Health insurer Anthem announced in September 2013 that it had been certified as compliant with the HITRUST Common Security Framework. Then it revealed in February 2015 that it had fallen victim to a breach that exposed data on nearly 79 million individuals. And in a report released last week, federal regulators said the cyberattackers likely began their intrusions in February 2014, about five months after the insurer achieved HITRUST certification.
Now that the insurer has agreed to a record $16 million HIPAA settlement with federal regulators, who spelled out in detail the company's security shortcomings, including the lack of a risk assessment, it's worth scrutinizing the value of adopting a security framework.
Read David Finn's comments here.