Healthcare and Technology news

Anthem's Audit Refusal: Mixed Reaction

Privacy and security experts are offering mixed reviews of Anthem Inc.'s denial of a government auditor's request to perform vulnerability scans of the health insurer's IT systems in the wake of a hacker attack that affected 78.8 million individuals.

The Office of Personnel Management's Office of Inspector General, in a statement provided to Information Security Media Group, says Anthem, citing "corporate policy," refused the OIG's request to perform "standard vulnerability scans and configuration compliance tests" this summer. The health insurer also refused to allow the OIG to conduct those vulnerability tests in 2013 as part of an IT security audit the agency performed.


"Anthem is in a no-win situation on this [most recent] request," says Dan Berger, CEO of security services firm Redspin. "It does appear Anthem has the contractual right to decline the request for an OIG vulnerability scan. But they might want to rethink that. Refusing now looks bad - both to their client OPM and to the public at large."

Security expert Mac McMillan, CEO of the consulting firm CynergisTek, notes: "Usually most companies want to cooperate with the government regulators because, quite frankly, it's in their best interest to do so. Most government contracts provide a provision for the government to conduct an audit if they deem it necessary."

But some other security experts are not surprised that Anthem refused the vulnerability tests.

"In fairness to Anthem, their position may be perfectly well-founded," says Bob Chaput, founder and CEO of Clearwater Compliance. "It's unclear what is precisely meant by vulnerability scans. Ask five people for a definition and receive eight different definitions. External and/or internal technical testing - expanding for the moment to include penetration testing as a way to identify a weakness - can be quite intrusive and disruptive to an organization's operations."

OIG Requests

OPM's OIG performs a variety of audits on health insurers that provide health plans to federal employees under the Federal Employee Health Benefits Program, an OIG spokeswoman tells Information Security Media Group. However, under the standard FEHBP contract that OPM has with insurers, insurers are not mandated to cooperate with IT security audits. Sometimes amendments are made to insurers' federal contracts to specifically require the full audits, the spokeswoman says. In fact, the OIG is now seeking such an amendment to Anthem's FEHBP contract.

OIG also notes in a statement: "We have conducted vulnerability scans and configuration compliance tests at numerous health insurance carriers without incident. We do not know why Anthem refuses to cooperate with the OIG."

A Common Practice?

David Kennedy, founder of security consulting firm TrustedSec, says it's "very common" for corporations to prohibit or limit external parties from performing vulnerability scans. "Most corporations have sanctioned tests that occur from third parties that perform the same type of testing and go even more in depth," he says. "A vulnerability scan is the most basic form of an assessment and wouldn't have prevented the Anthem breach from occurring. Most corporations will provide a summary of the assessment that was performed to provide to third parties to satisfy them for appropriate due diligence."

Although Anthem's recent refusal of the OIG audit requests might now appear to be a public relations blunder for the company, "I can see Anthem's side too, though," says Redspin's Berger. "A vulnerability scan is always going to find vulnerabilities. They may be concerned that any post-breach vulnerability report will be linked back to the recent breach. In reality, such scans are a 'point in time' assessment; it's unlikely that running a scan in the summer of 2015 would determine conclusively whether the recent breach could have been prevented."

In addition, if a security audit is not mandated by a contract, Chaput says it's probably not that unusual for private entities to refuse such requests from government agencies. "It depends on the nature of the relationship of the parties, the structure of that relationship, sensitivity of information involved, etc.," he says. "For example, is OPM a HIPAA covered entity and Anthem a HIPAA business associate in this relationship?"

Time for Change?

The audit dispute might also signal a need for OPM to overhaul its contracting practices, Chaput argues.

"In fact, it's quite possible that OPM is in violation of the HIPAA Privacy and Security Rule 'organizational requirements,'" he says. "Did OPM update all BA agreements? Do the terms and conditions of whatever agreements exist meet the requirements set forth in these HIPAA Privacy and Security Rule 'organizational requirements' to receive satisfactory assurances that this PHI and other sensitive information would be safeguarded?"

The government should negotiate stronger security protections into its contracts with insurers, Berger suggests, and those could include third-party vulnerability scans, whether conducted by the OIG or others.

But McMillan of CynergisTek says Anthem's refusal of the OIG's request could provoke even more scrutiny from other government regulators, or perhaps even legislative proposals from Congress.

Anthem likely already faces an investigation by the HIPAA enforcement agency, the Department of Health and Human Services' Office for Civil Rights, which investigates health data breaches and can issue settlements that include financial penalties.

"Whether it is appropriate or allowed under [Anthem's] current contract or not - refusing a test right after a breach of this magnitude is enough to make some people say there needs to be greater accountability," McMillan says.

Safeguarding Data

Ironically, Chaput says, by denying the OIG's vulnerability tests Anthem could actually be taking extra precautions to protect PHI. "With over-the-top issues of government surveillance of U.S. citizens, Anthem might be thought of as having implemented a reasonable and appropriate administrative control - i.e. their 'corporate policy' to safeguard information with which it has been entrusted," Chaput says. "In the HIPAA Privacy Rule, there are standards and implementation specifications in which PHI, for example, is required to be disclosed to the Secretary of HHS. Since this technical testing could result in a disclosure of PHI, PII or other sensitive information, under what standard is OPM OIG invoking a right of potential disclosure?"

Kennedy adds that when he worked for ATM security vendor Diebold, "we never let anyone scan us. However we would always have reputable third parties perform assessments on us on a regular basis and provide those upon request when an organization wanted to evaluate our security."


Big Data in Healthcare: A Cause for Concern?

A federal advisory panel has kicked off discussions about the privacy and security challenges related to the use of big data in healthcare, with a goal of making policy recommendations in the coming weeks.


During the Jan. 12 meeting of the Health IT Policy Committee's Privacy and Security Workgroup - formerly called the Tiger Team - members began sorting through a number of key big data themes that emerged from two public hearings the group hosted in December. The workgroup and the committee will make recommendations to the Office of the National Coordinator for Health IT, which could ultimately lead to new policies from the Department of Health and Human Services.


Last month's hearings included testimony from stakeholders across the healthcare sector. That testimony highlighted that while analyzing big data can bring big potential benefits, including better treatment outcomes and lower costs, it can also bring privacy risks to individuals, says workgroup Chair Deven McGraw, an attorney at the law firm Manatt, Phelps & Phillips, LLP.

The workgroup will now help to assess whether the nation has the right policy framework in place "in order to maximize what is good about what health data presents for us, while addressing the concerns that are raised," McGraw says.

Big Data Challenges

Big data concerns that emerged from the hearings in December included whether various "tools" that are commonly used to help protect an individual's health data privacy are sufficient, given the complexities of various big data use cases, McGraw says.

Those "tools" include data de-identification methods; patient consent; transparency to patients and consumers about how their data might be used; various practices related to data collection, use and purpose; and security measures to protect data.

Other concerns arising from the testimony that the workgroup plans to dig into relate to the legal landscape, such as whether there are regulatory gaps in HIPAA and other laws regarding keeping health data used for big data analytics private.

The workgroup, which will continue its discussion on Jan. 26, will also consider the harm that could be caused if big data is not kept private, including discrimination, medical identity theft, and mistrust of the healthcare system.

In early February, however, the workgroup will temporarily shift gears to discuss ONC's 10-year interoperability roadmap, which is expected to be released in late January. The roadmap will focus on secure health data exchange.

Nevertheless, the workgroup hopes to hammer out some preliminary findings or early recommendations about protecting big data so that it can make a presentation at the March 10 meeting of the HIT Policy Committee, McGraw says.

