Anthem Hack: Lessons For IT Leaders - InformationWeek

Anthem Hack: Lessons For IT Leaders
jastroff
User Rank: Ninja
2/12/2015 | 4:56:40 PM
Anthem Hack
@joe -- great article - covers all the bases so well.

>> What, then, are feasible solutions for companies to undertake to protect themselves from compromised employees -- employees who may be incentivized to go rogue?

Or employees who may be blackmailed because of the information, no? It seems that this attack was looking for people to exploit politically, etc. 

Joe Stanganelli
User Rank: Author
2/12/2015 | 10:02:48 PM
Re: Anthem Hack
@jastroff: Not necessarily -- although certainly a distinct possibility that one must keep in mind, particularly when thinking about one's own organization.  Many healthcare companies, of course, are highly desired targets right now for the reasons I mentioned.  It's a lot easier to cancel a credit card than it is to protect your EMRs.

SaneIT
User Rank: Ninja
2/13/2015 | 8:16:55 AM
Re: Anthem Hack
In cases like this, if the goal is blackmail, then it's usually pointed at the target, not the employees, patients, etc. Blackmailing thousands of people for some smaller payoff isn't worth the effort or risk, since the more communication you have with victims the more likely you are to give up information that will lead to you being caught. The data theft is usually intended for simpler crimes like credit card fraud on a large scale that can go unnoticed for a period of time under the radar. Drawing attention to themselves is not in the best interest of hackers breaking into these systems.

StaceyE
User Rank: Ninja
2/27/2015 | 2:12:18 PM
Re: Anthem Hack
Very good point. I think you are absolutely right. The less attention you get, the more apt you are to get away with the crime.

SaneIT
User Rank: Ninja
3/2/2015 | 8:03:37 AM
Re: Anthem Hack
@StaceyE, a lot of professionals miss this point. They assume that they'll never get hacked, or if it does happen that they'll notice right away and be able to shut the attack down quickly. What we're seeing in the past 5 years or so are really slow leaks that go unnoticed for months if not years, because thieves are not after a one-time win. They know that small transactions get lost in the noise, and they are happy to have many small wins over one gigantic win that gets them shut down quickly. We're crossing a threshold with cyber security now where we need to get our act together; most of the companies who have lost massive amounts of data have more people guarding their offices from people trying to steal paper and staplers than they have guarding their customer data.

StaceyE
User Rank: Ninja
3/24/2015 | 1:16:57 PM
Re: Anthem Hack
@SaneIT

Very true. Then you have employees that don't follow protocols and put information at even greater risk. (Like someone we all know of that chose to employ her own server and email account while working for the state department...no names mentioned of course....)

anon6262781453
User Rank: Apprentice
2/13/2015 | 7:28:21 AM
McGladrey and Data breach advice
Interesting information. IT departments should give more importance to preventing external threats which can affect the IT systems of an organization. Companies should adopt new technology to improve customer experience and take adequate measures to ensure they have a secure and protected system. I work for McGladrey and there is an infographic on our website: bit.ly/mcgldrydatabreach

Gigi3
User Rank: Ninja
2/16/2015 | 7:05:15 AM
Re: McGladrey and Data breach advice
"Interesting information. IT departments should give more importance to preventing external threats which can affect the IT systems of an organization. Companies should adopt new technology to improve customer experience and take adequate measures to ensure they have a secure and protected system."

Anon, you are right. Data threats and security are major issues online, especially with networked devices. Just how safe your system/data is remains a big question, and companies are spending millions of dollars every year to safeguard their information and stay hack-free.

SachinEE
User Rank: Ninja
2/23/2015 | 12:29:39 PM
Re: McGladrey and Data breach advice
@gigi3: but is that enough? I know many businesses are moving to the cloud and the cloud security measures are being undertaken by third parties. Is it a very secure method to ask a third party to develop security systems for us when we are exposing entire databases to these parties for them to secure with their software?

Gigi3
User Rank: Ninja
2/24/2015 | 4:32:14 AM
Re: McGladrey and Data breach advice
"but is that enough? I know many businesses are moving to the cloud and the cloud security measures are being undertaken by third parties. Is it a very secure method to ask a third party to develop security systems for us when we are exposing entire databases to these parties for them to secure with their software?"

SachinEE, I know there are many risks in outsourcing the security part to third-party vendors. Sometimes these people themselves can act as a security threat!! We have similar issues with defense systems, where the outsourced agency itself tried to spy on the information for its own business stake.

SunitaT0
User Rank: Ninja
2/25/2015 | 1:34:39 PM
Re: McGladrey and Data breach advice
@gigi3: So what is the middle ground? We cannot have other parties trying to spy on the data we have trusted them with. How do we know that the third party is trusted?

Gigi3
User Rank: Ninja
3/3/2015 | 4:22:22 AM
Re: McGladrey and Data breach advice
"So what is the middle ground? We cannot have other parties trying to spy on the data we have trusted them with. How do we know that the third party is trusted?"

Sunita, certified by trusted agencies with certifications or accreditations.

SachinEE
User Rank: Ninja
2/23/2015 | 12:41:57 PM
Re: McGladrey and Data breach advice
"Interesting information. IT departments should give more importance to preventing external threats which can affect the IT systems of an organization."

@Anon: The most interesting thing is that the security breaches (about more than 40% of them) occur due to internal exposures. IT companies need to screen their employees because that is where most people fail and security breaches are carried out.

SunitaT0
User Rank: Ninja
2/25/2015 | 1:43:42 PM
Re: McGladrey and Data breach advice
@anon: I agree. IT departments are already looking into newer types of security. A lot of companies have adopted homomorphic encryption and biometrics as explained by one of the articles on this website.

StaceyE
User Rank: Ninja
2/27/2015 | 2:18:08 PM
Re: McGladrey and Data breach advice
I agree with you completely. Security of data must be number one, and every possible step must be taken to avoid an external data breach. This is why security has to be an ongoing process with every company. System security must constantly evolve to keep up with the latest technology, and the latest threats.

My doctor's office refuses to use any type of technology for its patient information. The computers in their office are used to schedule appointments and keep patients' contact information. I talked to my doctor about why they haven't adopted some type of CRM system for all their patient records and he said it is simply because they are afraid of a data breach. They would rather keep doing what they have been doing for decades (paper files) than risk losing patient data.

zerox203
User Rank: Ninja
2/14/2015 | 10:47:27 PM
Anthem Hack: Lessons For IT Leaders
This is actually the first time I'm hearing about this. No surprise that it's headline news, considering who's involved, but it's much appreciated to have a more sober take that covers all the bases rather than the overly sensationalized versions that are likely to pop up most places. As the linked article in defense of non-encryption points out, the public doesn't really understand encryption (in fact, even many seasoned IT pros really don't), but it sounds good to say someone dropped the ball by not doing it. I'm the first one to question whether we really need comprehensive security measures on every piece of data at every company - that said, I'll always temper that point by saying something like 'unless you're in a highly sensitive field'. Healthcare is certainly on that list of sensitive fields.

That said, the smart money knows that IT security is a war of mitigation, not prevention. A breach is going to happen to everyone sometime, no matter how thorough your protection is. It's how you deal with the fallout, how quick your recovery is, and how you prepare for next time that count. Again, in this regard, Anthem earns some points. It looks like they're already offering customers free support for potential financial issues, and as you point out, they notified the FBI immediately. Still, the full extent of their future plans remains to be seen, and who knows how much of that trust they'll be able to regain. I don't know whether the multitude of recent breaches should be a wakeup call that we need stricter regulations, a wakeup call that these breaches are a fact of life, or both.

SaneIT
User Rank: Ninja
2/16/2015 | 8:08:25 AM
Re: Anthem Hack: Lessons For IT Leaders
"I'm the first one to question whether we really need comprehensive security measures on every piece of data at every company"

@zerox203, I think this becomes truer IF the company is careful about how they are designing systems, how and where the data is stored, as well as what is publicly visible. We've had a mentality of giving as much data as possible to everyone, even in very public applications. I think that in addition to encryption and increased network border protection we're going to start seeing data split into chunks that will avoid catastrophic damage if one part of it is leaked without the others.

yalanand
User Rank: Ninja
2/22/2015 | 2:16:25 PM
Re: Anthem Hack: Lessons For IT Leaders
"@zerox203, I think this becomes truer IF the company is careful about how they are designing systems, how and where the data is stored, as well as what is publicly visible. We've had a mentality of giving as much data as possible to everyone, even in very public applications. I think that in addition to encryption and increased network border protection we're going to start seeing data split into chunks that will avoid catastrophic damage if one part of it is leaked without the others."

That is not so simple. Making new gates means deciding who gets to see/use what, and for that we need different sets of keys to be managed. Don't make gates, make better locks instead.

SunitaT0
User Rank: Ninja
2/25/2015 | 1:22:36 PM
Re: Anthem Hack: Lessons For IT Leaders
@Yalanand: I agree with you. However, if we factor in some of the shortcomings of making better locks (things like information leaking about the types of security you are using), then you would see having multiple locks would be a better option, as breaking each of them would take time. I have learnt that IT security is about building weaker but huge amounts of walls that slow down the attack, rather than stop it entirely.

SachinEE
User Rank: Ninja
2/23/2015 | 12:27:53 PM
Re: Anthem Hack: Lessons For IT Leaders
@saneIT: I know about the different chunks of data having different kinds of encryption, but trust me, allowing users to have much visibility was never the right option for any developer, because that raises a lot of questions and criticisms, and not just that, it opens up the data insecurities and also endangers the user data.

SaneIT
User Rank: Ninja
2/24/2015 | 8:03:48 AM
Re: Anthem Hack: Lessons For IT Leaders
@SachinEE, I understand. We've done a lot of enabling in the name of giving the end user as much data as we can, but I also think that the amount of data being made available is one of the reasons people actually use the software. People don't like being locked down and denied access to things that should be simple for them to have; they don't consider the security issues of making data easily accessible, but that doesn't mean that denying them that access is good for the software developers. If you have a perfectly secure product but no one is using it because they feel alienated, you're not going to be in business long. There has to be a balance, and developers need to find that balance.

SunitaT0
User Rank: Ninja
2/25/2015 | 1:31:19 PM
Re: Anthem Hack: Lessons For IT Leaders
@saneIT: Developers have had a lot of trouble in keeping up with what the management/marketing people promise and what they deliver. Developers have never on one occasion tried to come up with something that clearly has problems. They always want the most secure form of software usage; however, they are blown away by the standards that marketing people have set for the software, and this mismatch creates all the problems for the software security.

SaneIT
User Rank: Ninja
2/26/2015 | 8:03:12 AM
Re: Anthem Hack: Lessons For IT Leaders
@SunitaT0

I'm not at all blaming developers or programmers, and I do understand that they aren't the ones making the feature requests. My point is that access to any and all data has become the standard. Not only do people want their data, they want it presented in multiple ways, exportable and easy to manipulate. What I'm saying here is that without giving customers what they want you won't have much of a business. Finding the balance between keeping customers happy and keeping them protected is a tough one. Make them jump through too many hoops and you'll lose them; hide their data from them and you'll lose them; get hacked and leak their data and you'll lose them after they blast your company on social media for a week or two.

SunitaT0
User Rank: Ninja
2/25/2015 | 1:25:15 PM
Re: Anthem Hack: Lessons For IT Leaders
@sachinEE: Data vulnerabilities will always be there, and we cannot ensure proper protection for the end user. What we can do, though, is facilitate alms to them in an event where such an attack occurs and people are affected.

Sacalpha1
User Rank: Moderator
2/17/2015 | 3:39:48 PM
Anthem Should Be Punished for Breach
Note that my comments are all focused on Anthem consumer data and not employee data. First, it is ridiculous that Anthem is storing social security numbers of consumers/insured. HIPAA has required a non-SSN-based identifier for almost 10 years now, and SSN is not required for any other valid insurance business purpose. Adding on top of this that the consumer/insured data was stored in an unencrypted format makes this pure negligence. Also note these are the same bozos that had their insurance applicant system hacked about 3 years ago. You'd think they would learn.

Until there is some consequence for companies, they will not change their behavior. And there is no real consequence for Anthem. They are in a fairly protected business with minimal customer turnover. What are people going to do....stop their insurance? And the complexity of corporate negotiation around benefits administration means few companies will take any action to change insurance administrators.

I am not a fan of big government, but this is one time I think the government should go after Anthem with both barrels, especially considering this is the second major incident in a relatively short period of time. Anthem should be forced to pay $10s of millions in fines to the government, punitive monetary damages to every insured, and criminal negligence charges should be filed for storing unneeded SSN data (in violation of HIPAA) in an unencrypted format.

This kind of significant penalty is the only thing that will cause companies to change the way they behave. Most companies like to make you think they care in their marketing and branding, but as a matter of fact their business processes say they don't care. It's time for the public to stop accepting this kind of corporate behavior.

SachinEE
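Two points in this thread, SaneIT's suggestion of splitting data into chunks so that leaking one part without the others is not catastrophic, and Sacalpha1's complaint about a raw SSN sitting in the member table, are both addressed by the same defensive pattern: tokenization. The main table keeps only a random token; the SSN itself lives in a separately secured vault with its own key and access controls, so a dump of the member table on its own exposes no SSNs. The Python below is an added example written for this page, not code from InformationWeek, Anthem or any commenter. The `TokenVault` class, the HMAC "blind index" used to find an existing token without keeping a plaintext lookup keyed by SSN, and every record and key in it are constructed for illustration (the 000-xx-xxxx SSNs are from a range that is never issued).

```python
"""Tokenizing an SSN so the main record store never holds it in the clear.

Added example (not code from InformationWeek, Anthem or any commenter).
All names, keys and records are constructed for illustration.
"""
import hashlib
import hmac
import re
import secrets

# Constructed sample records. 000-xx-xxxx SSNs are never issued, so they
# cannot belong to a real person.
SAMPLE_MEMBERS = [
    {"member_id": "M-1001", "name": "Alice Example", "ssn": "000-11-0001", "plan": "PPO"},
    {"member_id": "M-1002", "name": "Bob Example", "ssn": "000-22-0002", "plan": "HMO"},
    {"member_id": "M-1003", "name": "Carol Example", "ssn": "000-33-0003", "plan": "HMO"},
]

SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


class TokenVault:
    """Maps random tokens to SSNs (hypothetical class).

    Conceptually this lives in a separately secured store with its own key
    and access controls; the main member table only ever sees tokens. The
    HMAC blind index lets the vault find an existing token for an SSN
    without keeping a plaintext lookup table keyed by SSN.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key      # separate from any table-encryption key
        self._ssn_by_token = {}
        self._token_by_index = {}

    def _blind_index(self, ssn: str) -> str:
        return hmac.new(self._index_key, ssn.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, ssn: str) -> str:
        """Return the token for an SSN, creating one the first time it is seen."""
        idx = self._blind_index(ssn)
        token = self._token_by_index.get(idx)
        if token is None:
            # Random token: reveals nothing about the SSN, unlike a hash of it.
            token = "tok_" + secrets.token_hex(8)
            self._ssn_by_token[token] = ssn
            self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Privileged operation: recover the SSN behind a token."""
        return self._ssn_by_token[token]

    def lookup_token(self, ssn: str):
        """Find the token for an SSN (or None) without scanning plaintext SSNs."""
        return self._token_by_index.get(self._blind_index(ssn))


def split_records(members, vault: TokenVault):
    """Return a copy of the member table with each SSN replaced by a token."""
    stored = []
    for member in members:
        row = dict(member)                       # leave the input untouched
        row["ssn_token"] = vault.tokenize(row.pop("ssn"))
        stored.append(row)
    return stored


def leaks_ssn(rows) -> bool:
    """True if any value in a table dump looks like an SSN (NNN-NN-NNNN)."""
    return any(SSN_PATTERN.search(str(value)) for row in rows for value in row.values())


if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32))   # constructed key
    table = split_records(SAMPLE_MEMBERS, vault)
    print("raw table leaks SSNs:", leaks_ssn(SAMPLE_MEMBERS))
    print("tokenized table leaks SSNs:", leaks_ssn(table))
    for row in table:
        print(row)
```

The design choice worth noting is that the token is random rather than a hash of the SSN: a bare hash of a nine-digit number can be reversed by brute force, whereas the token carries no information and the keyed blind index only works for whoever holds the vault's key. Detokenization is the one privileged operation, which is where logging and access control should concentrate.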
User Rank: Ninja
2/23/2015 | 12:25:43 PM
The difficulties of security
@yalanand: Different kinds of security measures lean on different preferences. You may think making a better lock is easy, but it is not, since the same kind of technology is available to the developer and the hacker, and of course there is the problem of whistleblowing in organizations; internal corruption has to be dealt with.