www.scmagazine.com
https://www.scmagazine.com/analysis/breach/health-insurance-exchange-didnt-report-44-data-breaches-but-were-hit-with-no-man...
Incident response, Strategy, Breach, Risk management

HEALTH INSURANCE EXCHANGE DIDN’T REPORT 44 DATA BREACHES, BUT WERE HIT WITH NO SECURITY MANDATES
Jessica Davis, April 11, 2022

Connecticut's health information exchange had 44 breaches in the last three and a half years, but failed to report them to the appropriate regulators. It begs the question: where's the accountability? (Photo credit: "USNS Comfort (T-AH 20) Performs Surgery" by NavyMedicine is marked with CC PDM 1.0.)

The health insurance exchange for Connecticut, Access Health, faced a whopping 44 data breaches over the course of three and a half years. But while the audit report detailing these compromises names a host of security and compliance shortcomings, the state auditor merely made recommendations to the HIE to remediate the issues without requiring changes. The failure to enact sharper enforcement begs the question: where’s the accountability?

As Lee Barrett, executive director of the Electronic Health Network Accreditation Commission (EHNAC), puts it, “The bigger issue here is that there’s no accountability.”

“Without any level of accountability, then everyone’s free to do whatever they want, and that’s what they’re doing,” said Barrett.

The state auditor was required by the Connecticut General Statutes to audit the HIE for fiscal years ended June 30, 2018 and 2019.
The findings are thorough and clear, identifying shortcomings with internal controls and noncompliance with laws, regulations, and policies. The “significant findings” detailed in the report show a need to improve privacy and security practices and procedures “that warrant the attention of management.”

Specifically, Access Health failed to report 44 breaches of patients’ personally identifiable information to the state comptroller and Auditors of Public Accounts. A single contractor caused all but 10 of those breaches, but the HIE did not “take sufficient actions to ensure the confidentiality, integrity, and security of client data” after making that determination.

The audit also found the HIE’s procurement policy is “extremely broad,” lacking specific criteria to make determinations for awarding sole source contracts. And on multiple occasions, Access Health failed to comply with purchasing policies, such as “receiving services prior to the approval of four purchase orders for $946,346.” The HIE also failed to promptly submit annual and quarterly reports to the governor, Auditors of Public Accounts, and legislative Office of Fiscal Analysis as required by state law.

The state auditor conducted a thorough examination of Access Health, including written policies and procedures, financial records, minutes of meetings, interviews with various personnel, and testing of selected transactions, all in accordance with government auditing standards.

In response to these findings, the state auditor made four thorough recommendations on how to improve the program and reduce non-compliance. Notably, two of those recommendations were made during the prior audit of the program, meaning those problems are longstanding and unresolved. Further, the audit does not require those changes or provide a timeline for when these elements should be implemented, despite the previous recommendations being unfulfilled.
The recommendations also don’t include enforcement actions or monetary penalties, much like audits provided by the Office of the Inspector General and Government Accountability Office.

WHERE’S THE REGULATORY TEETH?

Given the major compliance issues, and the one problematic vendor behind the majority of breaches, the lack of disciplinary action is shocking, said Barrett.

It’s a stark comparison when considering the number of state government audits of several healthcare entities following reported data breaches, which resulted in, at a minimum, requirements for security programs to be implemented within specific timeframes. And in multiple settlements between the New Jersey Attorney General and healthcare entities found in violation of state laws, the penalties include stiff monetary fines. One example is the $495,000 settlement between the state and the Diamond Institute for Infertility and Menopause over failures in its cybersecurity practices found after a healthcare data breach reported in 2017.

For Barrett, upon examining the Access Health audit report, it’s hard to believe that the state “would allow all of these breaches to have occurred and not have had some type of oversight to assure that any of these breaches are in fact, reviewed, determined where the remediation, or the gaps are that need to take place.”

Particularly as one of these breaches affected 1,110 clients, Barrett noted. Under the Health Insurance Portability and Accountability Act, healthcare data breaches impacting more than 500 patients are supposed to be reported to the Office for Civil Rights.

“If that’s the case, where's the compliance side, as far as oversight for any of these breaches? There should be some entity or the government, at least in Connecticut, that should provide that level of oversight, whether it's the attorney general's office, or in many cases, at the federal level,” said Barrett. “I was just shocked when I read this,” he added.
The other concerning element for Barrett is the lack of third-party certification to demonstrate to stakeholders that the HIE is leveraging the appropriate policies, procedures, and rigorous controls. Without “having any of that, it's kind of the wild, wild west: allowing entities and these breaches to go, in essence, unreported, which is unbelievable to me, A, and B, not requiring any type of third-party review to minimize risk, because there are no controls here,” he added.

The response to these breaches should have absolutely had a requirement or statute in place where the organizations must go through a third-party review to demonstrate they have the necessary policies, procedures, and controls in place. Barrett stressed this type of measure will, at the very least, minimize the risk.

In short, there must be an oversight entity, whether the state attorney general’s office or another, that could be authorized to provide the appropriate oversight if and when a breach occurs, he explained. The authority could also ensure the incidents are reported to the appropriate regulatory bodies, as well as act as support from an accountability or reportability perspective if a remediation action is needed, which Barrett stressed is the only way to ensure the entity is held accountable and that the needed “remediation takes place so it doesn’t happen again.”

“There has to be some type of penalty, either monetary or basically saying ‘you can't continue to do business, unless you give us a remediation plan within X period of time... And you need to be reporting to us on some type of ongoing basis on how you are addressing this particular issue that was identified,’” said Barrett. “There has to be that level of accountability, otherwise, it's ‘whatever, however you want to do business, it's okay,’” he continued.
“I believe organizations at the state level should be requiring any entity… handling PII or PHI to go through third-party certification or accreditation, it raises the bar.”

Although this particular instance does not appear to involve those types of requirements or enforcement actions, given OCR’s latest round of enforcement, in tandem with states strengthening their privacy laws, it is clearly important to consider these challenges and mitigation needs.