Physician Practice

Security audit of Premera identified issues prior to cyber-attack

Physician Practice Insider, April 7, 2015

Premera Blue Cross, based in Mountlake Terrace, Washington, announced March 17 that it was the victim of a cyber-attack that exposed the PHI of more than 11 million subscribers, according to lexology.com. Premera discovered January 29 that hackers gained access to its IT systems May 5, 2014, according to govinfosecurity.com. A notice on the Premera website states that the following information may have been accessed:

  • Names
  • Addresses
  • Email addresses
  • Telephone numbers
  • Dates of birth
  • Social Security numbers
  • Member identification numbers
  • Medical claims numbers
  • Some bank account information

The Office of the Inspector General (OIG) conducted a security systems audit of Premera in January and February 2014, just months prior to the attack. In an audit report dated November 28, 2014, the OIG stated that Premera implemented an incident response plan and network security program.

However, the OIG noted a number of security concerns. Although a patch management policy was in place, scans performed during the audit revealed that patches were not implemented in a timely manner. In addition, methodologies were not in place to ensure that unsupported or out-of-date software was not used and a vulnerability scan identified insecure server configurations.

At the time of the audit, Premera also lacked documentation of formal baseline configurations detailing its approved server operating settings. The insurer also failed to perform a complete disaster recovery test for all of its systems. The OIG also identified weaknesses in Premera’s claims application controls.

This article originally appeared on the HIPAA Update blog.
 

Most Popular