Security audit of Premera identified issues prior to cyberattack
HIM-HIPAA Insider, March 30, 2015
Premera Blue Cross, based in Mountlake Terrace, Washington, announced March 17 that it was the victim of a cyberattack that exposed the PHI of more than 11 million subscribers, according to lexology.com.
Premera discovered January 29 that hackers gained access to its IT systems May 5, 2014, according to govinfosecurity.com. A notice on the Premera website states that hackers may have accessed the following information:
- Names
- Addresses
- Email addresses
- Telephone numbers
- Dates of birth
- Social Security numbers
- Member identification numbers
- Medical claims numbers
- Some bank account information
The Office of the Inspector General (OIG) conducted a security systems audit of Premera in January and February 2014, just months prior to the attack. In an audit report dated November 28, 2014, the OIG stated that Premera implemented an incident response plan and network security program.
However, the OIG noted a number of security concerns. Although a patch management policy was in place, scans performed during the audit revealed that Premera did not implement patches in a timely manner. In addition, Premera had no way to ensure that unsupported or out-of-date software was not used, and a vulnerability scan identified insecure server configurations.
At the time of the audit, Premera also lacked documentation of formal baseline configurations detailing its approved server operating settings. The insurer also failed to perform a complete disaster recovery test for all of its systems. The OIG also identified weaknesses in Premera’s claims application controls.
This article originally appeared on HCPro’s HIPAA Update blog.