Anthem failed to encrypt data prior to cyber-attack

Encryption, which scrambles data so only authorized parties can read it, is considered the most effective way to achieve data security. Several data experts say the lack of encryption made it easier for hackers to gain access to up to 80 million customer records including Social Security numbers, e-mail addresses and other personal information.

Anthem is the nation’s second-largest health insurer, operating Blue Cross and Blue Shield plans in 14 states. And it was revealed this week that the hackers have stolen millions of records on customers and employees at Anthem. The hackers obtained the names, birthdays, addresses, and social security numbers, though there is no sign that they accessed any medical records.

An Anthem spokeswoman said that the company, like other health insurers, only encrypts customer data when it's transferred in or out of its database, but uses "other measures, including elevated user credentials, to limit access to the data when it is residing in a database." She adds that the government and employers require insurers to use social security numbers as unique identifiers for their customers.

Federal law says health insurers must "address" data encryption in their security protocol, but it's not mandated. For some companies, it comes down to a choice between added security and extra cost, though it's not clear whether encryption alone could have thwarted the attack on Anthem, since it was carried out with stolen employee credentials. The issue isn't exclusive to the healthcare industry, either; Sony Pictures didn't encrypt its data prior to a major cyber attack late last year.
The cyber attack on Anthem Inc. underscores the need for companies to review incident response plans and other measures to ensure they’re ready for the worst, says Patrick Nielsen, a senior security researcher with Kaspersky Lab. “Companies will learn the hard way to take security seriously or do it proactively,” he said.

For highly regulated industries, compliance alone may not be enough. Regulations are “very helpful,” Mr. Nielsen said, “but in a certain way they give a sort of false sense of security.” Instead of checking the compliance box and calling it a day, CIOs can use the Anthem breach as yet another opportunity to increase focus on security at every level of their organizations. To address this, guidance will likely need to come from the CEO, board of directors and others at the top of the corporate totem pole. “It’s definitely one area where there’s a lot to be gained by saying ‘what are all the things we can do to strengthen security here,’ even if they don’t all apply to relevant legislation.”

Think about data retention Nielsen noted that Anthem’s hacked databases included information about some former customers, and wondered why that data was still around. “Once they’re former members, it’s probably not necessary to keep that information around,” he said.

Forbes:   The Verge:  WSJ

 

 

« Did the White House Use Drone Killing Technology?
UK Police: 'Innocent people' on unregulated photo database »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

bwtech@UMBC

bwtech@UMBC

The bwtech@UMBC Cyber Incubator is an innovative business incubation program that delivers business and technical support to start-up and early-stage cybersecurity/IT products and services companies.

Ignyte Assurance Platform

Ignyte Assurance Platform

Ignyte Assurance Platform™ is a leader in collaborative security and integrated GRC solutions for global corporations in Healthcare, Defense, and Technology.

ResponSight

ResponSight

ResponSight is a data science company focusing specifically on the challenge of measuring risk and identifying changes in enterprise/corporate networks using behavioural analytics.

th4ts3cur1ty.company

th4ts3cur1ty.company

th4ts3cur1ty.company specialize in delivering intelligence lead adversary emulation purple teaming & the bespoke building of Security Operation Centers.

National Centre for Cyber Security (NCCS) - Pakistan

National Centre for Cyber Security (NCCS) - Pakistan

National Centre for Cyber Security (NCCS) undertakes cyber security research and plays a leading role in securing Pakistan’s Cyberspace.

SOOHO

SOOHO

SOOHO helps to detect security vulnerabilities earlier. Our blockchain security platform audits from smart contracts to on-chain transactions.

6point6

6point6

6point6 is a technology consultancy with strong expertise in digital transformation, emerging technology and cyber security.

OAS Chain

OAS Chain

OAS Blockchain Renaissance Project presents three platforms that address the major challenges of public blockchain, private blockchain, and IoT security.

Depth Security

Depth Security

Depth Security assessment services provide organizations with real-world visibility into threats facing their infrastructure and applications.

Jitsuin

Jitsuin

Jitsuin enables developers with tools and services to build verifiable digital trust between organizations.

NetBlocks

NetBlocks

NetBlocks is a global internet monitor working at the intersection of digital rights, cyber-security and internet governance.

Halogen Group

Halogen Group

Halogen Group is the leading Security Solutions Provider in West Africa. Services encompass Physical Security, Electronic Security, Virtual & Cyber Security, Risk Assessments and Training.

VulnCheck

VulnCheck

VulnCheck helps organizations outpace adversaries with vulnerability intelligence that predicts avenues of attack with speed and accuracy.

Intel Ignite

Intel Ignite

Intel Ignite is an internationally renowned acceleration program for early-stage deep tech startups.

Silverse

Silverse

At Silverse, we specialize in building a comprehensive cybersecurity journey, anchored by our extensive experience, industry expertise, and an ecosystem of trusted partners.

Qevlar AI

Qevlar AI

Qevlar AI empowers SOC teams, to eliminate redundant tasks and refocus on what truly matters - making the most of every employee within the SecOps team.