Anthem Hack: Was It Preventable?

As details of last week’s Anthem hack of up to 80 million customer records continue to emerge, it appears that some fundamental security controls—such as two-factor authentication and encryption—could have helped prevent or significantly minimize the attack. Reports suggest that attackers accessed Anthem’s database using a stolen name and password obtained from one of the company’s senior administrators. If a successful spearphishing attack is found to be the culprit, it will serve as an important reminder of the need for information security policies that utilize security layers and deploy available tools at multiple levels to protect organizational data.

As of today, tens of millions of Anthem customers are dealing with the fallout. Anthem customers’ most private personally identifiable information is now in attackers’ hands: social security numbers, addresses, birthdates, phone numbers, e-mail addresses, and employment information (such as salaries). It’s hard to imagine that it could have been worse, but at least Anthem indicated that no medical records were stolen, and no credit card numbers appear to have been swiped. With Anthem being a healthcare-related organization, it’s no surprise that it would be targeted for any Private Healthcare Information (PHI) it holds, with reports claiming the value of medical records on the black market today to be up to $50 per record.

The negative consequences of leaked social security numbers can be enduring for Anthem’s customers. As the baseline method of identification in the U.S., a social security number can be used to impersonate someone, including applying for credit cards or even filing fraudulent tax refunds in the victim’s name. Because a social security number is an underlying form of personal identity, it cannot be changed without enduring a painful process. A credit card, on the other hand, can easily be canceled and a new one issued.

Needless to say, the impacts of this breach will endure for many months, and even years. The first class-action lawsuits against Anthem reportedly have already been filed.

Lessons Learned

The Anthem hack, unfortunately, seems to fit into a cycle in which large organizations suffer data theft on a nearly daily basis. But what can organizations do better to protect confidential information, especially in the healthcare space? And what can and should consumers demand of the places where they do business?

The answer starts with organizations across the board more regularly applying basic security layers, such as strong authentication and encryption, when securing informational assets.

Although the attack was initially reported as “sophisticated,” if a stolen username and password were enough to reach customer data, then requiring two-factor authentication for its employees and contractors very likely would have allowed Anthem to prevent it. Even though phishing attempts appear to have netted the attackers a treasure trove of administrative passwords, with multi-factor authentication in place they still could not have reached the company’s database of customers’ personal information without an administrator’s trusted device or physical token.
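To make the two-factor point concrete, here is an added example (my own illustration, not code from Anthem or from the original article) of a login check that requires both a password and a time-based one-time code (TOTP, RFC 6238) from a token or phone app. The `account` record, the password, and the use of SHA-256 in place of a slow password hash are all constructed assumptions for the demonstration; the TOTP secret is the RFC 6238 test-vector secret, so the codes it produces can be checked against the published vectors.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// totpCode computes a 6-digit TOTP (RFC 6238: HMAC-SHA1, 30-second step)
// for the shared secret at the given Unix time.
func totpCode(secret []byte, unixTime int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f // dynamic truncation (RFC 4226)
	bin := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// account is a constructed model of one administrator's login record.
type account struct {
	passwordHash [32]byte // SHA-256 stands in for a slow hash such as bcrypt or argon2
	totpSecret   []byte   // provisioned onto the administrator's token or phone app
}

func newAccount(password string, totpSecret []byte) account {
	return account{passwordHash: sha256.Sum256([]byte(password)), totpSecret: totpSecret}
}

// authenticate succeeds only when both factors check out: the password
// (something known, and the thing phishing steals) and a current TOTP code
// (something held). One 30-second step of clock drift either way is tolerated.
// Both comparisons are constant-time so timing does not reveal which factor failed.
func authenticate(acct account, password, code string, now int64) bool {
	given := sha256.Sum256([]byte(password))
	passwordOK := subtle.ConstantTimeCompare(given[:], acct.passwordHash[:]) == 1
	codeOK := false
	for _, drift := range []int64{-30, 0, 30} {
		expected := totpCode(acct.totpSecret, now+drift)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			codeOK = true
		}
	}
	return passwordOK && codeOK
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test-vector secret
	acct := newAccount("stolen-by-phishing", secret)
	now := time.Now().Unix()
	// A phished password on its own is not enough to log in.
	fmt.Println("password only:", authenticate(acct, "stolen-by-phishing", "", now))
	// The same password together with the code from the administrator's token succeeds.
	fmt.Println("password + current code:", authenticate(acct, "stolen-by-phishing", totpCode(secret, now), now))
}
```

The design point is that the second factor is a secret the phishing e-mail never touched: it lives on the device, rotates every 30 seconds, and is checked independently of the password, so a leaked password list yields nothing on its own. A production deployment would also rate-limit attempts and store used codes to block replay within a step.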

Further access controls might also have helped, though it’s too early to tell with the limited details released at this time. One good tool for strong authentication to critical resources is deploying digital certificates for each user and device within the organization, which allows administrators to set parameters for privileged access and helps mitigate such attacks. Brute forcing appropriately keyed certificates is computationally infeasible today, making them a suitable replacement for simple passwords, which are all too often revealed with minimal effort.

Reports also indicate that the data stolen from Anthem was not encrypted while stored in the company’s databases. Though attackers with full administrative rights still could potentially have defeated file encryption, the fact that no encryption was applied at all highlights a significant failure to follow best practices. Encryption would have provided yet another layer of defense for would-be attackers to defeat before they could steal the data.
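The distinction between file-level encryption (which an administrator with full rights on the host can read through) and application-level field encryption (where the key is held outside the database) is worth showing in code. The following is an added example written for this article, not Anthem's system or anything the original reports describe; the member record, column names, and sample values are constructed, and the key is assumed to come from a separate key-management service rather than the database. Each sensitive column is sealed with AES-256-GCM, with the column name bound as associated data so a ciphertext cannot be moved between columns.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// sealField encrypts one sensitive column value with AES-256-GCM. The column
// name is bound as associated data, so a ciphertext copied into another column
// fails to decrypt. A fresh random nonce is prepended to the ciphertext.
func sealField(key []byte, column, plaintext string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(column))
	return hex.EncodeToString(ct), nil
}

// openField reverses sealField; it returns an error on a wrong key, a
// mismatched column, or any modification of the stored bytes.
func openField(key []byte, column, stored string) (string, error) {
	ct, err := hex.DecodeString(stored)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(ct) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, body := ct[:gcm.NonceSize()], ct[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, body, []byte(column))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// memberRow is what the database actually holds (constructed schema): the SSN
// and birthdate exist only as ciphertext; the name stays in the clear so the
// row remains searchable.
type memberRow struct {
	Name     string
	SSNEnc   string
	BirthEnc string
}

func storeMember(key []byte, name, ssn, birthdate string) (memberRow, error) {
	ssnEnc, err := sealField(key, "ssn", ssn)
	if err != nil {
		return memberRow{}, err
	}
	birthEnc, err := sealField(key, "birthdate", birthdate)
	if err != nil {
		return memberRow{}, err
	}
	return memberRow{Name: name, SSNEnc: ssnEnc, BirthEnc: birthEnc}, nil
}

func loadSSN(key []byte, row memberRow) (string, error) {
	return openField(key, "ssn", row.SSNEnc)
}

// dumpRow is what someone who can read the database table (but not the key
// service) would see for this member.
func dumpRow(row memberRow) string {
	return fmt.Sprintf("%s|%s|%s", row.Name, row.SSNEnc, row.BirthEnc)
}

func main() {
	key := make([]byte, 32) // assumption: fetched from a KMS/HSM, never stored beside the data
	rand.Read(key)
	row, _ := storeMember(key, "Jane Doe", "123-45-6789", "1970-01-01") // constructed sample values
	fmt.Println("row as stored:", dumpRow(row))
	fmt.Println("SSN visible in dump:", strings.Contains(dumpRow(row), "123-45-6789"))
	ssn, err := loadSSN(key, row)
	fmt.Println("decrypted with key:", ssn, err)
}
```

With this layout, a bulk export of the table yields names plus opaque ciphertext; the attacker must additionally reach the key service, which can be separately audited and alerted on. That is the extra layer the article refers to, and it is also why the key must not live in the same database or on the same host as the data.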

Traditionally, when it comes to applying key information security best practices, the healthcare industry as a whole has perhaps lagged behind other industries. This is somewhat surprising given the heavily regulated environment in which healthcare operates (being subject to HIPAA and other laws). Yet, regulators have always been reluctant to require full disk encryption for healthcare data, due to private industry concerns about the added costs of encryption. Now that this hack has come to light, will it cause encryption to be standardized by government regulation? Efforts underway at the Office of the National Coordinator for the Department of Health and Human Services, even before this breach was announced, would suggest that things are about to change. Basic encryption is affordable and much less costly than the estimated more than $100 million damage inflicted by this particular breach.

Perhaps regulators, policy makers, and the healthcare industry need look no further than the adoption of authentication and encryption policies taking place within Directed Exchange of electronic health records as an example of how to successfully implement available technologies. PKI is enabling the use of available technology to provide important consumer protections and advance healthcare data transport and exchange practices.

Stemming the Tide

One thing’s for certain: attacks are not about to stop and enterprises need to get smarter about deploying security layers that prevent data leakage. Fortunately, the tools are available today to help confidential data holders keep information private and secure. We have the technology; we just have to deploy it.

Whether it’s Anthem customers or the many of us who now use, or soon will use, technology to improve our health and wellness, we can expect and must demand that the companies we work with follow best practices and do everything possible to thwart the designs of attackers who desperately want to use our data for their own sinister gains.