Anthem Hack: Lessons For IT Leaders - InformationWeek
Commentary | 2/12/2015 12:06 PM | Joe Stanganelli

Anthem Hack: Lessons For IT Leaders

There are two key lessons that IT can learn from the Anthem breach.

When Anthem became the latest high-profile hack victim to grace headlines last week, it was impossible not to wonder what would happen at your own organization should a similar breach occur. There are two key lessons that IT can take away from the Anthem breach.

The first is to remember that the business decisions you're making today about whether or not to encrypt data can have significant and oftentimes unintended consequences. The second is to ask yourself whether you and other decision-makers in your organization truly understand the value of your data. While those working in retail and financial services have long been on the front lines of the cyber security wars, the breach of medical information is a wake-up call to the fact that other types of data are also valuable to criminals. It's time to audit the data you have on your customers (and your employees), examine who in your organization has access to that data, and consider whether the things you consider to be low-risk might, in fact, be coveted by hackers.

All of Anthem's business units were affected by the data breach, which may have been going on for longer than 10 months. The number of people whose data have been compromised has not yet been determined, but experts estimate the figure to be well into the tens of millions -- a number that includes not only customers, but also Anthem employees.

(Image source: Geralt via Pixabay.)

On February 4, Anthem -- one of the nation's largest health insurers, formerly known as Wellpoint -- reported that attackers obtained the names, dates of birth, Social Security numbers, medical identification numbers, street addresses, email addresses, income data, employment information, and other personal information of current and former members.

The data was unencrypted. The import of this fact has sparked debate. Apologists note that:

  • In this particular circumstance, Anthem's declination to encrypt the impacted data might not have been a HIPAA violation; and
  • Encrypting the data would not have protected Anthem from this attack anyway (and thus would not have triggered a "safe harbor" that would mitigate Anthem's duty to notify its customers).

The public and the pundits alike are fuming regardless -- and, to be fair, it makes sense for them to do so. If you don't encrypt your data, that represents a symptom of other substandard security practices and a substandard security culture. (Maybe the person making your Big Mac actually has clean hands, but you'd still want to see McDonald's food preppers utilizing protective gloves properly.) Any CIO should expect customers to balk in such a situation. Encryption is important. Period.

Alas, many healthcare companies lag far behind other industries in taking proper data security measures in general (like -- ahem -- encryption). This is despite the fact that medical credentials can be worth many times more on the black market than credit card numbers. Little wonder, then, that healthcare organizations are highly desirable targets for hackers these days.

Identify your most vulnerable data

Credit card information and medical histories reportedly were untouched in the Anthem breach -- or so it appears from the investigation so far. Nevertheless, despite the lack of direct financial data compromised, millions of consumers -- and possibly their employers -- may be financially vulnerable. On top of the Anthem-related phishing attacks consumers are already facing, experts familiar with the Anthem investigation warn that data gleaned from hacks such as these could be used to blackmail high-profile individuals into compromising proprietary data and national security secrets.

Put another way: The bad guys don't have to hack your secure systems; they just have to hack your EVP's email account or your IT administrator's health records.

Indeed, among its millions of victims, the Anthem hack netted data belonging to VIPs -- including President Obama's chief cyber security advisor, Michael Daniel (perhaps helping to account for why Anthem, unlike many other compromised companies, reported the breach to the public long before it was legally obligated to do so). With Chinese state-sponsored hackers being suspected of perpetrating the Anthem hack, the idea of government officials' personal data being compromised is all the more disconcerting.

What, then, are feasible solutions for companies to undertake to protect themselves from compromised employees -- employees who may be incentivized to go rogue? "It's a tough question. We wrestle with it every day," says Alia Luria, a data privacy associate with Akerman LLP. "[An employee's] weakness is embarrassment and fear -- be it for their job, reputation, or family -- and that is pretty universal. … If the worries about criminal charges or the civil penalties of espionage aren't sufficient, companies may have to get creative." Still, there are at least a few ways to discourage employees from doing the wrong thing.

"You can't force [employees] to enable two-factor on their personal accounts, but there [are] other ways to incentivize," avers Luria, recommending gamification incentives, cash, and other perks for employees who complete security training, use approved technologies and employer-issued devices that the company can more easily regulate, and even come forward and report an incident if their personal data is compromised and/or held hostage.

There are also prophylactic measures enterprises can take to prevent insider access from ever becoming compromised.

"Part of it has to do with proper segregation of information. You don't grant access to sensitive information to people who don't need to know it. You disable access upon termination," Luria urges. She further recommends that multi-factor authentication always be employed -- so that even if an employee's credentials become compromised through extortion or otherwise, they're not enough without the additional factor of a security token-generated single-use code, a biometric scan, or something else.

"Those standard measures can cut down how easy it is to exploit individuals," says Luria.
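The three measures above (grant access only to roles that need it, disable access on termination, and require a second factor for sensitive data) can be expressed as a single policy that is enforced when a request arrives and re-checked in a periodic access review. The following Python model is an added example written for this page, not Anthem's or Luria's code; the roles, data classifications, users and grants are all constructed.

```python
"""Need-to-know access checks and an access-review audit.

Added example (not from the article): models the measures the article
lists -- access only for roles that need it, revocation on termination,
and a second factor for sensitive data -- as one policy that is enforced
at request time and audited afterwards. All names, roles, classifications
and records below are constructed.
"""
from dataclasses import dataclass

# Data classifications, least to most sensitive.
PUBLIC, INTERNAL, SENSITIVE = "public", "internal", "sensitive"

# Need-to-know policy (constructed): which classifications each role
# legitimately needs. SENSITIVE is never granted by default.
ROLE_NEEDS = {
    "claims_processor": {PUBLIC, INTERNAL, SENSITIVE},
    "marketing": {PUBLIC, INTERNAL},
    "helpdesk": {PUBLIC, INTERNAL},
}


@dataclass
class User:
    name: str
    role: str
    active: bool = True        # False once HR records a termination
    mfa_enrolled: bool = False


@dataclass
class Resource:
    name: str
    classification: str
    fields: tuple = ()         # e.g. ("ssn", "medical_id")


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(user, resource, mfa_verified=False):
    """Request-time check: account status, then need-to-know, then MFA."""
    if not user.active:
        return Decision(False, "account disabled")
    if resource.classification not in ROLE_NEEDS.get(user.role, set()):
        return Decision(False, f"role {user.role!r} has no need for "
                               f"{resource.classification} data")
    if resource.classification == SENSITIVE and not mfa_verified:
        # A stolen or coerced password alone is not enough for this data.
        return Decision(False, "second factor required")
    return Decision(True, "ok")


def audit(users, grants):
    """Periodic access review over explicit grants (user name, resource).

    Returns findings a reviewer must act on: grants that survived a
    termination, grants beyond the role's need, and sensitive-data grants
    held by users who never enrolled in MFA.
    """
    by_name = {u.name: u for u in users}
    findings = []
    for user_name, resource in grants:
        user = by_name[user_name]
        if not user.active:
            findings.append((user_name, resource.name, "grant survives termination"))
        if resource.classification not in ROLE_NEEDS.get(user.role, set()):
            findings.append((user_name, resource.name, "exceeds need-to-know"))
        if resource.classification == SENSITIVE and not user.mfa_enrolled:
            findings.append((user_name, resource.name, "sensitive access without MFA enrollment"))
    return findings


# Constructed sample data.
MEMBER_PII = Resource("member_pii", SENSITIVE, ("ssn", "dob", "medical_id", "income"))
CAMPAIGN_LIST = Resource("campaign_list", INTERNAL, ("email",))

USERS = [
    User("alice", "claims_processor", mfa_enrolled=True),
    User("bob", "marketing"),
    User("carol", "helpdesk", active=False),   # terminated, grant never revoked
    User("dave", "claims_processor"),          # never enrolled in MFA
]

GRANTS = [
    ("alice", MEMBER_PII),
    ("bob", MEMBER_PII),       # marketing has no need for SSNs
    ("bob", CAMPAIGN_LIST),
    ("carol", CAMPAIGN_LIST),  # should have been disabled on termination
    ("dave", MEMBER_PII),
]

if __name__ == "__main__":
    for finding in audit(USERS, GRANTS):
        print("FINDING:", *finding)
    print(authorize(USERS[0], MEMBER_PII, mfa_verified=True))
    print(authorize(USERS[0], MEMBER_PII))
```

Running the audit over the sample grants flags four problems: bob's grant to member PII both exceeds his role's need and lacks MFA enrollment, carol's grant outlived her termination, and dave holds sensitive access without a second factor. The request-time check is deliberately ordered so that a disabled account is refused before any other attribute is consulted.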

What are your biggest concerns in the wake of the Anthem breach? Are there IT, business, or security practices that you're re-evaluating in your organization? Tell us about it in the comments section below.

Joe Stanganelli is founder and principal of Beacon Hill Law, a Boston-based general practice law firm. His expertise on legal topics has been sought for several major publications, including US News and World Report and Personal Real Estate Investor Magazine. Joe is also ...
Comments
StaceyE (User Rank: Ninja), 3/24/2015 1:16:57 PM, Re: Anthem Hack
@ SaneIT

Very true. Then you have employees that don't follow protocols and put information at even greater risk. (Like someone we all know of that chose to employ her own server and email account while working for the state department...no names mentioned of course....)
Gigi3 (User Rank: Ninja), 3/3/2015 4:22:22 AM, Re: McGladrey and Data breach advice
"So what is the middle ground? We cannot have other parties trying to spy on the data we have trusted them with. How do we know that the third party is trusted?"

Sunita, certified by trusted agencies with certifications or accreditations.
SaneIT (User Rank: Ninja), 3/2/2015 8:03:37 AM, Re: Anthem Hack
@StaceyE, a lot of professionals miss this point. They assume that they'll never get hacked, or if it does happen that they'll notice right away and be able to shut the attack down quickly. What we're seeing in the past 5 years or so are really slow leaks that go unnoticed for months if not years, because thieves are not after a one-time win. They know that small transactions get lost in the noise, and they are happy to have many small wins over one gigantic win that gets them shut down quickly. We're crossing a threshold with cyber security now where we need to get our act together; most of the companies who have lost massive amounts of data have more people guarding their offices from people trying to steal paper and staplers than they have guarding their customer data.
StaceyE (User Rank: Ninja), 2/27/2015 2:18:08 PM, Re: McGladrey and Data breach advice
I agree with you completely. Security of data must be number one, and every possible step must be taken to avoid an external data breach. This is why security has to be an ongoing process with every company. System security must constantly evolve to keep up with the latest technology, and the latest threats. 

My doctor's office refuses to use any type of technology for its patient information. The computers in their office are used to schedule appointments and keep patients' contact information. I talked to my doctor about why they haven't adopted some type of CRM system for all their patient records, and he said it is simply because they are afraid of a data breach. They would rather keep doing what they have been doing for decades (paper files) than risk losing patient data.
StaceyE (User Rank: Ninja), 2/27/2015 2:12:18 PM, Re: Anthem Hack
Very good point. I think you are absolutely right. The less attention you get, the more apt you are to get away with the crime.
SaneIT (User Rank: Ninja), 2/26/2015 8:03:12 AM, Re: Anthem Hack: Lessons For IT Leaders
@SunitaT0

I'm not at all blaming developers or programmers, and I do understand that they aren't the ones making the feature requests. My point is that access to any and all data has become the standard. Not only do people want their data, they want it presented in multiple ways, exportable and easy to manipulate. What I'm saying here is that without giving customers what they want you won't have much of a business. Finding the balance between keeping customers happy and keeping them protected is a tough one. Make them jump through too many hoops and you'll lose them; hide their data from them and you'll lose them; get hacked and leak their data and you'll lose them after they blast your company on social media for a week or two.
SunitaT0 (User Rank: Ninja), 2/25/2015 1:43:42 PM, Re: McGladrey and Data breach advice
@anon: I agree. IT departments are already looking into newer types of security. A lot of companies have adopted homomorphic encryption and biometrics as explained by one of the articles on this website.
SunitaT0 (User Rank: Ninja), 2/25/2015 1:34:39 PM, Re: McGladrey and Data breach advice
@gigi3: So what is the middle ground? We cannot have other parties trying to spy on the data we have trusted them with. How do we know that the third party is trusted?
SunitaT0 (User Rank: Ninja), 2/25/2015 1:31:19 PM, Re: Anthem Hack: Lessons For IT Leaders
@saneIT: Developers have had a lot of trouble keeping up with what the management/marketing people promise and what they deliver. Developers have never on one occasion tried to come up with something that clearly has problems. They always want the most secure form of software usage; however, they are blown away by the standards that marketing people have set for the software, and this mismatch creates all the problems for the software security.
SunitaT0 (User Rank: Ninja), 2/25/2015 1:25:15 PM, Re: Anthem Hack: Lessons For IT Leaders
@sachinEE: Data vulnerabilities will always be there, and we cannot ensure proper protection for the end user; what we can do, though, is facilitate alms to them in an event where such an attack occurs and people are affected.