Anthem Hack: Lessons For IT Leaders - InformationWeek


IT Leadership | Commentary | 2/12/2015 12:06 PM | Joe Stanganelli

Anthem Hack: Lessons For IT Leaders

There are two key lessons that IT can learn from the Anthem breach.


When Anthem became the latest high-profile hack victim to grace headlines last week, it would be impossible not to wonder what would happen at your own organization should a similar breach occur. There are two key lessons that IT can take away from the Anthem breach.

The first is to remember that the business decisions you're making today about whether or not to encrypt data can have significant and oftentimes unintended consequences. The second is to ask yourself whether you and other decision-makers in your organization truly understand the value of your data. While those working in retail and financial services have long been on the front lines of the cybersecurity wars, the breach of medical information is a wake-up call to the fact that other types of data are also valuable to criminals. It's time to audit the data you have on your customers (and your employees), examine who in your organization has access to that data, and consider whether the things you consider to be low-risk might, in fact, be coveted by hackers.

All of Anthem's business units were affected by the data breach, which may have been going on for longer than 10 months. The number of people whose data have been compromised has not yet been determined, but experts estimate the figure to be well into the tens of millions -- a number that includes not only customers, but also Anthem employees.

(Image source: Geralt via Pixabay.)

On February 4, Anthem -- one of the nation's largest health insurers, formerly known as Wellpoint -- reported that attackers obtained the names, dates of birth, Social Security numbers, medical identification numbers, street addresses, email addresses, income data, employment information, and other personal information of current and former members.

The data was unencrypted. The import of this fact has sparked debate. Apologists note that:

  • In this particular circumstance, Anthem's declination to encrypt the impacted data might not have been a HIPAA violation; and
  • Encrypting the data would not have protected Anthem from this attack anyway (and thus would not have triggered a "safe harbor" that would mitigate Anthem's duty to notify its customers).

The public and the pundits alike are fuming regardless -- and, to be fair, it makes sense for them to do so. If you don't encrypt your data, that represents a symptom of other substandard security practices and a substandard security culture. (Maybe the person making your Big Mac actually has clean hands, but you'd still want to see McDonald's food preppers utilizing protective gloves properly.) Any CIO should expect customers to balk in such a situation. Encryption is important. Period.


Alas, many healthcare companies lag far behind other industries in taking proper data security measures in general (like -- ahem -- encryption). This is despite the fact that medical credentials can be worth many times more on the black market than credit card numbers. Little wonder, then, that healthcare organizations are highly desirable targets for hackers these days.

Identify your most vulnerable data

Credit card information and medical histories reportedly were untouched in the Anthem breach -- or so it appears from the investigation so far. Nevertheless, even though no direct financial data was compromised, millions of consumers -- and possibly their employers -- may be financially vulnerable. On top of the Anthem-related phishing attacks consumers are already facing, experts familiar with the Anthem investigation warn that data gleaned from hacks such as these could be used to blackmail high-profile individuals into compromising proprietary data and national security secrets.

Put another way: The bad guys don't have to hack your secure systems; they just have to hack your EVP's email account or your IT administrator's health records.

Indeed, among its millions of victims, the Anthem hack netted data belonging to VIPs -- including President Obama's chief cyber security advisor, Michael Daniel (perhaps helping to account for why Anthem, unlike many other compromised companies, reported the breach to the public long before it was legally obligated to do so). With Chinese state-sponsored hackers being suspected of perpetrating the Anthem hack, the idea of government officials' personal data being compromised is all the more disconcerting.

What, then, are feasible solutions for companies to undertake to protect themselves from compromised employees -- employees who may be incentivized to go rogue? "It's a tough question. We wrestle with it every day," says Alia Luria, a data privacy associate with Akerman LLP. "[An employee's] weakness is embarrassment and fear -- be it for their job, reputation, or family -- and that is pretty universal. … If the worries about criminal charges or the civil penalties of espionage aren't sufficient, companies may have to get creative." Still, there are at least a few ways to discourage employees from doing the wrong thing.

"You can't force [employees] to enable two-factor on their personal accounts, but there [are] other ways to incentivize," avers Luria, recommending gamification incentives, cash, and other perks for employees who complete security training, use approved technologies and employer-issued devices that the company can more easily regulate, and even come forward and report an incident if their personal data is compromised and/or held hostage.

There are also prophylactic measures enterprises can take to prevent insider access from ever becoming compromised.

"Part of it has to do with proper segregation of information. You don't grant access to sensitive information to people who don't need to know it. You disable access upon termination," Luria urges. She further recommends that multi-factor authentication always be employed -- so that even if an employee's credentials become compromised through extortion or otherwise, they're not enough without the additional factor of a security token-generated single-use code, a biometric scan, or something else.

"Those standard measures can cut down how easy it is to exploit individuals," says Luria.

What are your biggest concerns in the wake of the Anthem breach? Are there IT, business, or security practices that you're re-evaluating in your organization? Tell us about it in the comments section below.


Joe Stanganelli is founder and principal of Beacon Hill Law, a Boston-based general practice law firm. His expertise on legal topics has been sought for several major publications, including US News and World Report and Personal Real Estate Investor Magazine. Joe is also ...

Comments
jastroff (User Rank: Ninja), 2/12/2015 | 4:56:40 PM
Anthem Hack
@joe -- great article - covers all the bases so well.

>> What, then, are feasible solutions for companies to undertake to protect themselves from compromised employees -- employees who may be incentivized to go rogue?

Or employees who may be blackmailed because of the information, no? It seems that this attack was looking for people to exploit politically, etc. 
Joe Stanganelli (User Rank: Author), 2/12/2015 | 10:02:48 PM
Re: Anthem Hack
@jastroff: Not necessarily -- although certainly a distinct possibility that one must keep in mind, particularly when thinking about one's own organization.  Many healthcare companies, of course, are highly desired targets right now for the reasons I mentioned.  It's a lot easier to cancel a credit card than it is to protect your EMRs.
anon6262781453 (User Rank: Apprentice), 2/13/2015 | 7:28:21 AM
McGladrey and Data breach advice
Interesting information. IT departments should give more importance to preventing external threats which can affect the IT systems of an organization. Companies should adopt new technology to improve customer experience and take adequate measures to ensure they have a secure and protected system. I work for McGladrey and there is an infographic on our website: bit.ly/mcgldrydatabreach
SaneIT (User Rank: Ninja), 2/13/2015 | 8:16:55 AM
Re: Anthem Hack
In cases like this, if the goal is blackmail then it's usually pointed at the target, not the employees, patients, etc. Blackmailing thousands of people for some smaller payoff isn't worth the effort or risk, since the more communication you have with victims, the more likely you are to give up information that will lead to you being caught. The data theft is usually intended for simpler crimes like credit card fraud on a large scale that can go unnoticed for a period of time under the radar. Drawing attention to themselves is not in the best interest of hackers breaking into these systems.
zerox203 (User Rank: Ninja), 2/14/2015 | 10:47:27 PM
Anthem Hack: Lessons For IT Leaders
This is actually the first time I'm hearing about this. No surprise that it's headline news, considering who's involved, but it's much appreciated to have a more sober take that covers all the bases rather than the overly sensationalized versions that are likely to pop up most places. As the linked article in defense of non-encryption points out, the public doesn't really understand encryption (in fact, even many seasoned IT pros really don't), but it sounds good to say someone dropped the ball by not doing it. I'm the first one to question whether we really need comprehensive security measures on every piece of data at every company - that said, I'll always temper that point by saying something like 'unless you're in a highly sensitive field'. Healthcare is certainly on that list of sensitive fields.

That said, the smart money knows that IT security is a war of mitigation, not prevention. A breach is going to happen to everyone sometime, no matter how thorough your protection is. It's how you deal with the fallout, how quick your recovery is, and how you prepare for next time that count. Again, in this regard, Anthem earns some points. It looks like they're already offering customers free support for potential financial issues, and as you point out, they notified the FBI immediately. Still, the full extent of their future plans remains to be seen, and who knows how much of that trust they'll be able to regain. I don't know whether the multitude of recent breaches should be a wakeup call that we need stricter regulations, a wakeup call that these breaches are a fact of life, or both.
Gigi3 (User Rank: Ninja), 2/16/2015 | 7:05:15 AM
Re: McGladrey and Data breach advice
"Interesting information. IT departments should give more importance to preventing external threats which can affect the IT systems of an organization. Companies should adopt new technology to improve customer experience and take adequate measures to ensure they have a secure and protected system."

Anon, you are right. Data threats and security are major issues online, especially with networked devices. How far your system/data is safe is a big question, and companies are spending millions of dollars every year to safeguard their information and stay hack-free.
SaneIT (User Rank: Ninja), 2/16/2015 | 8:08:25 AM
Re: Anthem Hack: Lessons For IT Leaders
"I'm the first one to question whether we really need comprehensive security measures on every piece of data at every company"

@zerox203, I think this becomes truer IF the company is careful about how they are designing systems, how and where the data is stored, as well as what is publicly visible. We've had a mentality of giving as much data as possible to everyone, even in very public applications. I think that in addition to encryption and increased network border protection, we're going to start seeing data split into chunks that will avoid catastrophic damage if one part of it is leaked without the others.
Sacalpha1 (User Rank: Moderator), 2/17/2015 | 3:39:48 PM
Anthem Should Be Punished for Breach
Note that my comments are all focused on Anthem consumer data and not employee data. First, it is ridiculous that Anthem is storing Social Security numbers of consumers/insured. HIPAA has required a non-SSN-based identifier for almost 10 years now, and SSN is not required for any other valid insurance business purpose. Add on top of this that the consumer/insured data was stored in an unencrypted format, and this makes it pure negligence. Also note these are the same bozos that had their insurance applicant system hacked about 3 years ago. You'd think they would learn.

Until there is some consequence for companies, they will not change their behavior. And there is no real consequence for Anthem. They are in a fairly protected business with minimal customer turnover. What are people going to do... stop their insurance? And the complexity of corporate negotiation around benefits administration means few companies will take any action to change insurance administrators.

I am not a fan of big government, but this is one time I think the government should go after Anthem with both barrels, especially considering this is the second major incident in a relatively short period of time. Anthem should be forced to pay $10s of millions in fines to the government, punitive monetary damages to every insured, and criminal negligence charges should be filed for storing unneeded SSN data (in violation of HIPAA) in an unencrypted format.

This kind of significant penalty is the only thing that will cause companies to change the way they behave. Most companies like to make you think they care in their marketing and branding, but as a matter of fact their business processes say they don't care. It's time for the public to stop accepting this kind of corporate behavior.
yalanand (User Rank: Ninja), 2/22/2015 | 2:16:25 PM
Re: Anthem Hack: Lessons For IT Leaders
"@zerox203, I think this becomes truer IF the company is careful about how they are designing systems, how and where the data is stored, as well as what is publicly visible. We've had a mentality of giving as much data as possible to everyone, even in very public applications. I think that in addition to encryption and increased network border protection, we're going to start seeing data split into chunks that will avoid catastrophic damage if one part of it is leaked without the others."

That is not so simple. Making new gates means deciding who gets to see/use what, and for that we need different sets of keys to be managed. Don't make gates, make better locks instead.
SachinEE (User Rank: Ninja), 2/23/2015 | 12:25:43 PM
The difficulties of security
@yalanand: Different kinds of security measures lean on different preferences. You may think making a better lock is easy, but it is not, since the same kind of technology is available to the developer and the hacker, and of course there is the problem of whistleblowing in organizations; internal corruption has to be dealt with.