Hackers gained unauthorized access to Anthem’s information technology system and exposed the PHI of more than 80 million people who are currently or were previously covered by the insurance provider.
Kate Borten, CISSP, CISM, founder of The Marblehead Group in Marblehead, Massachusetts, notes that the breach appears to be related to multiple security vulnerabilities. Successful spear phishing attacks permitted unauthorized access and network protocols were likely outdated, says Borten.
Much can be learned by simply looking at the way Anthem reacted to the breach and began its breach notification process.
“They had a plan, they reacted quickly, they were on top of it,” says Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon. “That’s something that I can’t say for many healthcare organizations.”
Having an incident response plan in place proves valuable regardless of the size of an organization or a breach, he says. This must be regularly tested and retested to ensure employees are aware of the plan and how the plan works so updates can be made, if necessary.
Although it is important to have an incident response plan in place, the Anthem breach highlights the fact that organizations need more to ensure PHI is secure, says Mac McMillan, FHIMSS, CISSM, co-founder and chief executive officer of CynergisTek, Inc., in Austin, Texas.
“Healthcare organizations have to invest in technology and services that enhance their detection capabilities,” McMillan says. “The bottom line we need to spend more attention on making it harder for hackers to exploit our enterprises and exfiltrate data.”
Stay tuned for the April issue of Briefings on HIPAA  for more reactions to the breach.