive stance is being taken to prevent new incidents from occurring the same way previous ones did. Start now to minimize the risk of a privacy or security breach in 2019.
1. “$16 Million Anthem HIPAA Breach Settlement Takes OCR HIPAA Penalties Past $100 Million Mark.” HIPAA Journal. October 16, 2018. www.hipaajournal.com/16-
2. “Court Approves Anthem $115 Million Data Breach Settlement.” HIPAA Journal. August 20, 2018. www.hipaa-
3. Anthem. “Health Information Trust Alliance Designates WellPoint Common Security Framework Certified Status.” Press release. September 30, 2013. https://
4. Mitby, John C. “Cyber Liability Insurance: Consider—But Be Careful as Insurance Company May Deny A Claim.” Hurley Burish S.C. Attorneys blog. https://hurleyburish.
5. US Food and Drug Administration. “Medical Devices: Cybersecurity.” www.fda.gov/medicaldevices/digital-health/ucm373213.htm.
Joe Gillespie (joe.gillespie@tw-Security.com) is senior privacy/security consultant, and Susan Lucci (susan.lucci@tw-Security.com) is senior privacy/security consultant and privacy officer at tw-Security.