Monday, February 23, 2015

Was the Anthem Data Breach "Sophisticated"?

Anthem CEO Joseph R. Swedish apologized to Anthem members immediately after the December 2014 data breach was made public, saying "Anthem was the target of a very sophisticated external cyber attack." Swedish continued, in what may become a model for such apologies:
Anthem’s own associates’ personal information – including my own – was accessed during this security breach. We join you in your concern and frustration, and I assure you that we are working around the clock to do everything we can to further secure your data.

It's a nice trick to have the CEO of a major healthcare payer -- a man whose total compensation package for fiscal 2013 was $16,979,927 -- come across as one of us, just another victim of cybercrime.

But was the Anthem hack really a sophisticated attack?

Dan Munro
at Forbes quotes security analyst Ken Westin:

Because it was clearly pre-meditated and because the attackers spent time identifying the vulnerabilities, it definitely qualifies as well executed, but once the initial intrusion was successful, they didn’t have too far to look. By gaining admin credentials to the database there was nothing ‒ including encryption ‒ to stop the attack. The only thing that did stop it was a lucky administrator who happened to be paying attention at the right time.

There is some speculation that the initial breach at Anthem occurred much earlier than the December 2014 public announcement, perhaps as early as April 2014, and that it was a result of the Heartbleed Bug.

Munro also discusses the earlier CHS and Sony hacks, noting that they too were described as sophisticated or "unprecedented" attacks, and that numerous security analysts had thrown cold water on those descriptions. Let's face it: no board of directors is going to say that they were victims of an attack that a five-year-old could have perpetrated. The PR front likely bears little resemblance to what is going on behind closed doors, where damage is being assessed, and governance, risk management and compliance are being reassessed.

There are always the nagging questions: What should you have known? When should you have known it? Did you exercise due diligence?

I once heard an auditor defined as the person who walks onto a battlefield after the battle is over and bayonets the wounded. I'm not sure that's an apt description of an auditor, but it's a pretty good description of the audited. 

Tuesday, February 10, 2015

Anthem Data Breach and Due Diligence

Anthem is the second-largest health insurance company in the US, and when they reported being hacked recently, it was estimated that the healthcare information (and identities) of 1 in 4 Americans was compromised -- that's more than 80 million. To put that in perspective, in the decade previous to this breach, the HHS "wall of shame" identifies approximately 40 million identities compromised in breaches. The Anthem breach compromises twice as many identities as all other breaches combined.

The breach was detected on Jan. 27 and announced on Feb. 4. By Feb. 6, there had already been four lawsuits launched against anthem, alleging they "did not take adequate and reasonable measures to ensure its data systems were protected."

I mentioned in an earlier post that healthcare data breaches are quite lucrative for the criminal elements perpetrating or benefitting from them. I should also mention that data breaches in general are quite expensive to the organizations breached as well.

One estimate has Anthem on the hook for $100 million to $200 million just to fix vulnerabilities and/or damage done. However, costs may be much higher depending on whether Anthem can demonstrate due diligence. Most security experts regard data breaches as inevitable, but the investigation of data breaches by regulatory authorities will judge whether Anthem did their best to prevent the breach, and to minimize its impact. If they didn't, HIPAA enforcement come into play. A finding against Anthem by the HHS Office for Civil Rights (OCR) could also open the door to more lawsuits.

In May, 2013, a study sponsored by Symantec and carried out by Ponemon Institute LLC estimated the cost of data breaches in the US to be approximately $188 per identity compromised. I'll let you do the math on that with regard to the Anthem data breach. Let's hope they can find economies of scale.

Of course, performing due diligence and demonstrating due diligence to an auditor are two different things. Whatever your regulatory requirements are, will you be ready for the auditor?