Multi Billion Dollar Catastrophe…

anthem_video

On January 29, 2015, Anthem Inc, a Health Insurance provider in US (second largest in US) reported a discovery of a Cyber Attack in which it is estimated that about 78.80 million health records have been compromised. (Refer here). The incident has sparked many law suits and is expected to impact the information security practices in US and elsewhere. (See report in Fortune)

The data that were accessed by hackers was not encrypted and contained identity details such as the social security numbers. This is a violation of the security requirements under HIPAA-HITECH Act and attracts civil penalty from the department of Health and Human Services (HHS).

 According to the company’s admission, hackers gained access to Anthem’s data by stealing the network credentials of at least five employees with high-level IT access. The data is believed to have been extracted over a period of 6 to 8 weeks during which the attack went undetected. The company claims that the attack was “Sophisticated” but only the investigations will reveal if it was really a sophisticated attack or a simple phishing attack.

This data breach may be the largest in terms of the financial implications on an organization. The company is said to have an insurance cover of US$ 100 million but the claims under this case may far exceed this limit. This could also be a big set back for the Cyber Insurance industry. The black market rate for health data in US is estimated to be around US 470 per record (See this article). The value of the data lost at Anthem in the black market is therefore around US$ 37.6 billion or Rs 2,33,000 crores. The value in the black market for a data is normally 5 to 10% of the potential benefit that can be derived from the data by a buyer. Hence the estimated gross value of the data lost in terms of the potential loss to consumers could be of the order of US$376 billion. (Also see here)

Now Anthem is focusing on its responsibilities under HIPAA-HITECH Act to assist the affected persons to protect themselves from the consequences of identity theft by providing a two year protection service from All Clear ID. (Refer here)Individually the cost of such service is around US$14.95 per month and for the 78.8 million IDs to be protected the total potential cost is Us $28 billion. Of course Anthem may get a much cheaper bulk rate. But the cost is still likely to be of the order of US $ 3 billion. This is besides the cost of sending data breach notices to 78.8 million people by US first class mail.

The net impact of this data breach on the Health Insurance industry, the Cyber Crime Insurance industry, as well as the status of HIPAA implementation across US (extended to Business Associates in India) are likely to be enormous. It will shake the whole industry and perhaps bring in several lasting changes in industry practices.

In the meantime, Anthem has also attracted another controversy by refusing to allow the US regulator the “Office of Inspector General” (OIG) to conduct a vulnerability scan of their systems citing their corporate policy that no external audit is permitted. (Refer here)

The Office of Personnel Management of  OIG  oversees the Federal Employee Health Benefits Program and in the course of such supervision  performs a variety of audits on health insurers that provide health plans to federal employees. Though it is a regulator of sorts, it is not having the same powers available to the HHS which is the regulator under HIPAA which has the powers of audit and imposition of penalty. The powers of the OIG has to be derived from a contract which Anthem believes are non existent.

While at first glance this attitude of Anthem appears to be self defeating from a PR angle, it is likely to establish the primacy of HHS as the sole regulator of Health data breach and resist an attempt by multiple agencies to fish in troubled waters. (Also see here).

Anthem attack itself has resulted from Phishing and now the incident itself has become a source for many other scams involving phishing e-mails offering various services. The collateral damage of this fraud can therefore go beyond the Health Care data breach.  Already suspicions are being aired about the hacking having emanated from China (See here). If these rumors are confirmed the breach may get a “Cyber War” tag similar to the recent attack on Sony attributed to North Korea.

The incident therefore has many dimensions and security professionals need to keep a watch on the developments.

End of the day one wonders…could a better “data encryption under storage” could have prevented this multi-billion dollar catastrophe?

Naavi

hipaa_apnacourse1

Share Button
Print Friendly

USA moves towards “Health Care for All”

The much debated “Obama Care” or “Affordable Care Act” on which the US Government faced a “Shut Down” recently has started getting active. The Act which envisages that every US citizen will get a health insurance at affordable cost without being excluded because of reasons such as “Pre Existing deceases”.

The “Market Places” set up for enrolling public to the scheme where they could apply for eligibility screening and applying for relevant insurance plans has seen nearly 1.9 million persons going through the eligibility determination process since October 1, 2013. An additional 803,077 have been assessed for medicaid and CHIP (Children’s Health Insurance Program) upto November end. Of these, 365,000 have already selected plans from the State and Federal market places .

For those who complete the plan choice by December 23, coverage will commence from January 1, 2014. The enrolment plan will however continue upto March 31, 2014. Those who fail to complete the process and obtain insurance through the process may have to pay a fine of $95 per adult , $47.50 per child or 1% of income whichever is higher.

The implementation of the Obama Care is likely to have a positive impact on the employment creation in USA in several disciplines.

The activity in health care management in USA is now going on at a hectic pace and will have its positive impact on the Indian IT industry also. However Indian entrepreneurs who want to make use of this opportunity need to gear up with better Privacy and Security control measures to meet the strict HIPAA-HITECH Act standards.

Naavi

Share Button
Print Friendly

US Shutdown

The forced shutdown of US Government has now entered the second day and is threatening to affect other economies. For general information we may state that US Shut down has arisen because the House of Representatives dominated by the Republican party has refused to pass the Government budget before the expiry of the earlier budgetary sanction (September 30). The reason is that Republic party does not approve the so called “Obama Care” bill officially known as the “Patient Protection and Affordable Care Act” (ACA) and expenses associated with it which are part of the budget. The shut down has affected 800,000 federal workers  and is expected to cost the economy about $1 billion a week. This is the first such event since 17 years and is likely to leave an indelible mark on the Obama administration.

The Affordable Care Act envisages mandatory health insurance for all Americans to commence from January 1, 2014. The Act has already come into effect with the  enrollments under the Health Insurance Exchange  commencing from 1st October 2013.

For Details visit here. 

More information here 

Obama care Facts

The Act itself is a revolutionary legislation which aims at providing health care security to every American. It envisages that obtaining health insurance coverage is mandatory and for those who cannot afford, there would be a certain subsidization.

“The law is expected to eliminate pre-existing conditions, stop insurance companies from dropping cover when a person is sick, protect against gender discrimination, expand free preventative services and health benefits, expand Medicaid and CHIP, improve Medicare, mandate larger employers insure employees, create a marketplace for subsidized insurance providing tens of millions individuals, families and small businesses with free or low-cost health insurance, and decrease healthcare spending and the deficit.”

The Republican party is opposed to the law since it is felt that the Democrats steam rolled its passage ignoring the opposition when it was passed in 2010. The economic feasibility of the proposal is also under debate. (Similar to the Food Security Bill controversy in India).

A legal challenge led by the law’s Republican opponents ended in June 2012 when the Supreme Court validated the law’s keystone provision – a requirement that Americans not receiving health coverage from their employers or the government purchase individual plans or pay a fine.

Now the Republic party which has a majority in the House of Representatives has put its foot down on the passage of the budget and the result is the shut down of all non essential Government activity. Employees of non essential Government services are now on  “Leave without Pay” disrupting the economic activities of different kinds. It is also feared that by October 17, there will be a need for another endorsement from the House of Representatives on raising the Government borrowing limits and if it does not occur there could be defaults on US treasury bonds and a global repercussion in terms of increased interest rates etc. If the crisis is not defused by then, the consequences could be disastrous even for Stock markets in India.

Since many of the provisions of the Act have already commenced from October 1, 2013, Obama and the Republicans have reached a stage where neither can retract without losing face. It is a serious political crisis which is likely to determine the results of the next Presidential elections and hence neither party is willing to give in.

In India we have faced many similar challenges in the Parliament where the finance bill has been under the mercy of the opposition parties. However, opposition parties have always avoided the crisis by letting the finance bill pass even though they are opposed to the Government policies in general which indirectly increase Government spending in the budget. Whether it is the Food Security Bill or the Corruption, the ultimate burden is on the people with increased tax burdens but the opposition has never expressed the resolve to shoot down a Finance bill which can force the Government to resign. But in US it appears that neither the President is weak to retract nor the opposition meek to let things pass.

The outcome of the crisis is uncertain. Optimists hope that the crisis would be resolved within a short time of a day or two in which case the crisis may pass off. If it persists beyond October 17, we may be in for a major economic crisis that may hit even India.

The silver line for India is that once the Obama Care provisions get implemented, there would be a huge business potential for Indian IT Companies and BPOs and the prospects of the IT industry will get a boost just like the Y2k issue.

P.S: It was interesting to observe the reactions of the American people on the street when they were asked by CNN if they liked Obama Care or Affordable Care Act. Almost all said that they supported Affordable Care Act and opposed Obama Care without realizing that both were the same. This shows not only how much the average American is ignorant as much as the effect of naming  social welfare activitities in the name of political leaders. We in India are used to many many Rajiv Gandhi schemes and such schemes will be opposed by people just for the reason of the name. There is a lesson for politicians in India in this.

Naavi

Share Button
Print Friendly

HIPAA-US$1.2 m damage for not sanitizing photocopier hard disk

A HITECH Act violation by a health plan in New York resulted in a potential data breach of 344,579 individuals has resulted in the HHS imposition of penalty of Rs $1,215,780 as a settlement.

The breach occurred when the Plan which had leased several photocopiers and used it during its operations decided to return the photocopiers to the lessors. The hard disks that are attached to the photocopier were not sanitized before being returned which resulted in an impermissible disclosure of PHI.

OCR had taken up an investigation of this breach which had been reported in April 2010 after a media disclosure. The settlement has also suggested a corrective action as follows.

 (1) conduct a comprehensive risk analysis of the Plan’s privacy and security risks and vulnerabilities and

(2) use best efforts to retrieve all hard drives that were contained on photocopiers previously leased by the Plan that remain in the possession of the leasing agent and safeguard all electronic PHI contained therein.

Related Article 

The report of CBS News filed in April 2010 had indicated  that the agency purchased 4 used photocopiers from a warehouse in New Jersy and extracted thousands of documents from the hard disks which contained sensitive information from various agencies including the NY Police department and the previously referred Affinity Health Plan.

The incident highlights the need for all companies handling sensitive personal information realize that the Photocopying machines of current days carry a hard disk which copies every document that is photocopied in the machine and hence needs to be sanitized before the photocopier is discarded. If they fail to do the damages can be crippling.

Naavi

Share Button
Print Friendly

Indian Company causes HIPAA breach

An Indian contractor of a medical transcription company (M2ComSys) is said to have caused a breach of  PHI belonging to 32000 patients of US based Cogent healthcare leading to data breach notification by the US company.

It is stated that the data was stored on Internet without adequate security and landed up in Google search.

Related Report

The incident underscores the need for Indian companies to get themselves HIPAA-HITECH compliant as business associates if they have not done so far.

Naavi

Share Button
Print Friendly

Data Breach Report within 60 minutes

Reporting of Data Breach incidents has been one of the most contentious aspects of the HITECH Act provisions. The initial provisions on the data breach notifications were kept in abeyance for nearly 2 years predictably because the industry did not want to expose its failures to the public. Hence the mandatory disclosures to be made on the website of the Company, on the website of the regulator, and the news papers were all resented. However, the US regulators have been firm on the data breach notification norm.

In the recently proposed rule on health insurance exchange released in US it is stated that the data breach should be reported to the HHS within one hour of its identification and this has raised lot of eye brows on the feasibility of such reporting. (Report)

This proposed rule sets forth financial integrity and oversight standards with respect to Affordable Insurance Exchanges; Qualified Health Plan (QHP) issuers in Federally facilitated Exchanges (FFEs); and States with regard to the operation of risk adjustment and reinsurance programs. Comments from the public have been invited until July 19, 2013.

Data Breach Reporting is an essential part of information security management at the industry level but the concerns of the industry need to be understood in the proper perspective. Quick reporting of data breach has its advantages at the industry level since similar breaches in other organizations can some times be prevented by timely action by the regulator. For this purpose the “One Hour Rule” must be considered as good.

However it is necessary to understand that the dissemination of a “Potential/Suspected Breach information” needs to be kept within the regulator until the exact nature and extent of the breach is ascertained. The regulator may initiate corrective action if necessary but without the disclosure of the victim. Once the regulator confirms on his own through preliminary examination of evidence that the “Potential/Suspected Breach” as a “Real Breach”, then the formal disclosure measures may be initiated.

It is therefore necessary for HHS to introduce a simple “Potential/Suspected Data Breach Notification Scheme” to implement the One hour rule. It is possible that there may be many false alarms in the process but the industry should be given the confidence that “False Alarms” will be properly identified and killed without a reputation damage being caused to the organization.

Let’s hope that HHS will take this industry demand into consideration and issue the necessary modified guidelines.

Naavi

Share Button
Print Friendly