
Security Breach Anthem Health Systems

With the recent security breach at Anthem Health Systems, what precautions as employers can we take to protect our employees' sensitive data?

Answers

Topic Expert
Regis Quirin
Title: Director of Finance
Company: Gibney Anthony & Flaherty LLP

This topic needs to be addressed from multiple levels –

CIO – Ensure the systems of the organization are aligned and contain the proper encryption. Information that enters the organization through external partners is scanned to ensure it is without malware and viruses.

COO – Ensure the proper policies and procedures are established. Conduct training and validate the policies are followed. People are a large reason for breaches. We make mistakes. Make sure a Segregation of Duty analysis is conducted annually. Limit access to company information to only those who need it.

CFO – Establish a thorough Business Continuity Plan, i.e. what to do if a data breach occurs.

But if you choose to do nothing, there can be penalties – "Further, a company engages in unfair acts or practices if its data security practices cause or are likely to cause substantial injury to clients that is neither reasonably avoidable by clients nor outweighed by countervailing benefits to clients or to competition. The Commission has settled more than 20 cases alleging that a company's failure to reasonably safeguard consumer data was an unfair practice." (Prepared Statement of the Federal Trade Commission on Protecting Personal Consumer Information from Cyber Attacks and Data Breaches before the Committee on Commerce, Science and Transportation, Washington DC, March 26, 2014)

Christine Speedy
Title: Global Business Development
Company: CenPOS

I agree with Regis. Plus, if you follow new PCI Compliance 3.0 for accepting credit cards, and adopt many of those practices for employee records, it's a safe bet you'll harden security. One of the new components is 'monitoring'. So not only are there checklists, but someone has to sign off on them on a scheduled basis. There has to be accountability to someone who's verifying the steps are done.

Here are some examples that parallel PCI you can do right now:
Do you have an audit trail of who accessed employee records, when, and from where? Is that access limited by job role? Are strong passwords enforced and required to change every 30 days?
Microsoft issued critical security alerts this month largely for Internet Explorer. Are all computers and laptops updated?
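
The controls the two answers above call for (role-limited access, an audit trail of who touched which record and from where, an annual segregation-of-duties check, and a scheduled review someone signs off on) can be sketched in a few dozen lines. The following is an added example written for this page; it is not code from the thread, from Proformative, or from any product mentioned. The roles, network ranges, timestamps and users are constructed placeholders, and the 30-day password window is only the figure the answer quotes.

```python
"""Added example: least-privilege access to employee records with an audit
trail, plus a segregation-of-duties check and a scheduled audit-log review.
All roles, users, addresses and timestamps are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Least privilege: each job role gets only the actions it needs on HR records.
ROLE_PERMISSIONS = {
    "hr_specialist": {"read", "update"},
    "payroll_clerk": {"read"},
    "it_admin": set(),  # runs the systems, has no business reading records
}

# Segregation of duties: role pairs one person must never hold at the same time.
CONFLICTING_ROLES = [frozenset({"hr_specialist", "payroll_clerk"})]

# Constructed "office" address range; access from anywhere else gets reviewed.
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    user: str
    role: str
    action: str
    record_id: str
    source_ip: str
    allowed: bool


class EmployeeRecordStore:
    """Every access attempt, allowed or denied, is written to the audit trail."""

    def __init__(self):
        self.audit_log: list[AuditEvent] = []

    def access(self, user, role, action, record_id, source_ip, ts):
        allowed = action in ROLE_PERMISSIONS.get(role, set())
        self.audit_log.append(
            AuditEvent(ts, user, role, action, record_id, source_ip, allowed))
        return allowed


def sod_violations(user_roles):
    """Return users holding a conflicting pair of roles (the annual SoD review)."""
    return sorted(
        user for user, roles in user_roles.items()
        if any(pair <= set(roles) for pair in CONFLICTING_ROLES))


def review_audit_log(log):
    """Scheduled review: denied attempts and access from outside the corporate
    network are the findings a named reviewer signs off on."""
    findings = []
    for ev in log:
        if not ev.allowed:
            findings.append((ev.user, "denied", ev.action, ev.record_id))
        elif not any(ip_address(ev.source_ip) in net for net in CORPORATE_NETWORKS):
            findings.append((ev.user, "off-network", ev.action, ev.record_id))
    return findings


def password_rotation_overdue(last_changed, now, max_age_days=30):
    """True once a password is older than the rotation window."""
    return now - last_changed > timedelta(days=max_age_days)


def demo():
    """Constructed sequence: one legitimate update, one out-of-role attempt,
    one read from an address outside the office range."""
    store = EmployeeRecordStore()
    t0 = datetime(2015, 2, 10, 9, 0)
    store.access("alice", "hr_specialist", "update", "emp-0042", "10.1.2.3", t0)
    store.access("bob", "payroll_clerk", "update", "emp-0042", "10.1.2.9",
                 t0 + timedelta(minutes=5))
    store.access("alice", "hr_specialist", "read", "emp-0042", "203.0.113.7",
                 t0 + timedelta(hours=3))
    findings = review_audit_log(store.audit_log)
    sod = sod_violations({"alice": ["hr_specialist"],
                          "carol": ["hr_specialist", "payroll_clerk"]})
    return findings, sod


if __name__ == "__main__":
    findings, sod = demo()
    for line in findings:
        print("finding:", line)
    print("SoD violations:", sod)
```

The point of logging denied attempts alongside allowed ones is that a reviewer sees the out-of-role request from "bob" as well as the off-network read, which is the accountability the answer describes: a checklist that someone has to look at and sign on a schedule, not just a log that exists.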

Topic Expert
Wayne Spivak
Title: President & CFO
Company: SBAConsulting.com

Here's a side issue to the breach - when did Anthem Health know (and I'll be generous and peg this at >90% assiduity that they were hacked) and how long did it take for them to inform their clients/customers.

I'd wager it wasn't quick enough on any level.
