By TxMQ Middleware Architect Gary Dischner

No surprise to hear of yet another breach occurring – this time at Premera Blue Cross. The company became aware of a security breach on Jan. 29, 2015, but didn’t begin to notify anyone involved (including the state insurance board) until March 17, which was 6 weeks later. The actual attack took place in May 2014 and may affect 11 million customer records dating back to 2002.

As with many companies that experience a security breach, the excessive delays in first identifying and confirming that a breach had occurred, coupled with the typical delays in assessing the incident and providing notification, led the state insurance board to fault Premera for untimely notification. A review of the HIPAA regulations for breach reporting indicates that notification of those impacted must occur within 60 days. Many companies, including Premera, simply aren’t equipped with the tools and security-management processes to handle these incidents. For healthcare companies, HIPAA guidelines state that notification to the state insurance commissioner should be immediate for breaches involving more than 500 individuals. Consequently, Premera is now being sued by the state insurance commissioner.

A company found guilty of late notification should concern the public: there is at least the appearance of a general lack of concern over both the impact and the severity to its customers, partners and constituents. Premera Blue Cross has responded to its own behavior with efforts to protect itself and to cover up details of the incident, rather than being forthright with information so that those impacted can take the steps needed to protect themselves from further exposure and potential consequences, such as fraud and identity theft.

A secondary concern is the lack of security-management measures around protected data at many companies. In this case, the audit recommendations – which had been provided to Premera on Nov. 28, 2014 – found serious infractions in each of the following domains:

  • Security management
  • Access controls
  • Configuration management
  • Segregation of duties
  • Contingency planning
  • Application controls specific to Premera’s claims-processing systems
  • HIPAA compliance

More and more companies are being reminded of data exposures and the related risks, but they remain slow to respond with corrective measures. Companies of high integrity will take immediate responsive measures and will openly express concern for the repercussions of the exposure. Companies that do not? They should be dealt with severely. Let this Premera example serve as a wake-up call, as the Anthem breach did, for companies that hold sensitive data. As a customer or business partner, let them know you expect them to take every measure to protect your healthcare and financial information.

In closing, let’s all take away a few lessons learned. Security assessments must become a regular operational function. Self-audits demonstrate a company’s integrity and its commitment to identifying process improvements for security management. The results of such efforts should be assessed quarterly, with reports to the company board, to make sure every vulnerability is remediated and the customers who work with the company are protected. After all, only the company itself can secure its own technical environments.

Photo by torbakhopper

Gary Dischner is a certified Enterprise Architect with deep experience across diverse technology areas including application, network, security, infrastructure and devops. He's certified on many IBM product sets including Solution Designer for WODM 6.0, Program Manager for BPM (Lombardi) 7.5, WebSphere MQ Solution Designer 7.0, WebSphere MQ Administration 7.0, Connect Direct Administration, IBM MobileFirst Sales Mastery (mobility certification), IBM Social Business Solution Sales Mastery, Power System with Power 7 Common Sales Skills, Power System with Power 7 Technical Skills and Enterprise Architecture. Gary has served as the lead for many first-of-a-kind solutions including voter modernization for the State of Florida, healthcare-delivery modernization, BMS from discovery to market modernization process, and many first-of-a-kinds at Morgan Stanley for go-to-market projects. He's served as Associate Professor at Canisius College in Buffalo, NY for over 10 years and has also served as an ambassador in representation of IBM at several college forums.
