We covered a story last week about a cyber attack on the Washington-based health insurer Premera in which millions of customer records were disclosed. The company claims that one of its employees unknowingly downloaded malware that automatically established a Virtual Private Network (VPN) connection. Once the VPN was established, hackers were able to access millions of customer names, phone numbers, addresses, social security numbers, credit and debit card numbers, and even health records.
Before the attack occurred, however, Premera was audited by the Office of Personnel Management. Because Premera is one of the largest health insurance providers in the U.S., it must abide by the Health Insurance Portability and Accountability Act (HIPAA). This includes implementing safeguards that protect its customers' information from being accessed or disclosed by unauthorized individuals.
After performing an investigation of Premera, auditors published a report titled “AUDIT OF INFORMATION SYSTEMS GENERAL AND APPLICATION CONTROLS AT PREMERA BLUE CROSS.”
The 25-page report found that Premera employees failed to keep critical security patches up to date, placing the company's computer systems at risk of attack. Furthermore, administrators had no standardized configuration baseline for their systems.
“Premera has documented patch management policies and procedures. However, the results of the vulnerability scans indicate that critical patches, service packs, and hot fixes are not always implemented in a timely manner. Failure to promptly install important updates increases the risk that vulnerabilities will not be remediated and sensitive data could be breached,” wrote auditors in the report.
Other violations discovered by auditors include the lack of a second authentication factor for data center access, and no video camera surveillance covering entry points.
Under the HIPAA Security Rule, covered entities such as Premera must implement reasonable and appropriate measures to protect their customers' information. Installing firewalls, encrypting files, properly destroying or wiping old hard drives, and updating system software to the latest versions are just a few of the many ways covered entities can achieve this.
Even with the violations cited in the report, Premera was declared HIPAA compliant. Of course, the health insurer later made the shocking announcement that millions of customer files had been disclosed, raising concerns regarding whether Premera should have been declared HIPAA-compliant in the first place. Either way, this incident should serve as a wake-up call for covered entities everywhere to follow HIPAA's requirements.