Anthem’s recent data breach reveals some things Anthem did right – and some it did wrong. Other enterprises can learn from its actions.
By Phillip Britt | Posted February 12, 2015
The full fallout from a data breach at Anthem, which affected the records of 80 million current and former customers of the health care insurer, won’t be learned for several months or perhaps even years. Hackers had access to personally identifiable information (PII) including medical identification and Social Security numbers.
But the cyberattack did highlight important lessons for other enterprises that retain customer data:
Notify as Quickly as Possible
“Anthem has been very transparent about the breach,” said Christopher Hines, threat assessment manager for Campbell, Calif.-based Bitglass, a cloud and mobile security firm. “They brought in [threat forensics and cybersecurity firm] FireEye to determine where in the system the breach happened and got the FBI involved right away.”
Hines pointed out that Anthem discovered and announced the early December breach in late January, a much quicker discovery and notification of the hack than happened with earlier breaches of Target and Home Depot. He credited the quicker discovery to improved monitoring, which he recommends for other enterprises.
Timely disclosure of data breaches is usually in the best interest of both the organization that suffered the data breach, and the individuals whose data has been compromised, said Mike Paquette, vice president of security products at Framingham, Mass.-based Prelert. “Anthem deserves credit for quickly notifying law enforcement and the public about a breach they reportedly discovered just last week.”
Bring Legal, PR on Board with IT
Mark Shelhart, the senior manager of forensics and incident response in the security and compliance practice of Sikich LLP, Naperville, Ill., said Anthem did the right thing by coming out immediately after the breach was discovered, even though the company has yet to uncover all of the details, which is often what IT might prefer.
“You cannot let IT drive the incidence response process,” Shelhart said. “You need to bring legal, IT and PR together. IT is not trained to talk [to the media or to customers]. IT might want to close everything up, but legal might need access to some things for several years.”
Echoing Hines and Paquette, Shelhart emphasized that companies should make the initial notifications as soon as possible, then release more details as they become available.
Monitor System Anomalies
The breach once again points out the need for enterprises to closely monitor any indications of system intrusion, Shelhart added. “You need to do a good job of following through on all the blips that come through in the night. Some companies spend a lot of money on shiny tools, but haven’t fixed the core issues.”
Watch Network Admin Activity
The Anthem attack targeted network administrators. They have more network rights and permissions than the typical worker. Sometimes they also have the ability to get through firewalls, data encryption or other embedded network protection.
So some enterprises are starting to use “identity-based threat detection models” that more quickly detect account usage patterns that are out of the norm, according to Saryu Nayyar, CEO of Gurucul, Los Angeles. Companies are also increasingly using self-audit capabilities to empower end users to monitor their own activity, she noted, enabling them to report any anomalies to the company earlier than would be likely through more common IT auditing/monitoring practices.
Use Encryption, Data Masking
Hines and several other security experts faulted Anthem for failing to encrypt data, which is important for any company collecting and retaining personally identifiable information. Hines recommends using searchable encryption, which enables authorized users to quickly search encrypted data.
Kevin Duggan, CEO of Camouflage, St. John’s, Newfoundland, Canada, recommends data masking, which removes sensitive information by applying sophisticated data transformation techniques to non-production environments.
Give Customers Advice They Can Use
Earning back the trust of customers may be one of the hardest things to accomplish after a breach. Though Anthem, Target and others who have been breached offer credit monitoring services, there are other steps enterprises can take to help re-establish trust with customers and to aid them in protecting themselves from fraud, said Lysa Myers, security researcher for ESET, a San Diego, Calif.-based maker of computer security products.
The first step would be a communique directing customers to the Federal Trade Commission’s advice on repairing identity theft, she suggested.
Though Anthem says personal medical information wasn’t compromised, enough personally identifiable information was that hackers or someone they sell the information to could theoretically use it for medical fraud – seeking tests and other procedures under the name of the person whose identity was compromised. So Myers recommends that Anthem and other health care-related companies advise customers to carefully inspect all medical statements to ensure there are no charges or payments for any treatments that weren’t received or anything else out of the ordinary.
Similarly, breached enterprises should advise customers to be extra wary of phishing attacks – including the identification of what such an attack might entail – because phishing attacks typically spike after a major breach. The stolen data gives hackers a lot more information to use to appear to be a trusted company or person requesting personal information from the target. They might employ techniques such as sending email that seems to come from the customer’s bank seeking confirmation of a password, or a message that appears to be from a relative or other known person asking the victim to click on a link which will infect the computer with malware.