While attention is focused on the insurer and potential HIPAA violations, according to the U.S Office of Personnel Management, the insurer was deemed to be HIPAA-compliant after an audit of its systems last year.
The U.S Office of Personnel Management conducted general testing of Premera’s information systems in January 2014, in addition to a full application control audit. While the Office for Civil Rights is tasked with auditing healthcare providers on HIPAA compliance, the OPM also conducts audits on entities that provide healthcare services for government staff.
The audit did not find any areas of HIPAA compliance that warranted any action to be taken, although there were a number of observations made by the auditors. The problems identified by the OCM included a lack of physical controls to protect the data held in its data center. Under HIPAA Rules, organizations are required to implement physical controls to protect data, as well as numerous administrative and technical measures to ensure patient privacy is maintained.
The audit also highlighted issues with the insurers patch management policy, which could potentially result in security vulnerabilities developing. The insurer was advised that it must implement software patches more rapidly to prevent external unauthorized third parties from taking advantage of these security vulnerabilities.
The insurer was also found to have no methodology for preventing the utilization of unsupported or out-of-date software, no documented baseline system for software configurations, the latter preventing an effective audit of its security configuration settings from taking place. The auditors also found that no disaster recovery test had been performed, another requirement of HIPAA Rules.
According to the report issued on the audit by the OCM, “Nothing came to our attention that caused us to believe that Premera is not in compliance with the HIPAA security, privacy, and national provider identifier regulations,”
The initial report was issued to Premera in April last year, a month before the breach occurred. The insurance provider did implement some measures to fix the above issues, although it is currently not clear if the hackers were able to gain access to its servers via one of the security vulnerabilities identified by the OPM.
What is worrying is that an organization can be found to be compliant with HIPAA in spite of numerous apparent violations, and just a month before the largest healthcare data breach occurred. It has been suggested that government audits are not sufficiently comprehensive and that HIPAA standards are not high enough to protect patient data, especially in the current climate when healthcare providers and insurers are being targeted by cybercriminals for the patient data they hold.