Anthem Attack could have been avoided from hack

80 million consumers are at risk because Anthem did not fully protect their personal data.  Anthem was just the latest in a long list of companies hacked by cyber criminals. Full encryption of data during export and while being stored would have severely limited the HIPAA-protected information hackers could access.

Anthem spokeswoman Kristin Binns told the Associated Press, “The hacker had a system administrator's ID and password, which would have made encryption a moot point."  She went on to add that the company normally encrypts data that is exported.

Both statements raise many questions.  First, encryption done properly is never a "moot" point.  It is vital to encrypt all data that contains sensitive personal health information. In 2015, when encryption is so easy and inexpensive to provide, there should never be a question of whether a company will encrypt data.  Organizations that are still on the fence need to lock their systems down now!

Second, Anthem does encrypt exported data.  But what about when the data is being stored?  Companies often only provide minimum protection that only conveys, "move on, nothing to see here" – hoping the hackers will simply pass them by.   

This security plan is like giving a hacker a key to a gigantic shopping mall. The key allows the hacker to gain access into every single store, bypassing their additional locks and alarm systems.  The hacker can basically rob the entire mall blind while everyone is sleeping.

A September 2014 Forrester research report stated that just over half of healthcare employees (59 percent) use full-disk encryption or file-level encryption on computing devices at work.  With such slow adoption of these security practices by the healthcare industry, federal officials are now reviewing whether HIPAA laws should include encryption requirements.

MEDIPROCITY encrypts all data, at all times -- in transit, and at rest and on all mobile devices. If our customers suffer a cyber security breach they can say that all of their data was fully protected rather than explain to regulators, lawyers and the public that they “thought” they were secure.

So the question is, what does your organization do when it comes to securing communication in the office and on mobile devices?  Is your company next in line to be hacked?  What will you say to your customers when their social security numbers, financial records and personal information are used to hijack their lives?

Protect your company and your customers. 


OCR Audit Letter example of a possible audit review

For years we here at Mediprocity have been discussing the risks of not encrypting your patient health information in light of the new Final HIPAA Omnibus Rule (2013).  Overall, we have found that most potential customers are concerned and aware of the regulations, but that certainly doesn't mean the majority are in a big hurry to secure themselves.  There are those organizations however who take it very seriously and have fully encrypted their data, put policies in place and performed their annual risk analysis.  More often than not though, many are still on the fence, especially when it comes to secure text messaging.

In light of the recent Anthem attack, many legislators are discussing making encryption mandatory and not voluntary.  This would be an ideal choice as standards to protect are much more cost-effective than if an actual breach occured.  Not only the fines but the cost to defend your organization as well as the costs of your business reputation are so high this should be a no brainer in 2015.  Borrowing from the old California milk campaign that worked so well for 21 years, healthcare needs to call the firm and begin a new one... "Got Encryption?!"

If you are still trying to decide what is best for your organization, or taking time to find the security firm that has 100% of the bells and whistles you are want, then the question must be asked... "what would you do if you received a letter from the OCR?"

OCR "Office of Civil Rights" who oversees HIPAA sends an audit letter to your organization.  Your organization is less than 10 employees and you received this letter because either a covered entity or business associate you do business with had a breach.  Now you are being investigated.

You have 20 days to respond to the following items which include:

1) A full written response to the allegations

2) All documentation associated with the allegations

3) Records showing your most recent risk assessment

4) During your assessment did you discover a breach

5) Copies of your policies and procedures for PHI safeguarding

6) Risk analysis per 45 C.F.R 164.308(a)(1)(ii)

7) Evidence of your systems (access, activity, security levels)

8) Evidence of network scans and penetration tests

9) Copy of policy 45 C.F.R 164.308(a)(4)

10) Copy of your training materials and evidence they are put into daily practice

11) Evidence of malicious software protection

12) Backup procedures and evidence of these

13) Evidence of technial access controls

14) Evidence of network security

15) Details of network security

Then you must add the full name and title of the individual(s) responsible for all requests.  YOU HAVE 20 DAYS of receipt of this letter.

If you are the type of organization that is still working to put together your policy, and you have nothing in place around mobile devices except "we tell our staff not to use", how do you think that will go over in your response?  How do you think it will go over if you can't answer most of these questions?

Now, let's reverse that to where you can send them your full risk analysis, network security information in detail and you have your email and mobile devices fully encrypted. 

Sign up today and see just how easy it is to protect your organization using Mediprocity!  In fact, Mediprocity goes further than just HIPAA protection - we can help change the way you communicate healthcare information!


Check our partners for more protection services:

Keystone IT -- network management and analysis

Working Security -- penetration tests and system tests

HIPAAtrek -- great resource for getting your documents in order for HIPAA

LuxSci -- full email encryption that is integrated with Mediprocity


Source: Detailed OCR Letter


Mediprocity Helps in protection of patient health data

With more and more headlines regarding patient healthcare information breaches as well as security attacks, people are slowly starting to realize that putting secure text messaging in place is not only smart, but necessary.
It is an amazing phenomenon that users who have smartphones, and there are more of them each day that are upgrading, simply use it for texting.  They may not email or want to leave voicemails, but they will text.
Why?  It is simple and fast to use. Period.
If you take a look at different industries, they all have security issues and workflow problems.  Healthcare especially because they must adhere to the HIPAA Omnibus rule and HITECH act.  Billions are lost each year with inefficient workflows in place.  The question is can technology improve workflows?
We know technology can most definitely improve security, so if we can also show how much it can improve workflow chances are it will save organizations money.
How many times a day is a healthcare professional trying to track down a physician in order to get clarification or approval around an order?  If physicians sat in cubicles all day this would not be an issue, but any physician knows that they are moving from home, office, hospital and clinic throughout the day and night.  They keep up to date using their smartphones.  Almost 90% of physicians use their smartphones to text!
When looking for a secure text messaging company it should have more than simple encrypted content.  It needs to have proper retention of records, administrative privileges in place, read receipt and a whole lot more.
A secure messaging system should easily integrate into EHR technologies as well as other important technology. Mediprocity does all of this and more and all at a low monthly price!
We have reinvented the wheel when it comes to secure messaging, the issue is everyone is far too busy to stop and realize this will help and not hurt their communication.


Send Us An Email
DO NOT add any patient health information here. We will follow up with you to discuss any PHI or security credentials. DO NOT share any PHI or any credentials in this help desk ticket. Thank you!

Send Us An Email