Analysis: Did Anthem's Security 'Certification' Have Value?Insurer Was Certified as HITRUST CSF Compliant Before Its Mega-Breach
Health insurer Anthem announced in September 2013 that it had been certified as compliant with the HITRUST Common Security Framework. Then it revealed in February 2015 that it had fallen victim to a breach that exposed data on nearly 79 million individuals. And in a report released last week, federal regulators said the cyberattackers likely began their intrusions in February 2014, about five months after the insurer achieved HITRUST certification.
Now that the insurer has agreed to a record $16 million HIPAA settlement with federal regulators, who spelled out in detail the company's security shortcomings - including the lack of a risk assessment - it's worth scrutinizing the value of adopting a security framework.
"I'm not aware of any hacker that has been thwarted by an organization that had a set of well-written policies."
—Tom Walsh, tw-Security
While many security experts say compliance with frameworks, such as HITRUST's and others, has value in helping to demonstrate an organization's security maturity, they caution that such compliance is no assurance of immunity from a breach, much less verification that an organization has taken all the right security precautions.
"The HITRUST certification is about a framework for compliance. Compliance is evidence driven: Policies, procedures, plans, forms, etc." says Tom Walsh, founder of consultancy tw-Security.
"I'm not aware of any hacker that has been thwarted by an organization that had a set of well-written policies. Compliance and risk management are not the same thing. An organization can be in compliance or meet a framework and still be at risk for a breach. Compliance and frameworks help organizations reduce their risks, but they cannot eliminate all of the threats."
Security consultant Mark Johnson, a shareholder at LBMC Information Security and a former healthcare CISO, notes: "The HITRUST CSF Certification is not a guarantee, and no audit can provide absolute assurance.
"It says your cyber program has attained a certain level of maturity. It doesn't say that you are impervious to attacks. A certification says your processes have reached a certain level of maturity, but no cybersecurity program is without improvement possibilities."
Certifications, Johnson argues, "are just one of many things to consider when understanding our risk related to protected data we share with third parties."
On Sept. 30, 2013, Anthem - then still known as Wellpoint - issued a press release celebrating its achievement of reaching CSF certified status from HITRUST, which at the time was still known as the Health Information Trust Alliance.
"WellPoint is the largest health benefits company to achieve HITRUST CSF Certified status under 2013 assurance criteria," the statement said.
"The CSF Certified status under new 2013 assurance criteria assures WellPoint's members, clients, and business partners that the company is meeting the highest standards within the healthcare industry for managing security risks and protecting health information. CSF assurance criteria is reviewed annually and modified based on changing regulations and loss data analysis," according to the statement.
The Cost of Certification
In general, it's not easy or cheap for organizations to achieve CSF certification. HITRUST's fees to become certified are typically based on an organization's revenue. Then there are fees for third-party firms working with the organizations seeking certification. Some prices listed on websites of CSF assessors range from $40,000 to $60,000, and the costs can go up from there.
Organizations seeking CSF certification generally need to be assessed by third party "CSF assessors" - organizations that have been approved by HITRUST for performing assessment and services associated with the CSF Assurance Program and the HITRUST CSF, a comprehensive security framework that incorporates the existing security requirements of healthcare organizations, HITRUST notes on its site.
"The HITRUST CSF Assurance Program includes the risk management oversight and assessment methodology governed by HITRUST and designed for the unique regulatory and business needs of various industries," HITRUST says on its website.
Anthem's resolution agreement with the Department of Health and Human Services announced last week notes that HHS' Office for Civil Rights' investigation into the mega-breach asserted that Anthem failed to implement some basic good security practices.
"This breach illustrates how hard cybersecurity is in our modern world."
—Mark Johnson, LBMC Information Security
For instance, OCR said the health plan failed to conduct an enterprisewide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyberattackers from accessing sensitive ePHI, beginning as early as Feb. 18, 2014. That's about five months after Anthem announced its HITRUST CSF certification.
"OCR's investigation also revealed that between Dec. 2, 2014, and Jan. 27, 2015, the cyberattackers stole the ePHI of almost 79 million individuals, including names, Social Security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information," OCR notes in its resolution agreement.
Anthem declined to comment to Information Security Media Group on its HITRUST CSF certification. It also declined to comment on an account shared with ISMG by someone "with deep knowledge" of a meeting that took place in 2013 or 2014 between HITRUST leaders, former Wellpoint CISO Roy Mellinger - who at the time was a HITRUST board member - and several OCR officials.
During the meeting in Washington, D.C., HITRUST leaders proposed to have OCR agree to deem the use of the HITRUST CSF by covered entities and business associates as evidence of being compliant with the HIPAA Security Rule, including in situations where OCR might be investigating a health data breach or other security incident, according to the source.
Ultimately, OCR rejected that HITRUST proposal, in part because HITRUST is a private entity, and also because OCR was supportive of the National Institute of Standards and Technology's cybersecurity framework, the source tells ISMG.
Without commenting specifically on HITRUST, an OCR spokeswoman tells ISMG: "OCR has meetings with many outside groups and stakeholders in order to stay informed on issues within the regulated community and develop future rulemaking and guidance."
Although OCR does not endorse credentialing or accreditation programs, some entities may find such programs useful in assessing their compliance with the HIPAA rules, she notes. "However, the use of these programs does not guarantee compliance with HIPAA, and entities using these products or services may still be subject to enforcement by OCR."
By its own description on its website, HITRUST says its CSF represents a mix of standards, including those from NIST.
CSF leverages "nationally and internationally accepted standards including ISO, NIST, PCI and HIPAA to ensure a comprehensive set of baseline security controls. The CSF normalizes these security requirements and provides clarity and consistency, reducing the burden of compliance with the varied requirements that apply to organizations."
On a frequently asked questions section on the HITRUST website, one question posted asks, "If I'm HITRUST CSF Certified, does that mean I'm HIPAA compliant?"
HITRUST's response on its website says, "In principle yes, but it is not black and white. To be HIPAA-compliant, an organization must conduct a risk analysis and implement a reasonable and appropriate set of information safeguards - a.k.a. information security controls - to provide for the adequate protection of electronic protected health information against all reasonably anticipated threats. In practice, organizations that want to demonstrate HIPAA compliance must generally show that it has addressed each standard and implementation specification in the Security Rule, including risk analysis. Organizations must therefore design or select multiple information security controls to provide the level of prescription necessary for implementation in the system or within the organization."
In reaction to an ISMG inquiry about the alleged meeting between HITRUST leaders and OCR to lobby the agency to deem CSF certification as evidence of compliance with the HIPAA Security Rule, Carl Anderson, HITRUST chief legal officer and senior vice president of government affairs says: "Since it was founded in 2007, HITRUST frequently meets with industry groups, Congressional leaders and government agencies, including the HHS OCR, to share insights and educate on the design of the HITRUST CSF and CSF Assurance programs and how adoption and implementation addresses information risks and compliance, including with the HIPAA privacy and security rules."
Anderson also tells ISMG: "The HITRUST CSF and CSF Assurance programs have been used successfully to demonstrate compliance with the HIPAA privacy and security rules by organizations as part of OCR investigations."
Mellinger - who is now CISO at Sabre Corp. - did not immediately respond to ISMG's request for comment on the meeting he allegedly attended between HITRUST and OCR.
As for Anthem's (Wellpoint's) HITRUST CSF certification prior to the company's massive cyberattack, Anderson contends: "In its 2015 breach, Anthem did not have a control failure within the scope of its HITRUST CSF Certification. A HITRUST CSF Certification is issued based on a defined scope, which can include a single system or multiple systems and associated infrastructure and processes that are documented in the certification report."
He also points out, however, that "it should be noted ... that no information security controls framework is capable of eliminating breaches entirely given the pace of emerging threats and sophistication of nation-state supported threat actors."
Lots of Leeway
Many security experts stress that even a good implementation of a security framework doesn't necessarily eliminate all risks because so many variables are involved.
"A tool, unfortunately, can only be as good as the people using it," says former healthcare CIO David Finn, an executive vice president at security consultancy CynergisTek.
"Without knowing what was actually done [at Anthem/Wellpoint], I will say that HITRUST is less a risk-based security framework than the NIST CSF, for example. HITRUST is more a collection of standards, regulations and pieces from other frameworks."
Achieving CSF certification "can also be rather expensive, so it has some inherent weaknesses," Finn says. "In some ways, because of the certification goal, there may be some 'assessing to the test' or checking to see that you are 'compliant with the HITRUST model' rather than a risk-based approach to assessing the current situation."
While no security framework is perfect, the NIST CSF "is the most flexible, the most up to date and built on best practice models across the entire range of threat vectors," Finn contends.
"It addresses everything from medical software to biomedical devices to third-party risk and governance of the risk management function. It is also free, so cost is not an issue for even small providers. It is our national standard and is the most broadly used security framework in healthcare," Finn says.
"As our points of connection across sectors continue to expand, the NIST CSF will allow healthcare to more easily assess another groups' cyber readiness. It will allow for more effective sharing of security status and information. And as we become more global, the NIST CSF is being widely adopted by governments beyond the U.S."
Other IT related frameworks, including the Information Technology Infrastructure Library - or ITIL, and Control Objectives for Information and Related Technology - or COBIT, "are a little more focused and tend to look at building metrics to drive improvement and are generally free to members or relatively inexpensive," Finn adds. "They are not 'standards' but do reflect business approaches to security and security risk."
As for Anthem suffering the massive cyberattack despite having achieved HITRUST CSF certification months earlier, Johnson, the consultant with LBMC, says: "I also don't think it implies anything about the HITRUST CSF. Rather, this breach illustrates how hard cybersecurity is in our modern world. While the HITRUST CSF is detailed, how you meet the controls objectives and how they are implemented can produce variations that may introduce risk. You can't produce the perfect framework that if perfectly implemented says, 'OK, we're safe now; nothing can happen to us.'"
Furthermore, Johnson notes that news reports that China is suspected in the attack against Anthem further complicate the challenges faced by the health insurer, regardless of the security framework used.
"I would say it's next to impossible for any company to be 100 percent resistant to that kind of attacker. A national level attacker has the time, resources and capabilities to draw upon to defeat the most robust defenses."