Security audit of Premera identified issues prior to cyber-attack
Physician Practice Insider, April 7, 2015
Premera Blue Cross, based in Mountlake Terrace, Washington, announced March 17 that it was the victim of a cyber-attack that exposed the PHI of more than 11 million subscribers, according to lexology.com. Premera discovered January 29 that hackers gained access to its IT systems May 5, 2014, according to govinfosecurity.com. A notice on the Premera website states that the following information may have been accessed:
- Names
- Addresses
- Email addresses
- Telephone numbers
- Dates of birth
- Social Security numbers
- Member identification numbers
- Medical claims numbers
- Some bank account information
The Office of the Inspector General (OIG) conducted a security systems audit of Premera in January and February 2014, just months prior to the attack. In an audit report dated November 28, 2014, the OIG stated that Premera implemented an incident response plan and network security program.
However, the OIG noted a number of security concerns. Although a patch management policy was in place, scans performed during the audit revealed that patches were not implemented in a timely manner. In addition, methodologies were not in place to ensure that unsupported or out-of-date software was not used, and a vulnerability scan identified insecure server configurations.
At the time of the audit, Premera also lacked documentation of formal baseline configurations detailing its approved server operating settings. The insurer failed to perform a complete disaster recovery test for all of its systems, and the OIG identified weaknesses in Premera’s claims application controls.
This article originally appeared on the HIPAA Update blog.