Anthem failed to encrypt data prior to cyber-attack

Encryption, which scrambles data so only authorized parties can read it, is considered the most effective way to achieve data security. Several data experts say the lack of encryption made it easier for hackers to gain access to up to 80 million customer records including Social Security numbers, e-mail addresses and other personal information.

Anthem is the nation’s second-largest health insurer, operating Blue Cross and Blue Shield plans in 14 states. It was revealed this week that hackers stole millions of records on Anthem customers and employees, obtaining names, birthdays, addresses and Social Security numbers, though there is no sign that they accessed any medical records.

An Anthem spokeswoman said that the company, like other health insurers, only encrypts customer data when it's transferred in or out of its database, but uses "other measures, including elevated user credentials, to limit access to the data when it is residing in a database." She added that the government and employers require insurers to use Social Security numbers as unique identifiers for their customers.

Federal law says health insurers must "address" data encryption in their security protocol, but it's not mandated. For some companies, it comes down to a choice between added security and extra cost, though it's not clear whether encryption alone could have thwarted the attack on Anthem, since it was carried out with stolen employee credentials. The issue isn't exclusive to the healthcare industry, either; Sony Pictures didn't encrypt its data prior to a major cyber attack late last year.

The cyber attack on Anthem Inc. underscores the need for companies to review incident response plans and other measures to ensure they’re ready for the worst, says Patrick Nielsen, a senior security researcher with Kaspersky Lab. “Companies will learn the hard way to take security seriously or do it proactively,” he said.

For highly regulated industries, compliance alone may not be enough. Regulations are “very helpful,” Mr. Nielsen said, “but in a certain way they give a sort of false sense of security.” Instead of checking the compliance box and calling it a day, CIOs can use the Anthem breach as yet another opportunity to increase focus on security at every level of their organizations. To address this, guidance will likely need to come from the CEO, board of directors and others at the top of the corporate totem pole. “It’s definitely one area where there’s a lot to be gained by saying ‘what are all the things we can do to strengthen security here,’ even if they don’t all apply to relevant legislation.”

Think about data retention

Nielsen noted that Anthem’s hacked databases included information about some former customers, and wondered why that data was still around. “Once they’re former members, it’s probably not necessary to keep that information around,” he said.
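The two controls discussed above, encrypting sensitive fields while they sit in the database and purging records of former members, can be shown together in a small model. The following is an added example written for this page, not Anthem's system or code from the article; the in-memory member table, the role name `claims_processor`, the sample members and dates, and the stdlib-only cipher (an HMAC-SHA256 keystream with encrypt-then-MAC, standing in for AES-GCM because the Python standard library has no AEAD) are all assumptions. It shows why encryption at rest protects against a copied table but not against a caller who presents valid credentials: the application decrypts for any authorized role, which is exactly the path stolen employee credentials take.

```python
"""Field-level encryption at rest plus a retention purge (illustrative model).

Assumptions: rows live in an in-memory list standing in for a member table; the
data-encryption key is held by the application tier and never stored with the
rows; the cipher is a toy stand-in for AES-GCM built from HMAC-SHA256.
"""
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style keystream from HMAC-SHA256 (toy stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    # Derive separate encryption and MAC keys from the single data key.
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def encrypt_field(key: bytes, plaintext: str) -> bytes:
    """Return nonce || ciphertext || tag; the tag covers nonce and ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)          # fresh per row, so equal SSNs differ
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_field(key: bytes, blob: bytes) -> str:
    """Verify the tag before decrypting; reject a tampered row or a wrong key."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext tampered or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()


class MemberStore:
    """Stands in for an insurer's member table; the SSN column holds only ciphertext."""

    def __init__(self, data_key: bytes):
        self._key = data_key                 # lives in the app tier, not in the table
        self._rows = []

    def add_member(self, name: str, ssn: str, member_until: str) -> None:
        # member_until is an ISO date string (assumption), so string order is date order.
        self._rows.append({"name": name,
                           "ssn_enc": encrypt_field(self._key, ssn),
                           "member_until": member_until})

    def raw_dump(self) -> list:
        """What someone copying the table without the key would obtain."""
        return [dict(r) for r in self._rows]

    def read_ssn(self, name: str, caller_role: str):
        """Application path: an authorized role gets plaintext back.
        Anyone holding valid credentials for that role, stolen or not, gets the same."""
        if caller_role != "claims_processor":
            raise PermissionError("role not allowed to read SSN")
        for r in self._rows:
            if r["name"] == name:
                return decrypt_field(self._key, r["ssn_enc"])
        return None

    def purge_former_members(self, today: str) -> int:
        """Retention control: drop rows whose membership ended before today."""
        before = len(self._rows)
        self._rows = [r for r in self._rows if r["member_until"] >= today]
        return before - len(self._rows)


if __name__ == "__main__":
    store = MemberStore(secrets.token_bytes(32))
    store.add_member("Ada", "123-45-6789", "2016-01-01")   # constructed sample data
    store.add_member("Bob", "987-65-4321", "2013-06-30")
    print("raw table rows:", store.raw_dump())
    print("authorized app read:", store.read_ssn("Ada", "claims_processor"))
    print("purged former members:", store.purge_former_members("2015-02-05"))
```

The raw dump never contains a plaintext SSN, so a copied table is useless without the application's key; the `read_ssn` path, by contrast, returns plaintext to any caller in the allowed role, which is the limitation the article raises about an attack carried out with stolen credentials. The purge step removes what an attacker could otherwise still take from rows that no longer serve a purpose.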

Sources: Forbes, The Verge, WSJ
