
Anthem Breach Puts Data Security in the Spotlight, Again

By Scott Mace (smace@healthleadersmedia.com) | February 10, 2015

But will the massive data breach really signal that business as usual is over when it comes to healthcare data security?

That sound you hear is last week's breach of 80 million member and employee records from Anthem sucking all the oxygen out of the healthcare IT conversation.

Anthem faces at least $100 million to $200 million in costs to fix the harm done by unknown criminal hackers who managed to exfiltrate the names, Social Security numbers, and income data of customers and employees.

That financial liability could go much higher. USA Today reports that attorneys have filed lawsuits in four states: Indiana, California, Alabama and Georgia. Others are certain to follow.

But will the breach really signal that business as usual is over when it comes to healthcare data security? Less than two months ago, I highlighted the cautionary end-of-year advice of a variety of security firms, all hopeful that past breaches at Sony, Home Depot, Target, and Community Health Systems had served as healthcare's wake-up call. But not so fast, apparently.

Anthem may have had appropriate safeguards in place, and if so, will not face civil penalties. But it is far from clear that appropriate safeguards were in place. Consider the following:

  • More than 90% of data breaches in the first half of 2014 were preventable, according to the Online Trust Alliance.
  • Anthem (then WellPoint) was fined $1.7 million by HHS over a 2010 breach that affected 612,000 people.
  • One report offers evidence that the Anthem breach began as early as April 2014. That would mean the attackers had months of undetected access, the hallmark of an advanced persistent threat (APT). More on that in a second.

As in December, security experts quickly jumped in last week to offer the press a range of explanations and speculation. One such firm, Cigital, has admirers well beyond healthcare, having consulted for financial institutions, insurance companies, and other IT heavy hitters.

Last Friday, I asked Cigital internal CTO John Steven whether he thought the Anthem breach had the earmarks of an APT. His answer: maybe, but it may be more complicated than that.

More than 80% of the attacks organizations face are at the application level. That means the attacker has not only mapped the target company's network but has identified specific applications and is attacking them directly, exploiting flaws in the way each application is built rather than in the network perimeter around it.

"Many of these applications were never written with security hygiene in mind, so they're able to be penetrated without [APT] kind of persistence" or the backing of a rogue nation-state that APT often can require, Steven says.

Cigital itself retains Anthem as its health insurer. "Given the complexity of operations in the healthcare industry and the variety of regulations, which focus heavily on identity and access management, an enormous amount of resources are spent on security architecture," Steven says.

"As a result, successful attacks on healthcare organizations are even more surprising than attacks on retail or other industries.

"Organizations should focus more time and attention on hardening key systems rather than blanketing their entire portfolio with commodity assessments. Counter the threat with the correct weapon: SaaS scans aren't ever going to stop concerted attackers."

A lot of initial reaction focused on the possibility that Anthem did not encrypt its data, trusting it to be protected behind a firewall. But access control is the game these days. Steven notes that an encrypted laptop is still prey to wholesale data exfiltration if the attacker is able to guess its password: encryption at rest protects data on a stolen or powered-off device, but once a legitimate user, or someone holding that user's credentials, is logged in, the data is decrypted transparently for whatever that account is allowed to read.

Some media accounts suggest some Anthem employees were phished: fed bogus emails that sent them to Web pages that delivered malicious payloads to the employees' computers. Those payloads could well have included keyloggers that captured logins and passwords. Once in, the attackers were effectively logged in as those employees, and at that point held access privileges broad enough to grab and exfiltrate entire databases.

Even if Anthem didn't have these problems, too many companies have yet to institute fine-grained, role-based access controls that limit the damage a keylogger can do. Such controls could, for example, restrict lower-level employees from viewing medical records they are not entitled to or expected to see, so that a stolen password yields only what that employee's role can legitimately reach.

On the provider side, team-based care makes it difficult for employee access to be so restricted, says George McCulloch, executive vice president of membership and professional development at CHIME. McCulloch, former deputy CIO at Vanderbilt, is also CHIME's point staff person during the formation of the Association for Executives in Healthcare Information Security (AEHIS), which launched last year.

"We're seeing a lot of breaches where people inside, either people that are not happy at their jobs, they disclose information, or, in a lot of cases, [launch] spear phishing attacks," McCulloch says. "It's a very challenging environment. There are lots of threats. There are a lot of holes to plug. And it's a question of people, process, and technology."

As McCulloch talks to CISOs around the U.S., a common theme he's finding is that they lack adequate funding to acquire security technology and the qualified people to manage that technology.

"The other big component is education of employees about things they should and shouldn't do, particularly if it's a phishing attack or something from the outside," he says.

With some CIOs—including Anthem's, according to one report I read—lacking deep security experience, more health systems are hiring CISOs to oversee implementation of the finer-grained access controls needed to protect against sophisticated attacks, yet still permit free flow of information between authorized users and patients.

Ultimately, a combination of algorithms and alert security personnel will look more closely for unusual data access patterns, the weak signals that mark the beginning of an APT and a prolonged breach, McCulloch says.
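The two controls the column keeps returning to, role-based access that limits what a stolen password can read and monitoring for unusual access volumes, are easy to show together. The following is an added example, not code from the article, Anthem, or Cigital; the roles, fields, threshold, member record and access log in it are all constructed for illustration.

```python
"""Added example (not from the article or any vendor it quotes).

(1) Least-privilege, role-based field access: a keylogged password for a
    claims clerk still cannot read the SSN or income columns.
(2) A detector for unusual data-access patterns: one account touching far
    more distinct member records in an hour than its job would require.

Roles, fields, thresholds and the access log are assumptions for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical role -> fields that role may read. No single role sees every
# field, and the DBA role, which operates the database, reads no member PII.
ROLE_FIELDS = {
    "claims_clerk": {"name", "policy_id"},
    "underwriter": {"name", "policy_id", "income"},
    "hr_payroll": {"name", "ssn", "income"},
    "dba": set(),
}


@dataclass(frozen=True)
class Member:
    member_id: str
    name: str
    policy_id: str
    ssn: str
    income: int


def may_read(role, fields):
    """True only if every requested field is in the role's allowed set."""
    return set(fields) <= ROLE_FIELDS.get(role, set())


def read_member(role, member, fields):
    """Return the requested fields, or refuse the whole request.

    Denying outright (rather than silently dropping fields) gives an intruder
    probing with a stolen account a loggable refusal instead of a partial answer.
    """
    if not may_read(role, fields):
        denied = sorted(set(fields) - ROLE_FIELDS.get(role, set()))
        raise PermissionError(f"role {role!r} may not read {denied}")
    return {f: getattr(member, f) for f in fields}


def flag_bulk_readers(log, window_minutes=60, threshold=50):
    """Return sorted (user, role, distinct_records) for accounts that read
    more than `threshold` distinct member records within one time window.

    `log` holds (minute_of_day, user, role, member_id) tuples. A production
    detector would derive thresholds per role from observed baselines; the
    fixed value here is an assumption.
    """
    seen = defaultdict(set)
    for minute, user, role, member_id in log:
        seen[(user, role, minute // window_minutes)].add(member_id)
    return sorted(
        (user, role, len(ids))
        for (user, role, _window), ids in seen.items()
        if len(ids) > threshold
    )


# Constructed access log: clerk_a works a normal queue of 12 members over an
# hour; clerk_b's account, driven by an intruder, sweeps 400 members in 40 minutes.
ACCESS_LOG = [(9 * 60 + 5 * i, "clerk_a", "claims_clerk", f"M{i:05d}") for i in range(12)]
ACCESS_LOG += [(13 * 60 + i // 10, "clerk_b", "claims_clerk", f"M{1000 + i:05d}") for i in range(400)]

# Constructed sample record (placeholder values, not real data).
SAMPLE_MEMBER = Member("M00042", "A. Example", "P-7781", "000-00-0000", 52000)

if __name__ == "__main__":
    print(read_member("claims_clerk", SAMPLE_MEMBER, ["name", "policy_id"]))
    try:
        read_member("claims_clerk", SAMPLE_MEMBER, ["name", "ssn"])
    except PermissionError as exc:
        print("denied:", exc)
    print("flagged:", flag_bulk_readers(ACCESS_LOG))
```

Run as a script, it shows a clerk's account reading the two fields its role needs, being refused the SSN column, and the detector flagging only the account that swept 400 records. The detector is deliberately simple; its value is that the flagged count is a signal a human can triage, which is the combination of algorithm and alert personnel McCulloch describes.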

The Anthem breach also comes at the very moment when healthcare appears to be about to embrace the cloud as other industries have done. While a company with Anthem's resources will probably continue to carry its own weight when it comes to security, many smaller hospitals may be less able to harden their data centers than established cloud-based service providers are.

After all, without security, cloud computing is a dubious value proposition. So I don't expect this particular breach to derail the move to the cloud, at least not just yet.

Moving forward, expect to see AEHIS, HITRUST and security consultants unleash a fresh wave of educational Webinars, in-person trainings, and peer-to-peer networking opportunities to share and spread best practices in secure computing.

On the software development side, this breach, or the next one, or the one after that, will finally bring the kind of secure coding mindset to healthcare IT that Microsoft learned the hard way more than a decade ago.

It just may be that grander technology ambitions of healthcare get put on hold for a similar period of time, until the industry gets this right.

Scott Mace is the former senior technology editor for HealthLeaders Media. He is now the senior editor, custom content at H3.Group.
