In the Wake of Significant Security Breaches, Expert Urges Proactive Approach to Identifying Compromised PHI in AIS Newsletter


A former chief technology officer for WebMD offers advice to health care organizations on how to identify data breaches early, in the April issue of Atlantic Information Services’s Report on Patient Privacy.

In the wake of massive data breaches at Premera Blue Cross and Anthem Inc., the onus is on HIPAA covered entities (CEs) to determine without delay whether their protected health information (PHI) has already been compromised, advises John Gomez, founder and CEO of the cybersecurity firm Sensato, Inc., and former chief technology officer of Allscripts Healthcare Solutions and WebMD, in the April issue of Atlantic Information Services, Inc.’s (AIS) Report on Patient Privacy. The two breaches together have affected more than 90 million individuals.

The two attacks share certain hallmarks, one of which is that the perpetrators entered the systems and lay in wait for a year or more before extracting any data, RPP reported. Attackers may breach systems in more than one way, including through phishing, which tricks unsuspecting users into entering their credentials into a look-alike website run by the attackers; phishing was used in both the Anthem and Premera attacks. Given how patient the attackers were, Gomez says, it is possible that other CEs are already compromised and just don’t know it yet.

All breaches provide an opportunity for soul-searching and “lessons learned” for HIPAA CEs and their business associates (BAs) to help them avoid a similar fate. The first things CEs and BAs should be doing, Gomez says, are penetration testing and vulnerability testing, to find out where the holes are. He also emphasizes that the “human element” in compliance should not be overlooked: the Anthem attack was discovered by a system administrator who realized that someone else was already logged in under his account. There are technological controls that can prevent, or at least track, such duplicate logins, he says.
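Gomez’s point about tracking duplicate logins can be turned into a simple detection rule. The following is an added example, not code from the article, from Sensato, or from any organization named here. It assumes a constructed one-line-per-event log format (timestamp, LOGIN or LOGOUT, user=, src=) and replays constructed sample events in which a second session is opened for an account from a different address while the first session is still open, then either records the overlap (track) or refuses the new session (prevent).

```python
"""Detect concurrent logins for one account from different sources.

Added illustration: this is not code from the article, from Sensato, or
from any of the organizations named; the log format and the sample events
below are constructed for the example.
"""
import re
from collections import defaultdict

# Constructed log format (assumption): ISO timestamp, event, key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>LOGIN|LOGOUT)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)

# Constructed sample events. The third line is a second login for jsmith
# from a new address while the first session is still open; the fifth line
# is the legitimate user logging back in while the intruder's session is open.
SAMPLE_LOG = """\
2015-03-01T08:00:00Z LOGIN user=jsmith src=10.1.4.22
2015-03-01T08:05:10Z LOGIN user=mlee src=10.1.4.30
2015-03-01T08:12:45Z LOGIN user=jsmith src=203.0.113.17
2015-03-01T08:30:00Z LOGOUT user=jsmith src=10.1.4.22
2015-03-01T08:45:00Z LOGIN user=jsmith src=10.1.4.22
2015-03-01T09:00:00Z LOGIN user=mlee src=10.1.4.30
"""


def parse_line(line):
    """Return (ts, event, user, src) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("event"), m.group("user"), m.group("src")


def find_concurrent_logins(log_text, deny=False):
    """Replay the log and flag logins that overlap an open session.

    Tracks the set of source addresses with an open session per user.
    A LOGIN for a user who already has an open session from a *different*
    source raises an alert. With deny=True the new session is refused
    (the "prevent" option); otherwise it is admitted but recorded (the
    "track" option). Returns (alerts, open_sessions).
    """
    open_sessions = defaultdict(set)   # user -> set of src with a live session
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue                     # ignore unparseable lines
        ts, event, user, src = parsed
        if event == "LOGOUT":
            open_sessions[user].discard(src)
            continue
        others = sorted(open_sessions[user] - {src})
        if others:
            alerts.append({
                "ts": ts, "user": user, "new_src": src,
                "existing_src": others,
                "action": "denied" if deny else "allowed",
            })
            if deny:
                continue                 # do not open the second session
        open_sessions[user].add(src)
    return alerts, {u: sorted(s) for u, s in open_sessions.items() if s}


if __name__ == "__main__":
    found, still_open = find_concurrent_logins(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']} {a['user']}: login from {a['new_src']} while "
              f"session(s) open from {', '.join(a['existing_src'])} ({a['action']})")
    print("open sessions:", still_open)
```

In track mode both the intruder’s second session and the legitimate user’s later re-login are flagged, which is the situation the Anthem administrator noticed by eye; in deny mode the overlapping session is refused instead. A real deployment would read the platform’s own authentication events (Windows logon and logoff events, Linux wtmp, VPN or directory logs) rather than this constructed format, and staff who legitimately work from several devices will generate benign alerts that need an allow-list or a review queue.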

Another essential, Gomez tells RPP, is “establishing a level of security and service quality” among the CEs’ and BAs’ vendors and subcontractors, and instituting steps that ensure security, even at the risk of upsetting users.

HIPAA officers also need to convince their boards of directors to approve the dollars when funds are needed for IT investments, he says, putting aside any fear of being the bearer of bad news.

Visit to read the article in its entirety.

About Report on Patient Privacy
Report on Patient Privacy is the health industry’s #1 source of timely news and business strategies for safeguarding patient privacy and data security. Published for hospitals and other providers, health plans and other HIPAA-covered entities and business associates, the 12-page newsletter focuses on privacy issues that can result in huge fines, penalties and public relations nightmares, including: security breach notification; business associate relations and agreements; and new federal privacy rules for marketing, fundraising, privacy notices, minimum necessary, patient rights and safeguarding privacy in EHRs. Visit for more information.

About Atlantic Information Services
Atlantic Information Services, Inc. (AIS) is a publishing and information company that has been serving the health care industry for more than 25 years. It develops highly targeted news, data and strategic information for managers in hospitals, health plans, medical group practices, pharmaceutical companies and other health care organizations. AIS products include print and electronic newsletters, websites, looseleafs, books, strategic reports, databases, webinars and conferences. Learn more at


Contact Author

Jill Brown, Executive Editor
Atlantic Information Services
+1 (202) 775-9008 Ext: 3058