Lessons Learned from Anthem Data Breach

It’s being called the largest data-breach disclosure by a health care company ever.

As many as 80 million customers and the company’s employees have had their employment data, addresses, Social Security numbers, and birth dates stolen. According to news reports, the parent company of Blue Cross Blue Shield of Georgia, Anthem Inc., has already been sued over the breach.

What’s more, thieves are now trying to scam the victims further via e-mail and by telephone, claiming to be Anthem and asking victims to provide additional information either over the phone or by clicking on bogus links in e-mails.

Following the revelation Feb. 5, 2015, of the massive data breach at Anthem, the country’s second-largest health insurer, security experts contacted by the Society for Human Resource Management (SHRM) say this breach should prompt HR professionals tasked with securing personal health information to seek tougher security measures—especially for data at rest.

Reached via e-mail Monday, Feb. 9, 2015, Anthem’s Public Relations Director Gene Rodriguez told SHRM Online that “Anthem’s database was accessed after logon information for database administrators had been compromised. Because an administrator’s credentials were compromised, additional encryption would not have thwarted the attack.” Rodriguez added that the company’s communications department “has worked very closely with Anthem HR to effectively inform its own associates of the cyberattack and subsequent scam e-mails. Not only did Anthem issue a press release to inform those impacted of potential scams that have popped up, but Anthem sent internal communications warning of the phishing e-mails,” Rodriquez said.

In a news release about the breach, the insurer said that the hackers “gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/Social Security numbers, street addresses, e-mail addresses and employment information, including income data.

“Once the attack was discovered, Anthem immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation,” the release stated. The company is also working with a cybersecurity firm “to evaluate our systems and identify solutions based on the evolving landscape.”

Diligence Required by HR over Breaches

Several security experts reached by SHRM Online Monday said that while breaches of this nature are increasing and may be unavoidable, the extent of the Anthem breach was unnecessary given the many ways technology can be deployed to lessen a breach’s impact. The Anthem breach may have been the work of Chinese hackers and may have actually began in April 2014.

“This is a wake-up call for companies who need to stop relying solely on what the information security industry refers to as ‘knowledge-based authentication’: things people know—and can be stolen—such as their password,” said Ryan Wilk, director, customer success, NuData Security, a software development company. “The majority of the Internet relies on only an e-mail and password in order for a user to login to one of their online accounts for banking or shopping.”

That has to stop, experts say.

In addition to two-factor or two-step authentication—which uses a separate rotating set of numbers from a security key supplied by an app or another device, “most secure firms have begun to additionally use ‘behavioral biometrics’ to protect their users from fraud,” Wilk said. “Behavioral biometrics understands users’ unique behaviors, allowing companies to distinguish between the real user and an imposter. Companies using this stop thousands of fraud attempts each month that previously were undiscovered,” Wilk said.

“The fact that Anthem didn’t encrypt their data at rest and only in transit is concerning in and of itself,” said Malte Pollmann, CEO of Utimaco, which makes hardware-based security solutions. “But the critical element of this breach and any other breach is that any data, both encrypted and not, will at certain points in any normal data processing be visible and accessible. The one critical element to contain the impact of a breach lies in the manner with which the key to the encrypted data is stored and managed,” Pollmann said.

Critics say the health care industry has been slow in keeping such personal information secure but that has to change—especially for an industry that keeps such vulnerable information and because HR departments are tasked by law to keep such information safe.

Industry Slow to Protect Data

“The health care industry is notoriously slow in embracing innovation in security,” said Asaf Cidon, CEO of cloud security company Sookasa, in an interview with SHRM. “Reliance on outmoded systems and inconveniencing employees—who are bound to find workarounds despite what IT recommends—is putting data at risk,” he said. “What’s more, it strikes me that health care providers are so focused on checking the box for HIPAA [Health Insurance Portability and Accountability Act of 1996] compliance that they aren’t concerned enough about real, robust security—after all, there is a difference between compliance and security.

“And as the FBI noted in a warning last year, health care companies are increasingly going to be targets for hackers. Rather than accept this inevitability, it’s time that they implement real defenses,” Cidon said.

From biometrics and two-factor authentication to secure military radio frequency (RF) wireless technologies, there are myriad ways to protect data at rest, experts say.

“HR departments and HR IT professionals need to recognize that the Internet is under siege with criminals and nation-states working to access … data,” Robert Twitchell, an expert on Department of Defense cyber warfare, told SHRM Online.

“To counter these threats and ensure that breaches like this don’t occur again, HR needs to recognize the value of the data it holds and the reasons why it’s valuable to the attacker. They then need to protect … data-at-rest and data-in-motion. They should consider examining and deploying techniques traditionally used to secure military RF communications: techniques that augment encryption capabilities and add variability to the process to raise the difficulties and costs associated with collecting such data. Make it expensive enough and difficult enough and the hacker will find a different target,” Twitchell said.

Additional Steps

There are several additional steps HRIT professionals can undertake to “minimize the

chances of a breach like what happened at Anthem,” said Joseph Steinberg, an information security expert who has worked on data security for more than 100 hospitals. Steinberg is CEO of Green Armor Solutions.

Those steps include:

• Encrypting all sensitive data on all computers and mobile devices. “If you are not sure if something is sensitive, it probably is,” he said. “Criminals know how to utilize information to commit identity theft or steal a business’s customers. All sensitive data not in use should remain encrypted. For example, he said, there is encryption built into the pro versions of Windows—it’s just a matter of turning it on.
• Giving people access to only the data that they need to do their jobs. “Such a policy means that in many cases if someone’s account is breached, only a limited subset of data will leak.”
• Using Internet security software on computers and mobile devices. Otherwise, “there is a lot of sensitive information that can be stolen pretty easily,” Steinberg said, adding that tech security companies Symantec and Lookout provide security packages for smartphones and tablets.
• When using social media, make sure not to post anything that will leak sensitive information about your company. “Tools like www.SecureMySocial.com can warn you if you (or any of your employees) post something that you should not. This can have other HR benefits as well,” Steinberg said.
• Being skeptical. “If anyone ever calls you from your bank, a supplier, a partner firm, etc., to speak about your account, do not speak with them,” he said. Anthem advised its customers and employees that it would contact them about the cyberattack via mail delivered by the U.S. Postal Service with specific information on how to enroll in credit monitoring. Affected individuals will also receive free credit monitoring and identification protection services, the company stated.
• Having a security audit conducted by a professional. “These need not be very expensive, especially for smaller businesses with limited numbers of computers, and the findings can be invaluable in preventing breaches,” Steinberg said. “If you would not use a surgeon or lawyer with just a few years of experience, you should not risk your organization on security amateurs. Experience counts.”

Anthem has set up a website, www.anthemfacts.com, to address concerns.

Aliah D. Wright is an online editor/manager for SHRM.