[BreachExchange] Health insurance exchange didn’t report 44 data breaches, but were hit with no security mandates

[Matthew Wheeler]

https://www.scmagazine.com/analysis/breach/health-insurance-exchange-didnt-report-44-data-breaches-but-were-hit-with-no-mandate-to-improve-security

The health insurance exchange for Connecticut, Access Health, faced a
whopping 44 data breaches over the course of three and a half years. But
while the audit report detailing these compromises names a host of security
and compliance shortcomings, the state auditor merely made recommendations
to the HIE to remediate the issues without requiring changes.

The failure to enact sharper enforcement begs the question: where’s the
accountability? As Lee Barrett, executive director of the Electronic Health
Network Accreditation Commission (EHNAC) puts it, “The bigger issue here is
that there’s no accountability.”

“Without any level of accountability, then everyone’s free to do whatever
they want, and that’s what they’re doing,” said Barrett.

The state auditor was required by the Connecticut General Statutes to audit
the HIE for fiscal years ended June 30, 2018 and 2019. The findings are
thorough and clear, identifying shortcomings with internal controls and
noncompliance with laws, regulations, and policies.

The “significant findings” detailed in the report show a need to improve
privacy and security practices and procedures “that warrant the attention
of management.”

Specifically, Access Health failed to report 44 breaches of patients’
personally identifiable information to the state comptroller and Auditors
of Public Accounts. A single contractor caused all but 10 of those
breaches, but the HIE did not “take sufficient actions to ensure the
confidentiality, integrity, and security of client data,” after making that
determination.

The audit also found the HIE’s procurement policy is “extremely broad,”
lacking specific criteria to make determinations for awarding sole source
contracts. And on multiple occasions, Access Health failed to comply with
purchasing policies, such as “receiving services prior to the approval of
four purchase orders for $946,346.”

The HIE also failed to promptly submit annual and quarterly reports to the
governor, Auditors of Public Accounts, and legislative Office of Fiscal
Analysis as required by state law.

The state auditor conducted a thorough examination of Access Health,
including written policies and procedures, financial records, minutes of
meetings, interviews with various personnel, and testing selected
transactions, all in accordance with government auditing standards.

In response to these findings, the state auditor made four thorough
recommendations of how to improve the program and reduce non-compliance.
Notably, two of those recommendations were made during the prior audit of
the program, meaning those problems are longstanding and unresolved.

Further, the audit does not require those changes or provide a timeline for
when these elements should be implemented, despite the previous
recommendations being unfulfilled. The recommendations also don’t include
enforcement actions or monetary penalties, much like audits provided by the
Office of the Inspector General and Government Accountability Office.

Where’s the regulatory teeth?

Given the major compliance issues – and the one problematic vendor behind
the majority of breaches -- the lack of disciplinary action is shocking,
said Barrett.

It’s a staunch comparison when considering the number of state government
audits of several healthcare entities following reported data breaches,
which resulted in, at a minimum, requirements for security programs to be
implemented within specific timeframes.

And in multiple settlements between the New Jersey Attorney General and
healthcare entities found in violation of state laws, the penalties include
stiff monetary fines. For example, the $495,000 settlement between the
state and the Diamond Institute for Infertility and Menopause over failures
in its cybersecurity practices found after a healthcare data breach
reported in 2017.

For Barrett, upon examining the Access Health audit report, it’s hard to
believe that the state “would allow all of these breaches to have occurred
and not have had some type of oversight to assure that any of these
breaches are in fact, reviewed, determined where the the remediation, or
the gaps are that need to take place.”

Particularly as one of these breaches affected 1,110 clients, Barrett
noted. Under The Health Insurance Portability and Accountability Act,
healthcare data breaches impacting more than 500 patients are supposed to
be reported to the Office for Civil Rights.

“If that’s the case, where's the compliance side, as far as oversight for
any of these breaches? There should be some entity or the government, at
least in Connecticut, that should provide that level of oversight, whether
it's the attorney general's office, or in many cases, at the federal
level,” said Barrett.

“I was just shocked when I read this,” he added.

The other concerning element for Barrett is the lack of third-party
certification to demonstrate to stakeholders that the HIE is leveraging the
appropriate policies, procedures, and rigorous controls.

Without “having any of that, it's kind of the wild, wild west: Allowing
entities and these breaches to go, in essence, unreported, which is
unbelievable to me, A, and B, not requiring any type of third-party review
to minimize risk, because there are no controls here,” he added.

The response to these breaches should have absolutely had a requirement or
statute in place where the organizations must go through a third-party
review to demonstrate they have the necessary policies, procedures, and
controls in place. Barrett stressed this type of measure will, at the very
least, minimize the risk.

In short, there must be an oversight entity, whether the state attorney
general’s office or another that could be authorized to provide the
appropriate oversight if and when a breach occurs, he explained.

The authority could also ensure the incidents are reported to the
appropriate regulatory bodies, as well as, act as support from an
accountability or reportability perspective, if a remediation action is
needed, which Barrett stressed is the only way to ensure the entity is held
accountable and that the needed “remediation takes place so it doesn’t
happen again.”

“There has to be some type of penalty, either monetary or basically saying
‘you can't continue to do business, unless you give us a remediation plan
within X period of time... And you need to be reporting to us on some type
of ongoing basis on how you are addressing this particular issue that was
identified,” said Barrett.

“There has to be that level of accountability, otherwise, it's ‘whatever,
however you want to do business, it's okay,’” he continued. “I believe
organizations at the state level should be requiring any entity… handling
PII or PHI to go through third-party certification or accreditation, it
raises the bar.”

Although this particular instance does not appear to demonstrate those
types of requirements or enforcement actions, OCR’s latest round of
enforcement, in tandem with states strengthening their privacy laws, it’s
clearly important to consider these challenges and mitigation needs.

Jessica Davis
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20220412/daf03163/attachment.html>