When I initially read the Joseph Swedish letter taking responsibility for the Anthem information security breach, I found it refreshing. Upon finishing the message, I thought he should be fired. I mean. In a similar situation, who shouldn’t?
More to the point, the third paragraph really got me:
“Anthem’s own associates’ personal information – including my own – was accessed during this security breach. We join you in your concern and frustration, and I assure you that we are working around the clock to do everything we can to further secure your data.”
Really? Didn’t we hear a similar message in 2010? When Anthem, known as WellPoint at the time, exposed over 600,000 records and was fined $1.7 million under HIPPA HITECH. I was under the impression they have been working around the clock since then.
Seriously, here’s the irony. Although shortly after Anthem reported the 2010 security breach, I changed providers. Regardless, my personal information was exposed in the most recent breach. In this case, severing my ties increased my vulnerability. And now for the really bitter pill to swallow, pun intended. Generally speaking that’s how institutions manage archived customer records. Particularly in healthcare IT, this statement holds true.
Healthcare IT Vulnerability Exposed
Let’s hope the most recent Anthem breach serves as an alarm for healthcare IT. To put the breach into perspective, let’s compare. Over the last decade, major health care breaches affected 40 million people. With Anthem, 80 million people are affected or twice the number of all previously reported incidents combined.
The Anthem security breach implications are especially serious for Healthcare IT, because of the information value. Unlike Target and the retail breaches over the last year, the compromised Anthem information included not only names, postal addresses, phone numbers and email, but also Social Security numbers, birthdates, employment details, and incomes.
Perhaps more so than other industries, healthcare IT operations are at a critical impasse. Often relying on legacy systems, healthcare IT organizations find their infrastructures relatively inadequate compared to other sectors. Generally speaking, health care organizations are considered "softer" targets compared to their counterparts in retail, banking, and transportation. Adding to the problem, health care organizations are experiencing shrinking technical staff making them more vulnerable than ever. Further complicating security, according to HIPAA HITECH law, health care companies are also liable for data breaches occurring in their vendors’ environments. That’s a hard pill to swallow.
Decoupling the Anthem Security Breach
Immediately after the security breach, Anthem came under criticism for failing to encrypt the compromised data. However, encryption would not have stopped the breach. When encryption credentials and keys are compromised, there’s no longer a safeguard. Cyber criminals with compromised administrator credentials, likely have access to encryption keys too.
When you consider the duration of time the cyber criminals spent inside of Anthem’s network, they had time to do pretty much whatever they wanted. Although Anthem states the security breach occurred beginning in December 2014, Brian Krebs points to cyber forensics indicating the breach started in April. Considering 80 million records were taken, the earlier date seems reasonable.
To prevent breaches companies must strictly control employee access to sensitive data. The security issue in many breaches relates to properly implementing and sustaining data access controls. Identity and access management puts safeguards in place to prevent compromised administrator credentials from taking hold for very long. At the very least, consider if Anthem required password resets to critical databases every thirty days. The perpetrator would be shut off within a month. The breach could have impacted 8 million customers and cost one eighth as much.
Identity Management Prevents an Anthem Security Breach
At a fraction of the estimated $100 million dollar clean up cost, Anthem could have deployed better identity and access management controls. With an identity management solution, their governance over database administrators, privileged accounts and users would make it more difficult for cyber criminals to operate. It would also shorten the period of time for breaches to spread.
An identity management system offers security controls that would have mitigated the impact to Anthem. These include the ability to:
- Enforce password expiration controls over administrators
- Apply two-factor authentication using tokens, SMS or other solutions
- Deactivate terminated accounts through automated controls
- Integrate IAM activities with a SIEM solution to allow better monitoring and response capabilities
- Automate transfers to prevent "grandfathering" access
- Automate approval workflows and routine governance
- Automate group membership and provisioning
- Receive alerts to unusual database activity
- Identify out-of-norm privileges
Instead of pondering the hypothetical, I can say with certainty Anthem won’t be the last. In all likelihood, other healthcare companies are already compromised and they just don’t know it. Similar to last year’s retail breaches, once one institution reveals it’s been compromised, upon investigation others in the same industry realize they were too.
Get the Top 10 Identity Manager Migration Best Practices Workbook
Start your migration from legacy software with the Top 10 Identity Manager Migration Best Practices Workbook. Use this workbook to think through your information security risk before you transition to next generation identity manager software.
