With the recent security breach at Anthem Health systems, what precautions as employers can we take to protect our employees' sensitive data?
Security Breach Anthem Health Systems
Answers
This topic needs to be addressed from multiple levels –
CIO – Ensure the systems of the organizations are aligned and contain the proper encryption. Information that enters the organization through external partners is scanned to ensure it is without malware and viruses.
COO – Ensure the proper policies and procedures are established. Conduct
But if you choose to do nothing, there can be penalties – “Further, a company engages in unfair acts or practices if its data security practices cause or are likely to cause substantial injury to clients that is neither reasonably avoidable by clients nor outweighed by countervailing benefits to clients or to competition. The Commission has settled more than 20 cases alleging that a company’s failure to reasonably safeguard consumer data was an unfair practice.” (Prepared Statement of the Federal Trade Commission on Protecting Personal Consumer Information from Cyber Attacks and Data Breaches before the Committee on Commerce, Science and Transportation, Washington DC, March 26, 2014)
I agree with Regis. Plus, if you follow new PCI Compliance 3.0 for accepting credit cards, and adopt many of those practices for employee records, it's a safe bet you'll harden security. One of the new components is 'monitoring'. So not only are there checklists, but someone has to sign off on them on a scheduled basis. There has to be accountability to someone who's verifying the steps are done.
Here are some examples that parallel PCI you can do right now:
Do you have an audit trail of who accessed employee records, when, and from where? Is that access limited by job role? Are strong passwords enforced and required to change every 30 days?
Microsoft issued critical security alerts this month, largely for Internet Explorer. Are all computers and laptops updated?
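An added example (not from the original thread) of what the audit-trail check above can look like in practice: a short Python script that reads constructed audit log lines for employee-record access and flags entries that fall outside a hypothetical role policy, the corporate network, or business hours, producing a list a named reviewer can sign off on.

```python
import re
from datetime import datetime

# Constructed audit log lines (not real data): who, when, from where, what
AUDIT_LOG = """\
2015-02-10T09:12:04 user=jsmith role=hr_benefits src=10.1.4.22 action=view record=emp/10482
2015-02-10T09:15:31 user=tlee role=sales src=10.1.9.8 action=view record=emp/10482
2015-02-10T22:47:10 user=mpatel role=hr_payroll src=203.0.113.45 action=export record=emp/*
2015-02-11T08:02:55 user=jsmith role=hr_benefits src=10.1.4.22 action=update record=emp/10533
"""

# Hypothetical role policy: which roles may perform which actions on employee records
ROLE_POLICY = {
    "hr_benefits": {"view", "update"},
    "hr_payroll": {"view", "update", "export"},
}
INTERNAL_NET = "10."           # assumed corporate address space prefix
BUSINESS_HOURS = range(7, 20)  # assumed 07:00-19:59 local time

LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) record=(?P<record>\S+)"
)

def review_audit_log(text):
    """Return (user, reason) findings for a scheduled access review to sign off on."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            findings.append(("?", f"unparseable line: {line}"))
            continue
        f = m.groupdict()
        # Role-based access: is this action permitted for the user's job role?
        if f["action"] not in ROLE_POLICY.get(f["role"], set()):
            findings.append((f["user"], f"role {f['role']} not permitted to {f['action']}"))
        # Where from: flag access originating outside the corporate network
        if not f["src"].startswith(INTERNAL_NET):
            findings.append((f["user"], f"access from outside corporate network ({f['src']})"))
        # When: flag access outside business hours
        if datetime.fromisoformat(f["ts"]).hour not in BUSINESS_HOURS:
            findings.append((f["user"], f"access outside business hours ({f['ts']})"))
        # Bulk reads of every record deserve a second look even when the role allows them
        if f["record"].endswith("*"):
            findings.append((f["user"], "bulk access to all employee records"))
    return findings
```

Each finding is a question for the reviewer, not a verdict; the point is that someone accountable sees the list on a schedule.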
Here's a side issue to the breach - when did Anthem Health know (and I'll be generous and peg this at >90% assiduity that they were hacked) and how long did it take for them to inform their clients/customers?
I'd wager it wasn't quick enough on any level.