Not a Member? Get access to HR news and resources that you can trust.
Change can be scary, but deploying new HR software doesn't have to be.
Is your employee handbook ready for the New Year? With SHRM’s Employee Handbook Builder get peace of mind that your handbook is up-to-date.
Get the HR education you need without travel expenses or time out of the office.
We don’t just visit a city, we take it over. Join the HR community in NOLA -- June 18-21, 2017.
Experts say HR should be vigilant about protecting HR data, especially at rest
It’s being called the largest data-breach disclosure by a health care company ever.
As many as 80 million customers and the company’s employees have had their employment data, addresses, Social Security numbers, and birth dates stolen. According to news reports, the parent company of Blue Cross Blue Shield of Georgia, Anthem Inc., has already been sued over the breach.
What’s more, thieves are now trying to scam the victims further via e-mail and by telephone, claiming to be Anthem and asking victims to provide additional information either over the phone or by clicking on bogus links in e-mails.
Following the revelation Feb. 5, 2015, of the massive data breach at Anthem, the country’s second-largest health insurer, security experts contacted by the Society for Human Resource Management (SHRM) say this breach should prompt HR professionals tasked with securing personal health information to seek tougher security measures—especially for data at rest.
Reached via e-mail Monday, Feb. 9, 2015, Anthem’s Public Relations Director Gene Rodriguez told
SHRM Online that “Anthem’s database was accessed after logon information for database administrators had been compromised. Because an administrator’s credentials were compromised, additional encryption would not have thwarted the attack.” Rodriguez added that the company’s communications department “has worked very closely with Anthem HR to effectively inform its own associates of the cyberattack and subsequent scam e-mails. Not only did Anthem issue a press release to inform those impacted of potential scams that have popped up, but Anthem sent internal communications warning of the phishing e-mails,” Rodriquez said.
In a news release about the breach, the insurer said that the hackers “gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/Social Security numbers, street addresses, e-mail addresses and employment information, including income data.
“Once the attack was discovered, Anthem immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation,” the release stated. The company is also working with a cybersecurity firm “to evaluate our systems and identify solutions based on the evolving landscape.”
Diligence Required by HR over Breaches
Several security experts reached by
SHRM Online Monday said that while breaches of this nature are increasing and may be unavoidable, the extent of the Anthem breach was unnecessary given the many ways technology can be deployed to lessen a breach’s impact. The Anthem breach may have been the work of Chinese hackers and may have actually began in April 2014.
“This is a wake-up call for companies who need to stop relying solely on what the information security industry refers to as ‘knowledge-based authentication’: things people know—and can be stolen—such as their password,” said Ryan Wilk, director, customer success, NuData Security, a software development company. “The majority of the Internet relies on only an e-mail and password in order for a user to login to one of their online accounts for banking or shopping.”
That has to stop, experts say.
to two-factor or two-step authentication—which uses a separate rotating set of numbers from a security key supplied by an app or another device, “most secure firms have begun to additionally use ‘behavioral biometrics’ to protect their users from fraud,” Wilk said. “Behavioral biometrics understands users’ unique behaviors, allowing companies to distinguish between the real user and an imposter. Companies using this stop thousands of fraud attempts each month that previously were undiscovered,” Wilk said.
“The fact that Anthem didn’t encrypt their data at rest and only in transit is concerning in and of itself,” said
Malte Pollmann, CEO of Utimaco, which makes hardware-based security solutions. “But the critical element of this breach and any other breach is that any data, both encrypted and not, will at certain points in any normal data processing be visible and accessible. The one critical element to contain the impact of a breach lies in the manner with which the key to the encrypted data is stored and managed,” Pollmann said.
Critics say the health care industry has been slow in keeping such personal information secure but that has to change—especially for an industry that keeps such vulnerable information and because
HR departments are tasked by law to keep such information safe.
Industry Slow to Protect Data
“The health care industry is notoriously slow in embracing innovation in security,” said Asaf Cidon, CEO of cloud security company Sookasa, in an interview with SHRM. “Reliance on outmoded systems and inconveniencing employees—who are bound to find workarounds despite what IT recommends—is putting data at risk,” he said. “What’s more, it strikes me that health care providers are so focused on checking the box for HIPAA [Health Insurance Portability and Accountability Act of 1996] compliance that they aren’t concerned enough about real, robust security—after all, there is a difference between compliance and security.
“And as the FBI noted in a warning last year, health care companies are increasingly going to be targets for hackers. Rather than accept this inevitability, it’s time that they implement real defenses,” Cidon said.
From biometrics and two-factor authentication to secure military radio frequency (RF) wireless technologies, there are myriad ways to protect data at rest, experts say.
“HR departments and HR IT professionals need to recognize that the Internet is under siege with criminals and nation-states working to access … data,” Robert Twitchell, an expert on Department of Defense cyber warfare, told
“To counter these threats and ensure that breaches like this don’t occur again, HR needs to recognize the value of the data it holds and the reasons why it’s valuable to the attacker. They then need to protect … data-at-rest and data-in-motion. They should consider examining and deploying techniques traditionally used to secure military RF communications: techniques that augment encryption capabilities and add variability to the process to raise the difficulties and costs associated with collecting such data. Make it expensive enough and difficult enough and the hacker will find a different target,” Twitchell said.
There are several additional steps HRIT professionals can undertake to “minimize the
chances of a breach like what happened at Anthem,” said Joseph Steinberg, an information security expert who has worked on data security for more than 100 hospitals. Steinberg is
CEO of Green Armor Solutions.
Those steps include:
Anthem has set up a website,
www.anthemfacts.com, to address concerns.
Aliah D. Wright is an online editor/manager for SHRM.
You have successfully saved this page as a bookmark.
Please confirm that you want to proceed with deleting bookmark.
You have successfully removed bookmark.
Please log in as a SHRM member before saving bookmarks.
Your session has expired. Please log in again before saving bookmarks.
Please purchase a SHRM membership before saving bookmarks.
An error has occurred
Recommended for you
SHRM Annual Conference & Exposition
SHRM’s HR Vendor Directory contains over 3,200 companies