URL: https://www.scmagazine.com/analysis/breach/health-insurance-exchange-didnt-report-44-data-breaches-but-were-hit-with-no-man...
Incident response, Strategy, Breach, Risk management
HEALTH INSURANCE EXCHANGE DIDN’T REPORT 44 DATA BREACHES, BUT WERE HIT WITH NO
SECURITY MANDATES

Jessica Davis, April 11, 2022
Connecticut's health information exchange had 44 breaches in the last three and
a half years, but failed to report them to the appropriate regulators. It begs
the question: where's the accountability? (Photo credit: "USNS Comfort (T-AH 20)
Performs Surgery" by NavyMedicine is marked with CC PDM 1.0.)

The health insurance exchange for Connecticut, Access Health, faced a whopping
44 data breaches over the course of three and a half years. But while the audit
report detailing these compromises names a host of security and compliance
shortcomings, the state auditor merely made recommendations to the HIE to
remediate the issues without requiring changes.

The failure to enact sharper enforcement begs the question: where’s the
accountability? As Lee Barrett, executive director of the Electronic Health
Network Accreditation Commission (EHNAC) puts it, “The bigger issue here is that
there’s no accountability.”

“Without any level of accountability, then everyone’s free to do whatever they
want, and that’s what they’re doing,” said Barrett.

The state auditor was required by the Connecticut General Statutes to audit the
HIE for fiscal years ended June 30, 2018 and 2019. The findings are thorough and
clear, identifying shortcomings with internal controls and noncompliance with
laws, regulations, and policies. 

The “significant findings” detailed in the report show a need to improve privacy
and security practices and procedures “that warrant the attention of
management.”

Specifically, Access Health failed to report 44 breaches of patients’ personally
identifiable information to the state comptroller and Auditors of Public
Accounts. A single contractor caused all but 10 of those breaches, but the HIE
did not “take sufficient actions to ensure the confidentiality, integrity, and
security of client data,” after making that determination.

The audit also found the HIE’s procurement policy is “extremely broad,” lacking
specific criteria to make determinations for awarding sole source contracts. And
on multiple occasions, Access Health failed to comply with purchasing policies,
such as “receiving services prior to the approval of four purchase orders for
$946,346.” 

The HIE also failed to promptly submit annual and quarterly reports to the
governor, Auditors of Public Accounts, and legislative Office of Fiscal Analysis
as required by state law.

The state auditor conducted a thorough examination of Access Health, including
written policies and procedures, financial records, minutes of meetings,
interviews with various personnel, and testing selected transactions, all in
accordance with government auditing standards.

In response to these findings, the state auditor made four thorough
recommendations of how to improve the program and reduce non-compliance.
Notably, two of those recommendations were made during the prior audit of the
program, meaning those problems are longstanding and unresolved.

Further, the audit does not require those changes or provide a timeline for when
these elements should be implemented, despite the previous recommendations being
unfulfilled. The recommendations also don’t include enforcement actions or
monetary penalties, much like audits provided by the Office of the Inspector
General and Government Accountability Office.


WHERE’S THE REGULATORY TEETH?

Given the major compliance issues – and the one problematic vendor behind the
majority of breaches – the lack of disciplinary action is shocking, said
Barrett.

It’s a stark contrast to the numerous state government audits of healthcare
entities conducted after reported data breaches, which resulted, at a minimum,
in requirements that security programs be implemented within specific
timeframes.

And in multiple settlements between the New Jersey Attorney General and
healthcare entities found in violation of state laws, the penalties included
stiff monetary fines. For example, the state reached a $495,000 settlement with
the Diamond Institute for Infertility and Menopause over failures in its
cybersecurity practices discovered after a healthcare data breach reported in 2017.

For Barrett, upon examining the Access Health audit report, it’s hard to believe
that the state “would allow all of these breaches to have occurred and not have
had some type of oversight to assure that any of these breaches are in fact,
reviewed, determined where the remediation, or the gaps are that need to
take place.”

That is particularly troubling given that one of these breaches affected 1,110
clients, Barrett noted. Under the Health Insurance Portability and
Accountability Act, healthcare data breaches impacting more than 500 patients
are supposed to be reported to the Office for Civil Rights.

“If that’s the case, where's the compliance side, as far as oversight for any of
these breaches? There should be some entity or the government, at least in
Connecticut, that should provide that level of oversight, whether it's the
attorney general's office, or in many cases, at the federal level,” said
Barrett.

“I was just shocked when I read this,” he added.

The other concerning element for Barrett is the lack of third-party
certification to demonstrate to stakeholders that the HIE is leveraging the
appropriate policies, procedures, and rigorous controls.

Without “having any of that, it's kind of the wild, wild west: allowing entities
and these breaches to go, in essence, unreported, which is unbelievable to me,
A, and B, not requiring any type of third-party review to minimize risk, because
there are no controls here,” he added.

Barrett argued that the response to these breaches should absolutely have
included a requirement or statute under which the organization must go through a
third-party review to demonstrate it has the necessary policies, procedures, and
controls in place. At the very least, he stressed, this type of measure
minimizes the risk.

In short, there must be an oversight entity, whether the state attorney
general’s office or another that could be authorized to provide the appropriate
oversight if and when a breach occurs, he explained.

That authority could also ensure incidents are reported to the appropriate
regulatory bodies and provide support, from an accountability or reportability
perspective, when a remediation action is needed. Barrett stressed this is the
only way to ensure the entity is held accountable and that the needed
“remediation takes place so it doesn’t happen again.”

“There has to be some type of penalty, either monetary or basically saying ‘you
can't continue to do business, unless you give us a remediation plan within X
period of time... And you need to be reporting to us on some type of ongoing
basis on how you are addressing this particular issue that was identified,” said
Barrett.

“There has to be that level of accountability, otherwise, it's ‘whatever,
however you want to do business, it's okay,’” he continued. “I believe
organizations at the state level should be requiring any entity… handling PII or
PHI to go through third-party certification or accreditation, it raises the
bar.”

Although this particular instance does not appear to demonstrate those types of
requirements or enforcement actions, given OCR’s latest round of enforcement, in
tandem with states strengthening their privacy laws, it’s clearly important to
consider these challenges and mitigation needs.

