Did BCBST get off easy? Well, they certainly did a good job of damage control. But in today’s environment, I doubt anyone could follow suit. BCBST very likely benefitted from HHS/OCR not being in position to immediately enforce the Breach Rule given that the HITECH Act itself has only just been enacted a few months prior to the breach. Now, some 2½ years later, they’ve had a chance to implement a stronger IT security program, including the encryption of its PHI data-at-rest, a step we at Redspin strongly advocate. Also, no cases of ID theft or fraud have come to light as a result of their breach.
At the end of the report, the authors suggest a new methodology for applying quantitative risk analysis to healthcare IT security called “PHIve.” Its end-goal is to enable an organization to calculate how much they should invest to reduce the risk of data breach.