After Anthem, Diagnosing the Health of Data Security

By Rebekah Mintzer
February 28, 2015

Companies have begun to experience attempts to breach their databases on a frequent basis, and have had to become hypervigilant about protecting their networks against hackers. But once every couple of months, the bad guys get through the defense systems in a big and highly publicized way, showcasing data disaster for company and customers. This was the case in early February when Anthem Inc., the second-largest health insurance company in the U.S., announced it had been hacked, and up to 80 million current and former customers may be affected.

According to a letter by Joseph Swedish, Anthem's president and CEO, the attackers obtained personal information such as names, birthdays, Social Security numbers, street and email addresses, and employment information. Although no one knows who committed the cybercrime at present (it has been reported that the Chinese government is suspected; see “Chinese State-Sponsored Hackers Suspected in Anthem Attack,” Bloomberg.com), one thing is for sure: the damage is significant and the potential reach is staggering. And companies and their counsel should remember that if a hack such as this can happen to one of the country's biggest health insurers, it can happen to them too.

Jon Clay, senior manager of global threat communications at IT security company Trend Micro Inc., told e-Commerce Law & Strategy's ALM sibling CorpCounsel.com that even the most capable companies can be breached. “It's not like a mom-and-pop shop,” he said of Anthem. “They are very sophisticated, I'm sure. But the challenge we have is that the criminals are also very sophisticated, and they have a lot of time on their hands.”

Hackers, he pointed out, can launch hundreds of attacks on a company, and only one has to penetrate the network for them to succeed. Companies, on the other hand, have to defend against those incursions, and failing to stop just one can be devastating.

The Anthem attack certainly has inflicted enough damage. Although stealing a name or street address might not be so scary for customers, taking Social Security numbers is a different story. “The ability to leverage Social Security numbers in a criminal way is much higher than, let's just say, a credit card number,” said Clay.

And if tens of millions of Americans did in fact have their Social Security numbers stolen, they may have to try and change their numbers, certainly not an easy process.

Encryption

Another aspect of the hack pointed out by the Wall Street Journal and other outlets is that Anthem did not encrypt the stolen customer data. See http://on.wsj.com/17Nl1p6. Encryption would have made it more difficult for the criminals to understand and leverage the stolen data. So many might wonder: why not just encrypt everything in a network that could be sensitive?

The answer is that unencrypted data isn't just more appealing to hackers, it's also a lot easier for employees to use day-to-day. “The challenge that organizations have today is how much security you have to put around things and still be able to run a business and be productive,” Clay noted. “If everything had been encrypted and they had to go through a major process to get access to that data, and it's cumbersome, it defeats the purpose.” Companies like Anthem have to figure out what is a healthy balance between security and usability.

Regardless of encryption, it's important to note that whoever hacked Anthem did it through accessing an administrator's credentials, perhaps obtained in some kind of phishing attack, where hackers pretend to be a different person or company in order to pilfer logins and passwords. Clay said that when hackers get into systems using employees' credentials, this is often how it's done, so companies need to be wary and prepared. It's important to train employees to be aware of what sorts of e-mails or messages might be phishing, and how to be careful about what they click on.

Clay added that companies are catching on by increasingly investing in systems that track movement around networks. This allows them to identify and isolate abnormal or suspicious behaviors on the network, so that even when a hacker logs in as an “insider,” the company still has a chance to catch the thief. “The hackers today will get in,” he said, “but it's a question of how you can minimize their ability to move around your network and get to what they want to get to.”

Anthem is struggling with both the internal and public fallout of the data theft, but the company did catch a lucky break, at least from a legal perspective, in that medical data was reportedly not taken from its databases. Stealing personal medical information would have made the company liable under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which require certain notifications and impose potential liability when protected health information is breached.

And the feds are already keeping an eye on companies in the health care sector. Last spring, the FBI issued a warning that these companies were vulnerable to cyberattacks because of the highly sensitive nature of the data they store, and the fact that their defense systems might be less powerful than those in other sectors. See, “Exclusive: FBI Warns Healthcare Sector Vulnerable to Cyber Attacks,” Reuters.com. Anthem is the first big example of the FBI's predictions coming true, and the long-term effects of the break-in will be playing out in the weeks and months ahead.


Rebekah Mintzer writes for Corporate Counsel, an ALM sibling of e-Commerce Law & Strategy.

