When Anthem became the latest high-profile hack victim to grace headlines last week, it would be impossible not to wonder what would happen at your own organization should a similar breach occur. There are two key lessons that IT can take away from the Anthem breach.
The first is to remember that the business decisions you're making today about whether or not to encrypt data can have significant and oftentimes unintended consequences. The second is to ask yourself whether you and other decision-makers in your organization truly understand the value of your data. While those working in retail and financial services have long been on the front lines of the cyber security wars, the breach of medical information is a wake-up call to the fact that other types of data are also valuable to criminals. It's time to audit the data you have on your customers (and your employees), examine who in your organization has access to that data, and consider whether the things you consider to be low-risk might, in fact, be coveted by hackers.
All of Anthem's business units were affected by the data breach, which may have been going on for longer than 10 months. The number of people whose data have been compromised has not yet been determined, but experts estimate the figure to be well into the tens of millions -- a number that includes not only customers, but also Anthem employees.
On February 4, Anthem -- one of the nation's largest health insurers, formerly known as Wellpoint -- reported that attackers obtained the names, dates of birth, Social Security numbers, medical identification numbers, street addresses, email addresses, income data, employment information, and other personal information of current and former members.
The data was unencrypted. The import of this fact has sparked debate. Apologists note that:
- In this particular circumstance, Anthem's decision not to encrypt the affected data might not have been a HIPAA violation; and
- Encrypting the data would not have protected Anthem from this attack anyway (and thus would not have triggered a "safe harbor" that would mitigate Anthem's duty to notify its customers).
The public and the pundits alike are fuming regardless -- and, to be fair, it makes sense for them to do so. If you don't encrypt your data, that represents a symptom of other substandard security practices and a substandard security culture. (Maybe the person making your Big Mac actually has clean hands, but you'd still want to see McDonald's food preppers utilizing protective gloves properly.) Any CIO should expect customers to balk in such a situation. Encryption is important. Period.
Alas, many healthcare companies lag far behind other industries in taking proper data security measures in general (like -- ahem -- encryption). This is despite the fact that medical credentials can be worth many times more on the black market than credit card numbers. Little wonder, then, that healthcare organizations are highly desirable targets for hackers these days.
Identify your most vulnerable data
Credit card information and medical histories reportedly were untouched in the Anthem breach -- or so it appears from the investigation so far. Nevertheless, despite the lack of direct financial data compromised, millions of consumers -- and possibly their employers -- may be financially vulnerable. On top of the Anthem-related phishing attacks consumers are already facing, experts familiar with the Anthem investigation warn that data gleaned from hacks such as these could be used to blackmail high-profile individuals into compromising proprietary data and national security secrets.
Put another way: The bad guys don't have to hack your secure systems; they just have to hack your EVP's email account or your IT administrator's health records.
Indeed, among its millions of victims, the Anthem hack netted data belonging to VIPs -- including President Obama's chief cyber security advisor, Michael Daniel (perhaps helping to account for why Anthem, unlike many other compromised companies, reported the breach to the public long before it was legally obligated to do so). With Chinese state-sponsored hackers being suspected of perpetrating the Anthem hack, the idea of government officials' personal data being compromised is all the more disconcerting.
What, then, are feasible solutions for companies to undertake to protect themselves from compromised employees -- employees who may be incentivized to go rogue? "It's a tough question. We wrestle with it every day," says Alia Luria, a data privacy associate with Akerman LLP. "[An employee's] weakness is embarrassment and fear -- be it for their job, reputation, or family -- and that is pretty universal. … If the worries about criminal charges or the civil penalties of espionage aren't sufficient, companies may have to get creative." Still, there are at least a few ways to discourage employees from doing the wrong thing.
"You can't force [employees] to enable two-factor on their personal accounts, but there [are] other ways to incentivize," avers Luria, recommending gamification incentives, cash, and other perks for employees who complete security training, use approved technologies and employer-issued devices that the company can more easily regulate, and even come forward and report an incident if their personal data is compromised and/or held hostage.
There are also prophylactic measures enterprises can take to prevent insider access from ever becoming compromised.
"Part of it has to do with proper segregation of information. You don't grant access to sensitive information to people who don't need to know it. You disable access upon termination," Luria urges. She further recommends that multi-factor authentication always be employed -- so that even if an employee's credentials become compromised through extortion or otherwise, they're not enough without the additional factor of a security token-generated single-use code, a biometric scan, or something else.
"Those standard measures can cut down how easy it is to exploit individuals," says Luria.
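One way to turn the three controls Luria describes (revoke access on termination, grant access only on a need-to-know basis, require a second factor) into a recurring access review, as an added example that is not from the article or from Anthem; the roster, dataset classifications and grants are constructed sample data.

```python
"""Access-review check for sensitive datasets.
All data below is constructed sample input, not real records."""

# Constructed HR roster: 'active' is employment status, 'mfa' is
# whether the account is enrolled in multi-factor authentication.
ROSTER = {
    "alice": {"role": "claims",    "active": True,  "mfa": True},
    "bob":   {"role": "it-admin",  "active": True,  "mfa": False},
    "carol": {"role": "marketing", "active": True,  "mfa": True},
    "dave":  {"role": "claims",    "active": False, "mfa": True},  # terminated
}

# Constructed classification: which roles have a need to know each dataset.
NEED_TO_KNOW = {
    "member_pii":      {"claims"},     # names, SSNs, DOBs, addresses
    "member_medical":  {"claims"},
    "marketing_lists": {"marketing"},
}

# Constructed list of current access grants (user, dataset).
GRANTS = [
    ("alice", "member_pii"),
    ("bob",   "member_pii"),        # admin with standing access he does not need
    ("carol", "member_pii"),        # role has no need to know
    ("dave",  "member_pii"),        # terminated, access never revoked
    ("carol", "marketing_lists"),
]

def review_access(roster, need_to_know, grants):
    """Return (user, dataset, finding) for every grant that violates one of
    the three controls: revoke on termination, least privilege, MFA."""
    findings = []
    for user, dataset in grants:
        person = roster.get(user)
        # Terminated or unknown users: the grant should simply be revoked.
        if person is None or not person["active"]:
            findings.append((user, dataset, "revoke: user terminated or unknown"))
            continue
        # Need-to-know: the user's role must be cleared for this dataset.
        if person["role"] not in need_to_know.get(dataset, set()):
            findings.append((user, dataset, "least-privilege: role has no need to know"))
        # Second factor: a password alone is not enough for sensitive data.
        if not person["mfa"]:
            findings.append((user, dataset, "mfa: sensitive access without second factor"))
    return findings

if __name__ == "__main__":
    for finding in review_access(ROSTER, NEED_TO_KNOW, GRANTS):
        print(finding)
```

In practice the roster comes from the HR system and the grants from the directory or database ACLs, and the review runs on a schedule so a missed deprovisioning surfaces within days rather than months.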
What are your biggest concerns in the wake of the Anthem breach? Are there IT, business, or security practices that you're re-evaluating in your organization? Tell us about it in the comments section below.