What are cyber security experts saying about the Anthem hack?

News of the Anthem cyberattack, which breached a database containing as many as 80 million records, has left members of the health insurance company concerned, and many more people are asking how this could possibly happen.

Cyber security experts in the field are speaking out about the breach:

Trent Telford, CEO, Covata:

“We do not know what they were after and we do not know what they plan to do with the data – what we do know is that they were after the data itself and it was left exposed and unsecured. The data was not encrypted making it a valuable target for thieves.

The impact of this data breach could be severely damaging for the members of Anthem. Health care providers hold verified personal information that can tell thieves almost anything they need to know about a person, including where they live, their phone number and email addresses and also their social security details. All of this data, in the wrong hands, can be sold on for profit, used to conduct Medicare fraud or indeed complete identity theft.

It is irresponsible for businesses not to encrypt the data. We have to assume the thieves are either in the house or are going to break in – they will always build a taller ladder to climb over your perimeter security – we must protect the data itself.

This has crossed the line. I have been telling businesses for years that they have to encrypt the data itself. This is now just irresponsible. As a business owner I pay the bills for my employees' health care service and I want to know their information is secure.”

John Steven, Internal CTO, Cigital:

“Given the complexity of operations in the healthcare industry and the variety of regulations, which focus heavily on identity and access management, an enormous amount of resources are spent on security architecture. As a result, successful attacks on healthcare organizations are even more surprising than attacks on retail or other industries.

Organizations should focus more time and attention on hardening key systems rather than blanketing their entire portfolio with commodity assessments. Counter the threat with the correct weapon: SaaS scans aren’t ever going to stop concerted attackers. Analyzing one’s architecture and hardening systems by building security in will.

The immediacy of the disclosure is also interesting. Companies are learning that the days of sitting on news are over and that delaying the news of your breach may impact your brand. Organizations are best served by getting out in front of breaches as soon as possible.”

Carl Wright, former CISO of the US Marines and TrapX Security general manager:

“Fortune 500 companies continue to spend millions of dollars on network perimeter firewalls, intrusion prevention and host level security technologies, but, as the Anthem, Sony, Target and J. P. Morgan breaches illustrate, the bad actors continue to get in.

Even more concerning, cyber criminals are now going after health care records because they hold up to ten times more value on the black market over simple credit card numbers. Unlike a credit card that can be quickly cancelled and reissued, medical health records contain social security numbers, personal addresses, medical conditions and contact information on other family members. This is information that can be used to steal someone’s entire identity.

The caliber of breaches we are seeing today shows that traditional security tools alone aren’t enough. Businesses must be as nimble as the attackers and be able to adapt in real time to defend against evolving threats. Our belief is that an additional layer needs to be inserted into the network security stack. And that layer should consist of proactive deception-based technology. Deception technology uses fake computers and fake data to trick hackers into believing they are actually inside a corporate asset when in reality they’re far from it. It is time for corporations and government entities to proactively deceive their adversaries by wasting the bad actors’ time and resources while at the same time significantly enhancing breach detection capabilities at an enterprise scale.”