Anthem Breach Learnings: HITRUST Certification Is Not A Replacement for An Enterprise Security Risk Analysis

The recent $16 million HIPAA settlement with Anthem, Inc. in the wake of the 2015 breach of nearly 79 million records, has been well publicized. In this case, the Office for Civil Rights (OCR) found that Anthem failed to take several basic security steps, including conducting a sufficient enterprise wide security risk assessment.

A recent article titled Did Anthem’s Security ‘Certification’ Have Value? by Marianne McGee, published on, pointed out that Anthem (at that point WellPoint) celebrated its HITRUST Common Security Framework Certification in 2013. McGee questioned the value of the HITRUST Certification, i.e., if HITRUST did not require that Anthem implement, as OCR described “the basics,” of a security risk analysis, how valuable is the HITRUST certification? The HITRUST Alliance quickly responded with a press release stating that the article was “inaccurate” and that the system that was breached was ‘not in scope.’ They further stated that “A HITRUST CSF Certification is issued based on a defined scope, which can include a single system or multiple systems and associated infrastructure and processes that are documented in the Certification Report.”

HITRUST Alliance’s defense could not be more ironic. It highlights one of the major limitations of its program – it does not require organizations to complete an OCR-Quality Risk Analysis® in order to receive its certificate. As OCR has repeatedly stated in guidance documents and at conferences, ALL information assets that create, maintain, receive, or transmit electronic protected health information must be in the scope of a Security Risk Analysis (see my recent blog post on this topic).

Too often, we have seen healthcare organizations invest in a HITRUST certification while neglecting to perform a comprehensive, by-the-book risk analysis. As the Anthem case demonstrates, a HITRUST Certification may be attractive as a marketing piece, but it may not be sufficient to secure your organization or to fully meet HIPAA compliance requirements. An enterprise risk analysis, however, when performed in accordance with OCR’s guidance, will enable you to evaluate cyber risks related to ALL of your information assets and provide you with a clear roadmap for securing your organization. While the HITRUST Common Security Framework provides a set of controls that can help improve an organization’s security posture, it is not a replacement for, or a priority over, an enterprise risk analysis.

At Clearwater, an OCR-quality, by-the-book risk analysis is the bedrock of our Enterprise Cyber Risk Management Solution. By enterprise, we mean an information-asset-based risk analysis that evaluates all ePHI assets, and the specific threats and vulnerabilities that apply to them, based on your organization’s unique profile. Some would say that is too difficult to do, but the fact is that with our solution it is straightforward.

Clearwater’s IRM|Analysis® Cyber Risk Management Software platform facilitates an enterprise risk analysis by enabling you to manage all information assets, their components, and their properties in a scalable SaaS application. IRM|Analysis includes pre-configured workflows and built-in algorithms that automatically display the applicable vulnerabilities and threats and help you identify which controls should be in place. The risk analysis is based on the specific attributes and characteristics of your organization and its systems, rather than on a “one-size-fits-all” approach. Furthermore, IRM|Analysis implements all nine requirements of a risk analysis as specified in the Guidance on Risk Analysis Requirements under the HIPAA Security Rule and adheres to NIST Special Publication 800-30, Guide for Conducting Risk Assessments.

It is notable that in cases where Clearwater has assisted with a risk analysis performed via IRM|Analysis, OCR has accepted the submission 100% of the time. Healthcare organizations throughout the country are adopting IRM|Analysis because it enables them to conduct a risk analysis faster, more cost-effectively, and in full accordance with OCR’s expectations.

Learn more about Clearwater Compliance and the Company’s innovative information risk management solutions for healthcare organizations.
