Research Paper Example: BlueCross BlueShield Incidents 2014-2015

Middlebury College
Type of paper: Research paper

Healthcare organizations hold vast assets in the form of personally identifiable information on a large population. As such, healthcare organizations have become the latest victims of hackers and cybercriminals who aim to access this information. Furthermore, unlike financial and retail institutions, healthcare organizations are inefficient in handling the data they possess, in that they lack the processes, resources, and technologies required to safeguard the information and to prevent and effectively detect cyber attacks. In the recent past, there have been several cyber attacks on various healthcare organizations, attacks that have resulted in hackers gaining access to vast amounts of personal information. One such case is the cyber attack on the health insurer Excellus BlueCross BlueShield.

In August of 2015, Excellus BlueCross BlueShield, a health insurer in New York, discovered a data breach in its systems that potentially compromised the personal information of 10.5 million clients. Although the breach was discovered in August, it was later determined that the attacks had begun nineteen months earlier. There are ethical issues that can be attributed to the data breach at Excellus. Most healthcare institutions, including Excellus, make use of legacy systems. Legacy systems are ineffective in protecting data because they do not treat data as sensitive, and data is not properly encrypted within the database (Ashford, 2016). It is the responsibility of healthcare organizations to ensure the safety of their clients' personal information, and as such certain measures should be implemented in their systems to prevent and quickly detect intrusions. However, by relying on inadequate systems, Excellus could neither detect nor prevent intrusions and was therefore vulnerable to cyber attacks.

Another factor that led to the breach at Excellus was the legal compliance issue of inadequate risk assessment processes and procedures. According to a report by KPMG, a renowned audit firm in the United States, its audit of the company's systems found that the risk assessment procedures and policies were inefficient in identifying the vulnerabilities and risks to the integrity, confidentiality, and availability of electronic protected health information (O'Neill, 2017). As such, although such policies and procedures were present in the organization, they failed to prevent the breach. The inadequacy of the policies and procedures constituted negligence on the part of Excellus in protecting personal information, which opened the organization up to lawsuits from various clients.

The cyber attack on Excellus, due to negligence in protecting personal data, led to certain cultural and societal impacts. After the discovery of the breach, Excellus stated that clients' personal information had not been removed or used inappropriately, despite the fact that the cybercriminals had had unauthorized access to the information for over a year before the intrusion was detected. Consequently, given the long period and the high level of access that the hackers had, there is no clear way to determine whether any information was removed or how much information the hackers may have acquired. As such, the medical information of Excellus's clients may have been disclosed, and once disclosed, such information cannot be made private again. In the recent past, there have been revelations that data from the Excellus database has been used in cases of identity theft, credit fraud and false tax filings (O'Neill, 2017), even though Excellus denies that any information was retrieved from its database, claiming that such information could have been obtained from other sources.

Although there were no major regulatory changes after the Excellus cyber attack, the company took certain actions to ensure its clients' safety. For instance, Excellus offered its clients two years of free monitoring services (Ashford, 2016). The data breaches at the various health insurers were also a wake-up call to other organizations to carry out periodic audits of their systems to make sure that there are no vulnerabilities. Furthermore, in light of the hefty penalties and lawsuits against Excellus for its violation of HIPAA privacy and security laws, organizations in the healthcare industry are amending their technology practices and policies so that they are in line with the HIPAA Security Rule guidelines for safeguarding electronic protected health information (Linda, 2016).

With the increase in online transactions and electronically stored records, the security and privacy of such information is a major priority. Thus, organizations' standards for information technology have to be in line with industry standards. Under HIPAA regulations, there are specific requirements that healthcare organizations must adhere to in order to safeguard electronic protected health data. One of the measures to be implemented to ensure compliance is maintaining high levels of data security. However, as stated earlier, Excellus's risk assessment procedures and policies were inefficient in identifying the vulnerabilities and risks to the integrity, confidentiality, and availability of electronic protected health information, which violated HIPAA's Privacy Rule, which mandates that healthcare organizations safeguard personally identifiable health data such as electronic protected health information. Furthermore, through its use of legacy systems, Excellus also violated HIPAA's Security Rule, which requires all HIPAA covered entities to implement certain security measures that ensure the safety of electronic protected health information (Linda, 2016).

The Excellus data breach had a significant cultural impact on how people view the use of information technology. For instance, clients of Excellus were no longer confident that the organization could adequately protect their personal data. This lack of confidence led to the loss of a significant number of clients by the organization. Furthermore, current clients are anxious that another breach could occur in the future, which could lead to the loss of even more sensitive data. However, as pointed out by Menelly, an assistant professor of software engineering at Rochester Institute of Technology, the average person should not live in fear, as such mistakes by the health insurer are easily fixable to ensure that such an incident does not happen again (Adams, 2015).

References

Adams, B. (2015, September 10). Expert: "I See A Failure of Our Workforce to Grasp the Needs of IT Security". WXXI News.

Ashford, W. (2016, September 10). US health insurer Excellus BlueCross BlueShield hit by data breach. Computer Weekly.

Linda, B. (2016). An Analysis of the Relationship between Security Information Technology Enhancements and Computer Security Breaches. Nova Southeastern University.

O'Neill, P. H. (2017, March 2). Health insurer Excellus is latest to argue that hacked data could've come from anywhere. Cyberscoop.
