Back when they were new on the scene, HIPAA’s privacy and security rules didn’t get much respect. Beginning with the privacy rule’s introduction in 2003, the Office of Civil Rights received thousands of complaints and investigated thousands of infractions each year, but took little or no corrective action. In fact, the OCR didn’t issue a single fine for a HIPAA privacy or security rule violation between 2003 and 2008.
It’s easy to understand how HIPAA got a reputation as a toothless mandate, but things have changed over the last ten years. If anyone needed a reminder of the fact, the OCR delivered one this week with its $16 million fine for the Anthem data breach. The penalty is nearly triple the previous record for a HIPAA fine, and sends a clear message that organizations can expect to pay a heavy toll for neglecting their data protection obligations.
The Anthem fine goes back to a massive breach in late 2014 and early 2015, when unknown attackers (probably working on behalf of a foreign government) stole personal information on more than 79 million people. The OCR penalty certainly isn’t the only cost Anthem has incurred—they’ve already paid at least $115 million to settle lawsuits from people affected by the breach. The company also spent more than $100 million on security enhancements, plus millions more on post-breach communications and consulting.
It’s been nearly four years since the Anthem breach began. Over the intervening years, cyber attacks have continued to grow more sophisticated, more widespread, and harder to predict. Organizations that fail to respond to those threats today will be the ones paying multi-million-dollar penalties tomorrow.
And what is the appropriate response? It begins with acknowledging that breaches are inevitable, no matter how much you spend on perimeter protection. Anthem unwittingly proved this point last year, when it disclosed another data breach, this time caused by a malicious insider who had been sending files filled with sensitive information to a personal email account.
Data-centric security—a strategy that focuses on protecting data itself, rather than networks or devices—is the key to keeping sensitive information safe from theft or misuse. Data-centric measures like persistent encryption travel with data no matter where it’s saved or shared, making it impossible for thieves to access or exploit the files they’ve stolen. When implemented properly, this technology allows organizations to revoke access to encrypted files at any time, even after the files have traveled outside the company network.
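As an added illustration (not the post's or PK Encryption's own code), the following toy Python model shows the revocation property described above: each file is encrypted under its own data key, the file carries only the key's ID, and a hypothetical key server decides whether to release that key, so revoking it at the server locks every copy of the file wherever it has been shared. The key server, the principal names and the HMAC-based keystream are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Toy model of persistent encryption: the file carries only a key ID; the key
# server holds the data-encryption key (DEK) and the access policy, so revoking
# the key at the server revokes every copy of the file, wherever it travelled.
# Keystream is HMAC-SHA256 in counter mode purely for illustration; a real
# product would use AES-GCM or ChaCha20-Poly1305 from a vetted library.
class KeyServer:
    """Hypothetical stand-in for a key-management service."""
    def __init__(self):
        self._keys = {}  # key_id -> {"dek", "allowed", "revoked"}
    def create_key(self, allowed):
        key_id = secrets.token_hex(8)
        self._keys[key_id] = {"dek": secrets.token_bytes(32),
                              "allowed": set(allowed), "revoked": False}
        return key_id, self._keys[key_id]["dek"]
    def fetch_key(self, key_id, principal):
        rec = self._keys.get(key_id)
        if rec is None or rec["revoked"] or principal not in rec["allowed"]:
            raise PermissionError(f"{principal} may not open key {key_id}")
        return rec["dek"]
    def revoke(self, key_id):
        self._keys[key_id]["revoked"] = True

def _keystream(dek, nonce, length):
    blocks = [hmac.new(dek, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32))]  # ceil(length / 32) blocks
    return b"".join(blocks)[:length]

def protect(server, plaintext, allowed):
    """Encrypt into a self-describing envelope readable by `allowed` principals."""
    key_id, dek = server.create_key(allowed)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(dek, nonce, len(plaintext))))
    tag = hmac.new(dek, key_id.encode() + nonce + ct, hashlib.sha256).digest()
    return {"key_id": key_id, "nonce": nonce, "ct": ct, "tag": tag}

def open_envelope(server, env, principal):
    dek = server.fetch_key(env["key_id"], principal)  # PermissionError if denied/revoked
    expected = hmac.new(dek, env["key_id"].encode() + env["nonce"] + env["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, env["tag"]):
        raise ValueError("envelope was tampered with")
    return bytes(c ^ k for c, k in zip(env["ct"], _keystream(dek, env["nonce"], len(env["ct"]))))

def can_open(server, env, principal):
    try:  # True only while `principal` can currently recover the plaintext
        return open_envelope(server, env, principal) is not None
    except (PermissionError, ValueError):
        return False
```

A stolen copy of the envelope is useless without the key server's cooperation, and the same call that denies an outsider denies a formerly authorized user once the key is revoked.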
Find out how PK Encryption can help with HIPAA compliance. Request a free demo now.