Anthem Hack: Lessons For IT Leaders - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Comments
Anthem Hack: Lessons For IT Leaders
Oldest First  |  Newest First  |  Threaded View
Page 1 / 3   >   >>
jastroff
100%
0%
jastroff,
User Rank: Ninja
2/12/2015 | 4:56:40 PM
Anthem Hack
@joe -- great article - covers all the bases so well.

>> What, then, are feasible solutions for companies to undertake to protect themselves from compromised employees -- employees who may be incentivized to go rogue?

Or employees who may be blackmailed because of the information, no? It seems that this attack was looking for people to exploit politically, etc. 

 

 
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Author
2/12/2015 | 10:02:48 PM
Re: Anthem Hack
@jastroff: Not necessarily -- although certainly a distinct possibility that one must keep in mind, particularly when thinking about one's own organization.  Many healthcare companies, of course, are highly desired targets right now for the reasons I mentioned.  It's a lot easier to cancel a credit card than it is to protect your EMRs.
anon6262781453
100%
0%
anon6262781453,
User Rank: Apprentice
2/13/2015 | 7:28:21 AM
McGladrey and Data breach advice
Intresting information, IT departments should give more importance to prevent external threats which can affect IT systems of an organization. Companies should adopt new technology to improve customer experience and take adequate measures to ensure they have a secure and protected system. I work for McGladrey and there is an infograph in our website.  bit.ly/mcgldrydatabreach
SaneIT
100%
0%
SaneIT,
User Rank: Ninja
2/13/2015 | 8:16:55 AM
Re: Anthem Hack
In cases like this if the goal is blackmail then it's usually pointed at the target not the employees, patients, etc.  Blackmailing thousands of people for some smaller pay off isn't worth the effort or risk, since the more communication you have with victims the more likely you are to give up information that will lead to you being caught.  The data theft is usually intended for simpler crimes like credit card fraud on a large scale that can go unnoticed for a period of time under the radar.  Drawing attention to themselves is not in their best interest for hackers breaking into these systems.  
zerox203
100%
0%
zerox203,
User Rank: Ninja
2/14/2015 | 10:47:27 PM
Anthem Hack: Lessons For IT Leaders
This is actually the first time I'm hearing about this. No surprise that it's headlines news, considering who's involved, but it's much appreciated to have a more sober take that covers all the bases rather than the overly sationalized versions that are likely to pop up most places. As the linked article in defense of non-encryption points out, the public doesn't really understand encryption (in fact, even many seasoned IT pros really don't), but it sounds good to say someone dropped the ball by not doing it. I'm the first one to question whether we really need comprehensive security measures on every piece of data at every company - that said, I'll always temper that point by saying something like 'unless you're in a highly sensitive field'. Healthcare is certainly on that list of sensitive fields. 

That said, the smart money knows the IT security is a war of mitigation, not prevention. A breach is going to happen to everyone sometime, no matter how thorough your protection is. How you deal with the fallout, how quick your recovery is, and how you prepare for next time that count. Again, in this regard, Anthem earns some points. It looks like they're already offering customers free support for potential financial issues, and as you point out, they notified the FBI immediately. Still, the full extent of their future plans remains to be seen, and who knows how much of that trust they'll be able to regain. I don't know whether the multitude of recent breaches should be a wakeup call that we need stricter regulations, a wakeup call that these breaches are a fact of life, or both.
Gigi3
100%
0%
Gigi3,
User Rank: Ninja
2/16/2015 | 7:05:15 AM
Re: McGladrey and Data breach advice
"Intresting information, IT departments should give more importance to prevent external threats which can affect IT systems of an organization. Companies should adopt new technology to improve customer experience and take adequate measures to ensure they have a secure and protected system."

Anon, you are right. Data threat and security are a major issues with online, especially with networked devices. how far your system/data is safer is a big question and companies are spending millions of dollars every year to safe guard their information and hack free.
SaneIT
100%
0%
SaneIT,
User Rank: Ninja
2/16/2015 | 8:08:25 AM
Re: Anthem Hack: Lessons For IT Leaders
"I'm the first one to question whether we really need comprehensive security measures on every piece of data at every company"

@zerox203, I think this becomes truer IF, the company is careful about how they are designing systems, how and where the data is stored as well as what is publicly visible.  We've had a mentality of giving as much data as possible to everyone even in very public applications.  I think that in addition to encryption and increased network border protection we're going to start seeing data split into chunks that will avoid catastrophic damage if one part of it is leaked without the others.

 
Sacalpha1
50%
50%
Sacalpha1,
User Rank: Moderator
2/17/2015 | 3:39:48 PM
Anthem Should Be Punished for Breach
Note that my comments are all focused on Anthem consumer data and not employee data.  First, it is ridiculous that Anthem is storing social security numbers of consumers/insured.  HIPAA has required a non SSN based identifier for almost 10 years now and SSN is not required for any other valid insurance business purpose.  Add on top of this that the consumer/insured data was stored in an unencrypted format makes this pure negligence.  Also note these are the same bozos that had their insurance applicant system hacked about 3 years ago.  You'd think they would learn.

Until there is some consequence for companies, they will not change their behavior.  And there is no real consequence for Anthem.  They are in a fairly protected business with minimal customer turnover.  What are people going to do....stop their insurance?  And the complexity of corporate negotiation around benefits adminstration means few companes will take any action to change insurance adminstrators.

I am not a fan of big government, but this is one time I think the government should go after Anthem with both barrels, especially considering this is the second major incident in a relatively short period of time.  Anthem should be forced to pay $10s of millions in fines to the government, punitive monetary damages to every insured, and criminal negligence charges should be filed for storing unneeded SSN data (in violation of HIPPA) in an unencrypted format.

This kind of signifianct penalty is the only thing that will cause companies to change the way they behave.  Most companies like to make you think they care in their marketing and branding but in matter of fact their business processes say they don't care.  It's time for the public to stop accepting this kind of corporate behavior.
yalanand
50%
50%
yalanand,
User Rank: Ninja
2/22/2015 | 2:16:25 PM
Re: Anthem Hack: Lessons For IT Leaders
@zerox203, I think this becomes truer IF, the company is careful about how they are designing systems, how and where the data is stored as well as what is publicly visible.  We've had a mentality of giving as much data as possible to everyone even in very public applications.  I think that in addition to encryption and increased network border protection we're going to start seeing data split into chunks that will avoid catastrophic damage if one part of it is leaked without the others.


That is not so simple. Making new gates means deciding who gets to see/use what and for that we need different sets of keys to be managed. Don't make gates, make better locks instead.
SachinEE
50%
50%
SachinEE,
User Rank: Ninja
2/23/2015 | 12:25:43 PM
The difficulties of security
@yalanand: Different kinds of security measures lean of different preferences. You may think making a better lock is easy but it is not, since the same kind of technology is available to the developer and the hacker, and of course there is the problem of whistle blowing in organizations, internal corruption has to be dealt with.
Page 1 / 3   >   >>


State of the Cloud
State of the Cloud
Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
Slideshows
IT Careers: 12 Job Skills in Demand for 2020
Cynthia Harvey, Freelance Journalist, InformationWeek,  10/1/2019
Commentary
Enterprise Guide to Multi-Cloud Adoption
Cathleen Gagne, Managing Editor, InformationWeek,  9/27/2019
Commentary
5 Ways CIOs Can Better Compete to Recruit Top Tech Talent
Guest Commentary, Guest Commentary,  10/2/2019
Register for InformationWeek Newsletters
Video
Current Issue
Data Science and AI in the Fast Lane
This IT Trend Report will help you gain insight into how quickly and dramatically data science is influencing how enterprises are managed and where they will derive business success. Read the report today!
White Papers
Slideshows
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll