In February 2015, personal account information was stolen from approximately 80 million customers of Anthem, one of the country's largest health insurers. The stolen information included names, birthdays, Social Security numbers, mailing addresses, e-mail addresses, income data, and employment information; no medical or credit card information was accessed. According to Anthem president and CEO Joseph Swedish, it was a sophisticated cyber attack originating from an external source. Security experts involved in the investigation state that the attack closely resembles other attacks launched by a Chinese cyber espionage group known as "Deep Panda," a name given to the group by the security firm CrowdStrike. The following graphic, the ScanBox Framework, was created by CrowdStrike and illustrates servers and tools that "Deep Panda" has used in several other cyber attacks. (Krebs, 2015)
There are several points to consider regarding Anthem's failure to protect this information. Two preventative steps against a data breach are to continuously monitor for the leakage or loss of sensitive information and to periodically test and check information security controls. (US Department of Education, 2012) A federal agency, the Office of Personnel Management's Office of Inspector General (OIG), performs audits on health insurers that provide health plans to federal employees. Less than a month after the attack, the OIG stated that Anthem had refused to allow the agency to perform "standard vulnerability scan and configuration compliance tests" on its systems. Anthem had also denied a similar request in 2013. In both instances, the company cited 'company policy' as the reason for the refusal. (McGee, 2015) It is worth noting that the investigation of the breach revealed that the hackers may have begun accessing Anthem data as early as nine months before the company reported the attack. (Krebs, 2015) In addition, Anthem's data was not encrypted. Encryption is an important method in cyber security: it uses mathematical algorithms to transform readable data into ciphertext that cannot be read without the corresponding key. Although the law does not require companies to encrypt critical data, it is an additional step Anthem should have taken to protect its systems. (Kern, 2015) (O'Brien & Marakas, 2011)
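To make the encryption point concrete, here is an added example (not code from the original post or from Anthem) of field-level encryption at rest for the kinds of customer fields listed above. It uses Go's standard-library AES-256-GCM and binds each ciphertext to its record ID and column name as additional authenticated data, so a value copied into another record or column fails to decrypt. The record layout, field names and sample values are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// SensitiveFields lists the columns that must never be stored in the clear.
// They mirror the categories of data described in the post (assumed names).
var SensitiveFields = []string{"Name", "SSN", "Email", "Income"}

// newGCM builds an AES-GCM AEAD from a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad ties a ciphertext to exactly one record and one column; GCM
// authenticates it, so a moved or swapped ciphertext will not open.
func aad(recordID, field string) []byte {
	return []byte(recordID + "/" + field)
}

// EncryptField returns hex(nonce || ciphertext || tag) for one field value.
func EncryptField(key []byte, recordID, field, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per value
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), aad(recordID, field))
	return hex.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField; any tampering or mismatch is an error.
func DecryptField(key []byte, recordID, field, stored string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	raw, err := hex.DecodeString(stored)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("stored value too short to contain a nonce")
	}
	nonce, sealed := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, sealed, aad(recordID, field))
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// EncryptRecord encrypts only the sensitive columns; others pass through.
func EncryptRecord(key []byte, recordID string, rec map[string]string) (map[string]string, error) {
	out := make(map[string]string, len(rec))
	for k, v := range rec {
		out[k] = v
	}
	for _, f := range SensitiveFields {
		if v, ok := rec[f]; ok {
			enc, err := EncryptField(key, recordID, f, v)
			if err != nil {
				return nil, err
			}
			out[f] = enc
		}
	}
	return out, nil
}

// DecryptRecord is the inverse of EncryptRecord.
func DecryptRecord(key []byte, recordID string, stored map[string]string) (map[string]string, error) {
	out := make(map[string]string, len(stored))
	for k, v := range stored {
		out[k] = v
	}
	for _, f := range SensitiveFields {
		if v, ok := stored[f]; ok {
			plain, err := DecryptField(key, recordID, f, v)
			if err != nil {
				return nil, err
			}
			out[f] = plain
		}
	}
	return out, nil
}

func main() {
	key := make([]byte, 32) // AES-256 key; in practice it would come from a key manager
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample record, not real customer data.
	rec := map[string]string{"Name": "Jane Example", "SSN": "000-00-0000", "Email": "jane@example.invalid", "Plan": "PPO"}
	stored, err := EncryptRecord(key, "cust-0001", rec)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored SSN column:", stored["SSN"]) // hex ciphertext, differs every run
	back, err := DecryptRecord(key, "cust-0001", stored)
	fmt.Println("round trip ok:", err == nil && back["SSN"] == rec["SSN"])
}
```

The design choice worth noting is that the protection this gives is against data read from disk, a backup, or a database dump. Anyone who reaches the data through the application with valid credentials and access to the key still sees plaintext, so key custody and access control around the decryption path matter as much as the algorithm.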
Although there were steps that Anthem did not take to prevent the attack, the company did respond correctly by notifying the affected customers quickly. Federal law requires healthcare companies to inform consumers of a data breach involving personal information, but gives them up to 60 days after discovery of the attack to do so. (Mathews & Yadron, 2015) Anthem created a website to educate its customers and offered those affected free credit monitoring and identity theft protection services. It also contacted the FBI immediately and hired an independent security monitoring company to evaluate its systems. Acting swiftly matters in this situation because hackers can destroy evidence once they become aware they are under investigation. (Weise, 2015)
The financial consequences of the data breach may exceed 100 million dollars. Anthem's cyberinsurance policy covered losses up to 100 million; however, with 80 million affected customers, the cost of the notification procedures alone may have exceeded this amount. (Osborne, 2015) This figure also excludes the losses incurred by affected customers who may consequently become victims of identity theft.
References
Cyber crime statistics and trends. (2015). Go Gulf. Retrieved April 17, 2015 from http://www.go-gulf.com/blog/cyber-crime/
Kern, C. (2015, Feb 20). Anthem breach leads to push for encryption legislation. Health IT Outcomes. Retrieved from www.healthitoutcomes.com
Krebs, B. (2015, Feb 9). Anthem breach may have started in April 2014. Krebs on Security. Retrieved April 17, 2015 from www.krebsonsecurity.com
Mathews, A. & Yadron, D. (2015, Feb 14). Health insurer Anthem hit by hackers. Wall Street Journal. Retrieved April 18, 2015 from www.wsj.com
McGee, M. (2015, March 4). Anthem refuses full IT security audit. Gov Info Security. Retrieved from www.govinfosecurity.com
O'Brien, J. & Marakas, G. (2011). Management Information Systems. New York, NY: McGraw-Hill Companies.
Osborne, C. (2015, Feb 12). Cost of Anthem's data breach likely to exceed $100 million. CNET. Retrieved from www.cnet.com
U.S. Department of Education: Privacy Technical Assistance Center. (2012). Data Breach Response Checklist (PTAC-CL). Retrieved April 17, 2015 from www.ptac.ed.gov
Weise, E. (2015, Feb 5). Massive breach at health care company Anthem Inc. USA Today. Retrieved from www.usatoday.com
Group 1 Response: Chad, Joel, & Janine
Very informative post, but our initial reaction is "Wow!" 80 million people affected by one data breach. We would imagine the customers of Anthem should be relieved their credit card and medical records were not accessed, but when the hacker has your name, birthday, Social Security Number, mailing address, e-mail address, income data, and employment information, the results of your last colonoscopy are fairly irrelevant. We found two very shocking revelations in your blog, the first being that Anthem could legally refuse the Office of Inspector General permission to perform a standard vulnerability scan and configuration compliance test on Anthem's system, especially since Anthem insures federal employees. And secondly, and probably more shocking, we find it absurd that there is no law requiring encryption of this type of data.
Katie Wike's article on Health IT Outcomes states that the Senate Health, Education, Labor and Pensions Committee will be overseeing the review of healthcare information security in a bipartisan inquiry. Wike also noted that encryption would not have prevented the hacker from getting into Anthem's system, since they were using a system administrator's ID and password. (Wike, 2015) As you mentioned in your blog, our textbook states that 6-8% of an IT department's budget is spent on security. (O'Brien & Marakas, 2011) If encryption is not the only answer to solving situations such as this, what is? It is possible that instead of using standard usernames and passwords, administrators could use fingerprint readers to gain access to the information. We are quite positive Anthem's insurance provider would sleep better knowing there were additional measures to safeguard their $100 million policy.
O'Brien, J. A., & Marakas, G. M. (2011). Management Information Systems (10th ed.). New York: McGraw Hill.
Wike, K. (2015, February 19). Should HIPAA Encryption Be Legislated? Health IT Outcomes. Retrieved from http://www.healthitoutcomes.com/doc/should-hipaa-encryption-be-legislated-0001
Very interesting statistics on the global cost of cyber-crime. It is certainly a critical item becoming more prominent as time goes on. It is a shame Anthem had corporate policies which prevented the OIG from completing the, much needed in this case, vulnerability scans and compliance tests. It reminds one of the adage, 'pay now or pay later'. Anthem paid for it big time later and may have been better prepared had they adjusted their company policy to allow minimum scans and tests to be conducted prior to any data breaches. Anthem could search for and hire the talent necessary, from an internal standpoint, to complete data security testing, but this comes at a cost; the talent isn't always easy to find nor reasonably priced (Cannon, n.d.). Other challenges when you get into the healthcare realm, such as Anthem, are those of competition, budget, and older technology (Cannon, n.d.).
You bring out excellent points on how Anthem reacted professionally to the data breach. They were quick to notify their affected customers and provide credit monitoring and identity theft protection. With an estimated 22% of US companies experiencing some sort of data breach, it is imperative that organizations work to prevent data breaches and do so closer to the source, the data (Korolov, 2015). Two areas Anthem, Sony, Target, Home Depot, and any other company that has experienced a data breach of any magnitude should look into are shifting their focus closer to the data and enhancing internal controls such as encryption and controlled access (Korolov, 2015).
Group 5: Andrew Sorkin, Chris Pensinger, & Nathaniel Gibson
References
Cannon, T. (n.d.). The Root of the Problem: How to Prevent Security Breaches. Retrieved from http://www.wired.com/2015/02/the-root-of-the-security-problem/
Korolov, M. (2015, January 21). Security priorities shifting to preventing breaches, improving internal controls. Retrieved from http://www.csoonline.com/article/2872310/data-protection/security-priorities-shifting-to-preventing-breaches-improving-internal-controls.html