John Shegerian, Co-Founder and Executive Chairman of ERI, the largest fully integrated IT and electronics asset disposition provider and cybersecurity-focused hardware destruction company in the United States, has called the recent record HIPAA settlement by Anthem a “dire warning for the entire healthcare industry” regarding how seriously cyber threats must be taken.
“The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” said OCR Director Roger Severino in a recent report.
“The situation Anthem found itself in is deeply regrettable, but avoidable,” said Shegerian. “In fact, with the massive increases in cybercrime and hardware hacking, the entire healthcare sector has an uphill battle to fight in terms of protecting its digital data if it is to protect patient privacy and meet all HIPAA regulatory standards.”
In 2015, Anthem filed a breach report with the HHS OCR detailing that cyber thieves had gained access to its IT system “via an undetected continuous and targeted cyberattack for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack.” After filing the breach report with OCR, Anthem discovered that the attackers had infiltrated its system through spear phishing emails sent to an Anthem subsidiary; at least one employee responded to the malicious email and opened the door to further attacks, OCR reported.
Shegerian warns that cyberspace is only one avenue of exposure and that hardware may be an even more sensitive target.
“Cyber crime in the healthcare sector is rampant, and hardware hacking, in particular, is an area that an alarming number of organizations are simply not prepared to confront,” added Shegerian. “Even if ‘wiped of data’ in the traditional sense, computers, cell phones, tablets and other devices used in medical scenarios pose a massive risk at the end of their life cycles. Because the technology that organizations use may contain components that store sensitive information, health-related organizations must take this problem very seriously to avoid exposure and potential HIPAA regulation violations. Unfortunately, hackers have become more sophisticated, leading to an urgent need for responsible and fully integrated ePHI and PHI services.”