Anthem hack: Employee access, not encryption, the problem

Tools

As the investigations and lawsuits roll in over the breach of health insurance company Anthem, the industry is taking a closer look at the company's security practices.

Some initial reports on the cyberattack, which impacted about 80 million current and former Anthem consumers, cited lack of encryption as a possible failing on Anthem's part. However, just because the information wasn't encrypted doesn't mean it wouldn't have been compromised anyway, according to an article in MIT Technology Review.

HIPAA currently doesn't require encryption, it only encourages it. However, in the wake of the Anthem breach, federal officials plan to review whether encryption should be a requirement. The Senate Health, Education, Labor and Pensions committee on Friday said it will take up the matter as part of a bipartisan review of health information security.

But even so, encryption alone won't keep data safe, according to Ken Westin, senior security analyst specializing in cybercrime and threat intelligence for computer security company Tripwire Inc.

"Encryption is great for securing data in transit and at rest, but if the credentials and keys are compromised it does little to protect the data," Westin writes.

In fact, Anthem says the hackers had access to at least five sets of employee credentials, according to U.S. News and World Report. 

In New York, the Department of Financial Services is already taking steps to strengthen its cyberdefenses, according to an announcement. The department plans on implementing assessments of cybersecurity preparedness at insurance companies throughout the state and will put forward stronger regulations on cybersecurity, among other initiatives.

"Recent cybersecurity breaches should serve as a stern wake up call for insurers and other financial institutions to strengthen their cyberdefenses. ... Regulators and private sector companies must both redouble their efforts and move aggressively to help safeguard this consumer data," Benjamin M. Lawsky, superintendent of the department, said in the announcement.

However, aside from stronger defenses, a large problem, according to Westin, is giving too many employees access to sensitive data, as well as access security controls to that data. Once a cybercriminal can identify who has access to information, they can figure out a way to get that user's credentials, and eventually use that to hack into the system.

To that end, some security experts say healthcare companies should be more concerned about threats from within the organization.

Joseph Smith, who retired from his post as CIO of Arkansas Blue Cross and Blue Shield last year, says that poor data habits from company employees are cause for concern.

"It's always unintentional or innocent, but your biggest risk is your own employees," Smith recently said. "With Target, the hacker posed as a vendor, someone was duped innocently--and there you go."

Anthem's headaches post-breach are just beginning. The insurance company also is warning that there are scam email campaigns targeting its members. The phishing emails look like they're from the company, but are not, Anthem has told consumers. The company is warning people not to click on links in email, reply to the messages or reach out to the senders.

"Anthem is not calling members regarding the cyberattack and is not asking for credit card information or social security numbers over the phone," the company says.

To learn more:
- read the MIT article
- here's the U.S. News & World Report article
- here's the Anthem announcement
- check out the NYDSF announcement

Related Articles:
Anthem hack compromises info for 80 million customers
Details emerge in Anthem hack
Security experts on Anthem breach: The biggest threat lurks inside your company
NAIC calls for multi-state examination of Anthem following hack