actors). This standard requires procedures to “verify that a person or entity
seeking access to [e-PHI] is the one claimed.” 65 Because cyber-attacks
frequently involve criminals accessing data using the credentials of an
employee, perhaps even a network administrator, a strict authentication
protocol adds a valuable layer of security. Indeed, security experts believe
the Anthem breach was caused by an employee being “duped by a fraudulent
email—known as a spearphishing attack—into giving up a username and
password for Anthem’s systems.” 66 With respect to the theft of data at rest
on internal servers or hard drives, encryption—another effective
“addressable” measure, discussed below—may be inadequate if cyber
criminals possess the personal authentication information of the
administrators authorized to decrypt stored data. 67 This problem is combatted
with strong authentication safeguards. HHS’ guidance promotes (but does
not require) the use of a “two-factor” authentication process; this includes (1)
something a user knows (e.g., username and password) and (2) something the
user has (e.g., a private key stored on a smart card). 68 An even more secure
method is “three-factor” authentication, which includes the two elements
above plus something the user is (e.g., a biometric feature like a fingerprint
or retinal scan).
Like the authentication requirement, several of the “addressable”
technology safeguards are also uniquely capable of protecting e-PHI from
cyber-attacks. Within the standard calling for IT systems to allow access
only to persons or software programs that have been granted access, there are
two addressable implementation specifications that companies can adopt.
First, under the “automatic logoff” specification, entities can implement
“electronic procedures that terminate an electronic session after a
predetermined time of inactivity.” 69 Second, under the “encryption and
decryption” specification, entities can implement a “mechanism to encrypt
and decrypt” e-PHI. 70 Encryption is defined by HHS as “the use of an
algorithmic process to transform data into a form in which there is a low
probability of assigning meaning without use of a confidential process or
65. Id. § 164.312(d) (2013).
66. Paresh Dave, Anthem Cyberattack Reminiscent of Other Chinese Hacks, Expert Says,
L. A. TIMES (Feb. 5, 2015), http://www.latimes.com/business/technology/la-fi-tn-anthem-cybersecurity-20150205-story.html.
67. Ken Westin, Encryption Wouldn’t Have Stopped Anthem’s Data Breach, MIT TECH.
REV. (Feb. 10, 2015), http://www.technologyreview.com/view/535111/encryption-wouldnt-have-stopped-anthems-data-breach/ (explaining that encryption is ineffective if attackers can
bypass data access security controls using administrator passwords).
68. See generally HIPAA Security Guidance, HHS.GOV,
http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/remoteuse.pdf (last visited March 4, 2015).
69. 45 C.F.R. § 164.312(a)(2)(iii) (2013).
70. Id. § 164.312(a)(2)(iv) (2013).