Compliance Law Journal

actors). This standard requires procedures to “verify that a person or entity seeking access to [e-PHI] is the one claimed.” 65 Because cyber-attacks frequently involve criminals accessing data using the credentials of an employee, perhaps even a network administrator, a strict authentication protocol adds a valuable layer of security. Indeed, security experts believe the Anthem breach was caused by an employee being “duped by a fraudulent email—known as a spearphishing attack—into giving up a username and password for Anthem’s systems.” 66 With respect to the theft of data at rest on internal servers or hard drives, encryption—another effective “addressable” measure, discussed below—may be inadequate if cyber criminals possess the personal authentication information of the administrators authorized to decrypt stored data. 67 This problem is combatted with strong authentication safeguards. HHS’ guidance promotes (but does not require) the use of a “two-factor” authentication process; this includes ( 1) something a user knows (e.g., username and password) and ( 2) something the user has (e.g., a private key stored on a smart card). 68 An even more secure method is “three-factor” authentication, which includes the two elements above plus something the user is (e.g., a biometric feature like a fingerprint or retinal scan).

Like the authentication requirement, several of the “addressable” technology safeguards are also uniquely capable of protecting e-PHI from cyber-attacks. Within the standard calling for IT systems to allow access only to persons or software programs that have been granted access, there are two addressable implementation specifications that companies can adopt. First, under the “automatic logoff” specification, entities can implement “electronic procedures that terminate an electronic session after a predetermined time of inactivity.” 69 Second, under the “encryption and decryption” specification, entities can implement a “mechanism to encrypt and decrypt” e-PHI. 70 Encryption is defined by HHS as “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or

65. Id. § 164.312(d) (2013).

66. Paresh Dave, Anthem Cyberattack Reminiscent of Other Chinese Hacks, Expert Says, L. A. TIMES (Feb. 5, 2015), http://www.latimes.com/business/technology/la-fi-tn-anthem- cybersecurity-20150205-story.html.

67. Ken Westin, Encryption Wouldn’t Have Stopped Anthem’s Data Breach, MIT TECH. REV. (Feb. 10, 2015), http://www.technologyreview.com/view/535111/encryption-wouldnt- have-stopped-anthems-data-breach/ (explaining that encryption is ineffective if attackers can bypass data access security controls using administrator passwords).

68. See generally HIPAA Security Guidance, HHS.GOV, http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/remoteus e.pdf (last visited March 4, 2015).