- HIPAA Update - http://blogs.hcpro.com/hipaa -

Security audit of Premera identified issues prior to cyberattack

Premera Blue Cross, based in Mountlake Terrace, Washington, announced March 17 that it was the victim of a cyberattack that exposed the PHI of more than 11 million subscribers, according to lexology.com [2].

Premera discovered January 29 that hackers gained access to its IT systems May 5, 2014, according to govinfosecurity.com [3]. A notice on the Premera website [4] states that the following information may have been accessed:

The Office of the Inspector General (OIG) conducted a security systems audit of Premera in January and February 2014, just months prior to the attack. In an audit report [5] dated November 28, 2014, the OIG stated that Premera implemented an incident response plan and network security program.

However, the OIG noted a number of security concerns. Although a patch management policy was in place, scans performed during the audit revealed that patches were not being applied in a timely manner. In addition, no methodology was in place to ensure that unsupported or out-of-date software was not used, and a vulnerability scan identified insecure server configurations.
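The two findings above, late patches and unsupported software, are the kind of thing an inventory check can surface before an auditor does. The following is an added illustration, not code from the article, Premera or the OIG: it runs a constructed software inventory against a hypothetical 30-day patch deadline and vendor end-of-support dates and reports each host/product pair that would have been flagged. The inventory entries, the deadline, the audit date and the product names are all assumptions made for the example.

```python
"""Patch-timeliness and end-of-support check over a software inventory.

Added example (not from the article, Premera or the OIG). Every value below
is constructed for illustration.
"""
from datetime import date

# Hypothetical policy value; real SLAs usually vary by severity.
PATCH_DEADLINE_DAYS = 30

# Constructed date inside the audit window described in the article.
AUDIT_DATE = date(2014, 2, 15)

# Constructed inventory. For each entry: when the vendor released the fix for
# the newest known issue, whether that fix is installed, and the vendor's
# end-of-support date for the installed version.
INVENTORY = [
    {"host": "web01", "product": "web-server", "version": "2.2",
     "fix_released": date(2014, 1, 10), "fix_installed": False,
     "end_of_support": date(2013, 6, 1)},
    {"host": "db01", "product": "database", "version": "9.3",
     "fix_released": date(2014, 2, 1), "fix_installed": False,
     "end_of_support": date(2018, 9, 1)},
    {"host": "app02", "product": "runtime", "version": "7.51",
     "fix_released": date(2013, 12, 1), "fix_installed": True,
     "end_of_support": date(2015, 4, 1)},
    {"host": "fs01", "product": "file-server-os", "version": "5.2",
     "fix_released": date(2014, 1, 5), "fix_installed": False,
     "end_of_support": date(2015, 7, 14)},
]


def classify(item, today):
    """Return the list of findings for one inventory entry (empty if clean)."""
    findings = []
    # Unsupported software: the vendor stopped supporting this version.
    if item["end_of_support"] < today:
        findings.append("unsupported")
    # Late patch: a fix exists, is not installed, and the deadline has passed.
    if not item["fix_installed"]:
        age = (today - item["fix_released"]).days
        if age > PATCH_DEADLINE_DAYS:
            findings.append(f"patch overdue by {age - PATCH_DEADLINE_DAYS} days")
    return findings


def audit(inventory, today):
    """Map 'host:product' to its findings, keeping only entries with findings."""
    report = {}
    for item in inventory:
        findings = classify(item, today)
        if findings:
            report[f"{item['host']}:{item['product']}"] = findings
    return report


def run():
    """Run the check against the constructed inventory on the constructed date."""
    return audit(INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    for key, findings in run().items():
        print(key, "->", "; ".join(findings))
```

In practice the inventory would come from an asset management or vulnerability scanner export rather than a literal list, and the deadline would be read from the written patch policy so that the check and the policy cannot drift apart, which is exactly the gap the OIG scan exposed.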

At the time of the audit, Premera also lacked documentation of formal baseline configurations detailing its approved server operating settings. The insurer also failed to perform a complete disaster recovery test for all of its systems. The OIG also identified weaknesses in Premera’s claims application controls.