The Anthem Breach: Another Wake Up Call

02/10/2015  |  By: Thomas Lewis, CISSP, CISA, QSA, Shareholder, Information Security

Target, Sony, Home Depot, J.P. Morgan and Staples. Big companies are big targets for data thieves, and now they’ve struck again. Last week, it was announced that an Anthem database was hacked, compromising a possible 80 million records. The subsequent investigation has revealed that the breach may have begun as far back as December 2014.

In 2014, according to Healthcare IT News, healthcare surpassed retail as the sector with the highest number of reported breaches. Not only is patient data at risk; intellectual property concerning drug discovery and medical devices in development is attractive to would-be data thieves. It should come as no surprise that it was a healthcare giant that was targeted in this most recent attack.

We are extremely concerned about this intrusion and the current trends towards healthcare data. This represents yet another large-scale attack that potentially puts millions of people’s identities—and possibly their finances—at risk.

Data Theft: A Big Business

Cyber theft is the new breed of organized crime, made up of large, international rings that profit from this illicit trade. The black market for personal information is a thriving one. And the data stolen from Anthem is evergreen: names, birthdates, Social Security numbers, and income. Sure, a breached company can offer free monitoring services for a year, which is helpful when your credit card has been stolen. But credit cards can be canceled and numbers can be changed. Names, birthdates and Social Security numbers can’t. Thieves can simply lay low for twelve months, and reemerge in month thirteen when the coast is clear.

Just imagine how useful it would be to have annual income for each of the members whose records have been lifted. Makes it a lot easier to know whose identity you want to steal, doesn’t it? A simple sort by income can easily help the hackers target their most profitable victims. If you are ‘chosen,’ quite a bit of damage can be done before you’re even aware that someone is out there posing as you: running up a new credit card bill, taking out a major loan in your name, or forging checks on your account.

To date, it appears that the data breached at Anthem does not include electronic protected health information (ePHI). This is good news, as patient data is a hot commodity on the black market. But cyber thieves don’t need ePHI to commit medical fraud. All it takes is your name, Social Security number and date of birth to obtain medical care or purchase prescriptions. And should the wrong information be posted to your medical records, the results could be catastrophic.

The endless possibilities for personal ruin here are daunting, and as the threat environment becomes more ominous, security controls need to be adjusted to reflect the new world order.

What We Can Learn From Anthem

To be clear, we want to applaud Anthem for their appropriate response. Upon discovering the breach, they initiated outreach to the FBI. (We’ve seen cases where the company only learns they’ve been breached when the FBI or another outside entity notifies them.) Anthem President and CEO Joseph Swedish released a public statement, and the company immediately launched a website for members to go to for information.

What the public may not appreciate is how the breach was discovered, and what it says about Anthem. Apparently, a suspicious query to the database alerted someone in the IT department. Frighteningly, this type of anomaly often goes undetected in many healthcare entities, and the company’s swift response indicates that Anthem takes monitoring seriously, a commitment that many don’t have.
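One way a database-activity monitor can surface that kind of query, as an added example that is not from this post, from LBMC or from Anthem: it parses constructed audit records (a hypothetical log format, not any vendor's) and flags reads whose row volume is far outside the account's usual baseline, or that pull sensitive columns with no filtering clause at all.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample audit records (hypothetical format, not real logs):
# timestamp, database account, rows returned, and the statement text.
AUDIT_LINES = [
    "2015-01-12T09:14:02 user=claims_app rows=1 sql=SELECT name, dob FROM members WHERE member_id = 1001",
    "2015-01-12T09:15:40 user=claims_app rows=1 sql=SELECT name, dob FROM members WHERE member_id = 1002",
    "2015-01-13T10:02:11 user=report_svc rows=250 sql=SELECT state, COUNT(*) FROM members GROUP BY state",
    "2015-01-14T11:30:05 user=claims_app rows=3 sql=SELECT name, dob FROM members WHERE last_name = 'Smith'",
    "2015-01-20T14:07:19 user=report_svc rows=260 sql=SELECT state, COUNT(*) FROM members GROUP BY state",
    "2015-01-27T03:41:55 user=report_svc rows=80000000 sql=SELECT name, dob, ssn, income FROM members",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) rows=(?P<rows>\d+) sql=(?P<sql>.+)$")
SENSITIVE_COLUMNS = {"ssn", "dob", "income"}  # identity data the post calls "evergreen"

def parse_audit(lines):
    """Parse audit lines into dicts; malformed lines are skipped so one bad record cannot stall the monitor."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "user": m["user"], "rows": int(m["rows"]), "sql": m["sql"]})
    return events

def selected_columns(sql):
    """Return the lower-cased column names between SELECT and FROM (sufficient for flat audit text)."""
    m = re.match(r"^\s*SELECT\s+(.*?)\s+FROM\b", sql, re.IGNORECASE | re.DOTALL)
    return {c.strip().lower() for c in m.group(1).split(",")} if m else set()

def find_suspicious_queries(events, volume_factor=50, min_rows=1000):
    """Flag reads far above the account's median row count, or unfiltered reads of sensitive columns."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e["rows"])
    baseline = {user: median(rows) for user, rows in per_user.items()}
    flagged = []
    for e in events:
        reasons = []
        if e["rows"] >= min_rows and e["rows"] > volume_factor * baseline[e["user"]]:
            reasons.append("row volume %d far above account median %d" % (e["rows"], baseline[e["user"]]))
        sensitive = selected_columns(e["sql"]) & SENSITIVE_COLUMNS
        if sensitive and not re.search(r"\bWHERE\b", e["sql"], re.IGNORECASE):
            reasons.append("unfiltered read of sensitive columns: " + ", ".join(sorted(sensitive)))
        if reasons:
            flagged.append((e["ts"], e["user"], reasons))
    return flagged
```

Only the bulk export of name, dob, ssn and income is flagged; the routine per-member lookups and the aggregate reports pass, which is the signal-to-noise a monitoring team needs before a human will act on an alert.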

No one can ensure that their data is 100% safe. Anthem is a good example of this: they likely have a highly sophisticated control environment, but they still fell victim to a serious breach. That said, if the industry at large would tighten controls, monitor systems and draw up comprehensive response plans, we can all let the thieves know that we mean business, too.

Find out more about protecting your business from these types of data breaches in our free guide, Breach.

On LinkedIn or Twitter? Follow us on LinkedIn and on Twitter at @lbmcsecurity.

As featured on Nashville Medical News.