Premera breach: Are HIPAA standards too low?

Here’s an interesting twist regarding the Premera data breach revealed last week: the company was deemed compliant with the Health Insurance Portability and Accountability Act (HIPAA) in late November 2014.

The general testing of its information systems and an application control audit were performed in January 2014 by the US Office of Personnel Management, an independent government agency that manages the civil service of the federal government, because Premera is a healthcare provider for government staff.

The audit found some problems:

  • The company lacked some physical security controls to prevent access to its data center
  • They had a patch management policy, but some patches were not being applied quickly enough
  • They had no methodology for preventing the use of unsupported or out-of-date software
  • A vulnerability scan found insecure server configurations
  • They had no documented baseline system software configurations, which prevented an effective audit of their security configuration settings
  • They did not perform a complete disaster recovery test for all information systems.

Despite all this, “Nothing came to our attention that caused us to believe that Premera is not in compliance with the HIPAA security, privacy, and national provider identifier regulations,” the report stated.

Now, some of these issues have been fixed since the preliminary report in April 2014, and there is currently no evidence that the attackers took advantage of any of them to breach the company in May 2014, according to a company spokesperson.

But, as Iain Thomson has pointed out, this could turn out to be proof that HIPAA standards are simply too low to provide security in the current threat landscape. Either that, or we’ll ultimately find out that the attackers did exploit one of the holes listed above.