Top Four Incident Response Lessons Learned From The Anthem Hack

Written By

Capsicum Group

The magnitude of the Anthem computer network hack is still causing aftershocks.  While the breach itself was uncovered in early February, a few weeks later it was determined that the data of millions of children covered by the health insurance giant had also been exposed.  Now, they too will be vulnerable to identity theft.  The numbers associated with this breach are staggering and continue to grow:  approximately eighty million Social Security numbers, addresses, phone numbers, dates of birth, names, employment information and email addresses were stolen. And these types of crises are affecting healthcare and health insurance organizations with increasing frequency.

At the time of the release of this blog post, Anthem has responded to this public relations and privacy ordeal by offering identity theft protection services and free credit monitoring to consumers affected by the incident.  However, ten states (Arkansas, Connecticut, Illinois, Kentucky, Maine, Mississippi, Nebraska, Nevada, Pennsylvania, and Rhode Island) have complained that Anthem was too slow in notifying consumers that they were, in fact, victims of the data breach.  These states have asked Anthem to reimburse consumers for any losses that took place due to the breach during the time period between the breach itself and the date that Anthem provided access to credit and identity theft safeguards.  Furthermore, Connecticut Senate Democratic leaders have proposed that insurers selling health plans in the state be required to encrypt Social Security numbers and other client information.  This would make Connecticut the second state (after New Jersey) to set encryption standards for health insurers.

Already, Anthem is being bombarded by class action lawsuits related to the breach, and the legal implications and reputational harm will only continue to grow.

While many experts and consumers were shocked to discover that Anthem’s hacked data was not encrypted, the federal mandate for securing health-related personal information (HIPAA) only “encourages” encryption – it is not a requirement. MIT’s Technology Review published an article recently regarding this issue (available here: http://www.technologyreview.com/view/535111/encryption-wouldnt-have-stopped-anthems-data-breach/). The author pointed out that “even if Anthem had used encryption, the data could still have been compromised” because encryption is “just one part of the arsenal that organizations need to deploy to secure sensitive data.”

This security “arsenal” is exactly what every company, organization, firm, and business must reevaluate, update, and prioritize as cybersecurity threats and data breaches relentlessly target all different types of industries and fields. Your computer network’s security is of paramount importance, and security is becoming much more challenging. On that note, here are the top four incident response lessons learned from the Anthem hack:

(1)    Spoofing is a serious threat.

An internationalized domain name (IDN) homographic attack – also known as a spoofing attack – allows a hacker to deceive the computer user about what web site he or she is visiting by exploiting the fact that many different characters look alike (thus a “homographic” attack).  In this case, it was uncovered that the domain names “we11point.com” and “extcitrix.we11point.com” (Citrix is a software tool that allows employees remote access to their employers’ internal networks) – both spoofs of Anthem’s former company name, Wellpoint – were registered to a service in China. The sites were allegedly constructed to “masquerade as legitimate Wellpoint infrastructure” according to security blog Krebs on Security (available here: http://krebsonsecurity.com/2015/02/anthem-breach-may-have-started-in-april-2014/).
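Defenders can hunt for the kind of look-alike registration described above in new domain registrations, certificate transparency logs or their own DNS and proxy logs. The Python below is an added example, not code from the original post or from Capsicum Group: it reduces each domain to a "skeleton" in which confusable characters (the digit 1 standing in for the letter l in we11point.com, or Cyrillic letters hidden behind punycode) collapse onto their Latin look-alikes, then flags any host whose skeleton matches a protected brand domain without being that domain. The confusables table, the sample host list and the two-label rule for the registrable domain are assumptions made for the demo; a production version would use the Unicode confusables data and a public-suffix list.

```python
"""Flag look-alike (homograph) domains of a company's own domains.

Added example, not code from the original post or from Capsicum Group.
The confusables table and the host list below are constructed for
illustration; 'wellpoint.com' stands in for the brand domain being protected.
"""
import unicodedata

# Characters commonly mistaken for ASCII letters. Digit 1 for letter l is the
# we11point.com trick; the Cyrillic rows cover IDN homographs. Assumption: this
# hand-picked subset is enough for the demo; a production list would derive
# from the Unicode confusables table.
CONFUSABLES = {
    "1": "l", "0": "o", "5": "s", "3": "e", "4": "a", "7": "t",
    "\u0430": "a",  # Cyrillic а
    "\u0435": "e",  # Cyrillic е
    "\u043e": "o",  # Cyrillic о
    "\u0440": "p",  # Cyrillic р
    "\u0441": "c",  # Cyrillic с
    "\u0443": "y",  # Cyrillic у
    "\u0445": "x",  # Cyrillic х
    "\u0456": "i",  # Cyrillic і
    "\u04cf": "l",  # Cyrillic palochka
}


def label_skeleton(label: str) -> str:
    """Reduce one DNS label to a canonical form so look-alikes collide."""
    # Decode punycode (xn--...) so Unicode homographs become visible.
    try:
        label = label.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or not valid IDNA: compare as-is
    label = unicodedata.normalize("NFKC", label).lower()
    label = "".join(CONFUSABLES.get(ch, ch) for ch in label)
    # Multi-character confusables: 'rn' reads as 'm', 'vv' as 'w'.
    return label.replace("rn", "m").replace("vv", "w")


def domain_skeleton(domain: str) -> str:
    """Skeleton of a dotted domain name, label by label."""
    return ".".join(label_skeleton(part) for part in domain.split("."))


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname, so 'extcitrix.we11point.com' maps to
    'we11point.com'. Assumption: no public-suffix list (co.uk etc. ignored)."""
    labels = host.strip().rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def find_lookalikes(observed_hosts, protected_domains):
    """Return (host, protected_domain) pairs where the observed host's
    registrable domain looks like a protected domain but is not it."""
    protected = {domain_skeleton(d.lower()): d.lower() for d in protected_domains}
    hits = []
    for host in observed_hosts:
        reg = registrable_domain(host)
        match = protected.get(domain_skeleton(reg))
        if match is not None and reg != match:
            hits.append((host, match))
    return hits


# Constructed sample: the sort of host list a defender would review, e.g.
# new registrations or certificate-transparency entries.
SAMPLE_HOSTS = [
    "wellpoint.com",
    "we11point.com",
    "extcitrix.we11point.com",
    "vpn.anthem.com",
    "w\u0435llpoint.com".encode("idna").decode("ascii"),  # Cyrillic е, as punycode
]

if __name__ == "__main__":
    for host, brand in find_lookalikes(SAMPLE_HOSTS, ["wellpoint.com", "anthem.com"]):
        print(f"look-alike: {host} resembles {brand}")
```

The skeleton is applied to both sides, so a brand domain that itself contains a confusable sequence still compares consistently; the one deliberate gap is that the two-label rule will mis-split domains under multi-part public suffixes.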

(2)    Security arsenals require implementation of the principle of least privilege.

The principle of least privilege is a data security tactic that requires a company to limit the amount of data to which certain personnel may have access.  In short, it keeps data secure by giving employees access only to the data they need and only when they need it.  While details of how the Anthem breach was executed are still surfacing, it appears that their customer records were disclosed via a stolen Database Administrator Account.  Such Administrator credentials need to stay out of the wrong hands – and utilizing the principle of least privilege could work to reduce the number and frequency of access points, thereby reducing the risk of the wrong person reaching an access point.
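As an added example (not the post's or Capsicum Group's code), the following Python shows one way to make "only what they need, only when they need it" checkable rather than aspirational: each grant is scoped to a resource and a set of actions, time-boxed to a just-in-time window, and optionally row-capped, and a database audit trail is replayed against the grants so that an administrator account pulling the whole customer table, or reading outside its approved window, is reported. Account names, tables, times and audit events are constructed for the demo.

```python
"""Check database audit events against least-privilege, time-boxed grants.

Added example, not code from the original post or from Capsicum Group.
Accounts, tables, grants and audit events below are constructed; the
'dba_ops' account stands in for a database administrator account.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Grant:
    principal: str                  # account receiving the privilege
    resource: str                   # table or schema it applies to
    actions: frozenset              # e.g. frozenset({"read"})
    not_before: datetime            # just-in-time window start
    not_after: datetime             # window end: no open-ended grants
    max_rows: Optional[int] = None  # per-query row cap for reads; None = no cap


@dataclass(frozen=True)
class AuditEvent:
    when: datetime
    principal: str
    resource: str
    action: str
    rows: int = 0


def check(grants: List[Grant], ev: AuditEvent) -> Optional[str]:
    """Return None if some grant permits the event, else the reason the
    last candidate grant rejected it."""
    reasons = []
    for g in grants:
        if g.principal != ev.principal or g.resource != ev.resource:
            continue
        if ev.action not in g.actions:
            reasons.append("action not granted")
            continue
        if not (g.not_before <= ev.when <= g.not_after):
            reasons.append("outside JIT window")
            continue
        if g.max_rows is not None and ev.rows > g.max_rows:
            reasons.append("row cap exceeded")
            continue
        return None  # permitted by this grant
    return reasons[-1] if reasons else "no grant on resource"


def find_violations(grants, events) -> List[Tuple[AuditEvent, str]]:
    """Every audit event that no grant covers, paired with the reason."""
    out = []
    for ev in events:
        reason = check(grants, ev)
        if reason is not None:
            out.append((ev, reason))
    return out


T0 = datetime(2024, 3, 4, 9, 0)  # constructed reference time

GRANTS = [
    # The DBA maintains the schema: alter/index, but no standing read on member data.
    Grant("dba_ops", "customer_records", frozenset({"alter", "index"}),
          T0, T0 + timedelta(days=30)),
    # A two-hour, row-capped read window approved for one support ticket.
    Grant("dba_ops", "customer_records", frozenset({"read"}),
          T0, T0 + timedelta(hours=2), max_rows=1000),
    # The claims application reads small batches on its own behalf.
    Grant("claims_app", "customer_records", frozenset({"read"}),
          T0, T0 + timedelta(days=30), max_rows=500),
]

# Constructed audit trail; the third event is the kind of bulk read that
# signals a misused administrator credential.
EVENTS = [
    AuditEvent(T0 + timedelta(minutes=5), "dba_ops", "customer_records", "alter"),
    AuditEvent(T0 + timedelta(minutes=30), "dba_ops", "customer_records", "read", rows=800),
    AuditEvent(T0 + timedelta(minutes=40), "dba_ops", "customer_records", "read", rows=78_800_000),
    AuditEvent(T0 + timedelta(hours=18), "dba_ops", "customer_records", "read", rows=200),
    AuditEvent(T0 + timedelta(hours=1), "claims_app", "customer_records", "read", rows=50),
    AuditEvent(T0 + timedelta(hours=1), "claims_app", "customer_records", "export", rows=50),
]

if __name__ == "__main__":
    for ev, reason in find_violations(GRANTS, EVENTS):
        print(f"{ev.when:%Y-%m-%d %H:%M} {ev.principal} {ev.action} "
              f"{ev.resource} rows={ev.rows}: {reason}")
```

The point of the row cap and the expiring window is that a stolen credential inherits only what the legitimate holder needed at that moment; the same check can run in an alerting pipeline over the real audit log rather than over a constructed list.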

(3)    Securely segregating key data or not having it at all resolves breach concerns.

Another proactive security measure is de-identification. De-identification refers to the process of disconnecting a person’s key data so that it cannot be connected with their personal data records.  Strategies for de-identifying datasets include deleting or concealing personal identifiers (name, Social Security number, bank account number or private health care identification number) and obscuring quasi-identifiers (gender, zip code, or birth dates). If the data is not there or cannot be associated with an individual’s record, then its security and privacy are preserved. Why leave your clients’ information at risk?
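To make the two strategies concrete, here is an added example in Python (not code from the original post or from Capsicum Group). It drops the direct identifiers, replaces the member id with a keyed pseudonym so analysts can still join records without holding the real identifier, coarsens the quasi-identifiers named above, and then measures k-anonymity: if any combination of gender, zip and birth date is still unique, that record can be re-identified by linking, so the example suppresses records in groups smaller than k. The sample records are constructed, and the generalization rules (zip code to its first three digits, date of birth to year) are assumptions chosen for the demo, not rules stated in the post.

```python
"""De-identify member records: drop or pseudonymize direct identifiers,
generalize quasi-identifiers, then measure k-anonymity and suppress the
records that remain unique.

Added example, not code from the original post or from Capsicum Group.
Sample records are constructed; the generalization levels are assumptions.
"""
import hashlib
import hmac
from collections import Counter

DIRECT_IDENTIFIERS = {"name", "ssn", "account_number", "member_id"}
QUASI_IDS = ("gender", "zip", "dob")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed HMAC of an identifier: a stable join key for analysts that is
    not reversible without the key, which lives apart from the dataset."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def generalize(record: dict) -> dict:
    """Coarsen quasi-identifiers so exact values leave the dataset."""
    out = dict(record)
    if "zip" in out:
        out["zip"] = out["zip"][:3] + "**"   # three-digit zip prefix (assumption)
    if "dob" in out:
        out["dob"] = out["dob"][:4]          # year only; assumes YYYY-MM-DD input
    return out


def deidentify(record: dict, key: bytes) -> dict:
    """Remove direct identifiers, attach a pseudonymous link id, generalize."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["link_id"] = pseudonym(record["member_id"], key)
    return generalize(out)


def _qi_class(record: dict, quasi_ids) -> tuple:
    return tuple(record.get(q) for q in quasi_ids)


def k_anonymity(records, quasi_ids=QUASI_IDS) -> int:
    """Size of the smallest group sharing the same quasi-identifier values;
    1 means at least one record is still unique in the released data."""
    counts = Counter(_qi_class(r, quasi_ids) for r in records)
    return min(counts.values()) if counts else 0


def suppress_small_classes(records, k: int, quasi_ids=QUASI_IDS):
    """Drop records whose quasi-identifier group has fewer than k members."""
    counts = Counter(_qi_class(r, quasi_ids) for r in records)
    return [r for r in records if counts[_qi_class(r, quasi_ids)] >= k]


# Constructed sample records (fictional people and values).
SAMPLE_RECORDS = [
    {"name": "A. Example", "ssn": "000-00-0001", "member_id": "M-1001",
     "gender": "F", "zip": "19104", "dob": "1980-05-01", "diagnosis": "J45"},
    {"name": "B. Example", "ssn": "000-00-0002", "member_id": "M-1002",
     "gender": "M", "zip": "19104", "dob": "1980-11-23", "diagnosis": "E11"},
    {"name": "C. Example", "ssn": "000-00-0003", "member_id": "M-1003",
     "gender": "F", "zip": "19103", "dob": "1981-02-14", "diagnosis": "I10"},
    {"name": "D. Example", "ssn": "000-00-0004", "member_id": "M-1004",
     "gender": "M", "zip": "19147", "dob": "1980-03-09", "diagnosis": "J45"},
    {"name": "E. Example", "ssn": "000-00-0005", "member_id": "M-1005",
     "gender": "F", "zip": "19107", "dob": "1981-09-30", "diagnosis": "E11"},
]

if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice from a key manager, never in the dataset
    released = [deidentify(r, key) for r in SAMPLE_RECORDS]
    print("k after generalization:", k_anonymity(released))
    released = suppress_small_classes(released, k=2)
    print("k after suppression:", k_anonymity(released), "records:", len(released))
```

With these five records, generalization alone still leaves one unique (female, 191**, born 1980) row, so k is 1 and that row is suppressed before release; on a real dataset the choice is between suppressing such rows and generalizing further (for example birth year to a five-year band), and the k-anonymity check tells you whether either was enough.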

(4)    It is more cost-effective to be proactive in your system security rather than responsive.

Investing in proactive security measures is no longer a luxury – it is required. Preventative measures are invaluable. Penetration testing, for example, provides an offensive look at your computer network’s security. During a penetration test, Capsicum specialists emulate an intruder attempting to break into your system. Performing an “ethical hack” with the intent to find vulnerabilities to exploit allows us to pinpoint problem areas on your network.  The most recent Ponemon Institute analysis revealed that the average cost of a data breach in 2014 in the United States was $5.9 million. Even worse, the analysis determined that more customers terminated their relationships with companies that suffered a data breach in 2014 – and lost-business costs consequently increased from $3.03 million to $3.2 million.

As the reverberations of the Anthem hack continue to echo for all of its affected customers, the healthcare community is also reeling.  Hackers, cybercriminals, and data thieves are only ramping up their efforts to dig for the gold that exists in healthcare records; the Anthem hack illustrates why providers have no choice but to, in turn, ramp up their security efforts.  Hopefully, other industries will follow suit.