Was the Anthem Data Breach "Sophisticated"?

Anthem CEO Joseph R. Swedish apologized to Anthem members immediately after the December 2014 data breach was made public, saying "Anthem was the target of a very sophisticated external cyber attack." Swedish continued, in what may become a model for such apologies:

Anthem’s own associates’ personal information – including my own – was accessed during this security breach. We join you in your concern and frustration, and I assure you that we are working around the clock to do everything we can to further secure your data.

It's a nice trick to have the CEO of a major healthcare payer -- a man whose total compensation package for fiscal 2013 was $16,979,927 -- come across as one of us, just another victim of cybercrime.

But was the Anthem hack really a sophisticated attack?

Dan Munro at Forbes quotes security analyst Ken Westin:

Because it was clearly pre-meditated and because the attackers spent time identifying the vulnerabilities, it definitely qualifies as well executed, but once the initial intrusion was successful, they didn’t have too far to look. By gaining admin credentials to the database there was nothing ‒ including encryption ‒ to stop the attack. The only thing that did stop it was a lucky administrator who happened to be paying attention at the right time.

There is some speculation that the initial breach at Anthem occurred much earlier than the December 2014 public announcement, perhaps as early as April 2014, and that it was a result of the Heartbleed Bug.

Munro also discusses the earlier CHS and Sony hacks, noting that they too were described as sophisticated or "unprecedented" attacks, and that numerous security analysts had thrown cold water on those descriptions. Let's face it: no board of directors is going to say that they were victims of an attack that a five-year-old could have perpetrated. The PR front likely bears little resemblance to what is going on behind closed doors, where damage is being assessed, and governance, risk management and compliance are being reassessed.

There are always the nagging questions: What should you have known? When should you have known it? Did you exercise due diligence?

I once heard an auditor defined as the person who walks onto a battlefield after the battle is over and bayonets the wounded. I'm not sure that's an apt description of an auditor, but it's a pretty good description of the audited. 

Anthem Data Breach and Due Diligence

Anthem is the second-largest health insurance company in the US, and when they reported being hacked recently, it was estimated that the healthcare information (and identities) of 1 in 4 Americans was compromised -- that's more than 80 million. To put that in perspective, in the decade previous to this breach, the HHS "wall of shame" identifies approximately 40 million identities compromised in breaches. The Anthem breach compromises twice as many identities as all other breaches combined.

The breach was detected on Jan. 27 and announced on Feb. 4. By Feb. 6, there had already been four lawsuits launched against anthem, alleging they "did not take adequate and reasonable measures to ensure its data systems were protected."

I mentioned in an earlier post that healthcare data breaches are quite lucrative for the criminal elements perpetrating or benefitting from them. I should also mention that data breaches in general are quite expensive to the organizations breached as well.

One estimate has Anthem on the hook for $100 million to $200 million just to fix vulnerabilities and/or damage done. However, costs may be much higher depending on whether Anthem can demonstrate due diligence. Most security experts regard data breaches as inevitable, but the investigation of data breaches by regulatory authorities will judge whether Anthem did their best to prevent the breach, and to minimize its impact. If they didn't, HIPAA enforcement come into play. A finding against Anthem by the HHS Office for Civil Rights (OCR) could also open the door to more lawsuits.

In May, 2013, a study sponsored by Symantec and carried out by Ponemon Institute LLC estimated the cost of data breaches in the US to be approximately $188 per identity compromised. I'll let you do the math on that with regard to the Anthem data breach. Let's hope they can find economies of scale.

Of course, performing due diligence and demonstrating due diligence to an auditor are two different things. Whatever your regulatory requirements are, will you be ready for the auditor?

Migration Webinar Today - Web Intelligence Update

When: Wednesday, October 15, 2014, 10 am / 4 pm EDT
Guest Presenter: Gregory Botticchio, Solution Manager, SAP

Our migration webinar series continues as SAP's Gregory Botticchio joins us to to provide an update on the latest news for Web Intelligence in SAP BusinessObjects BI 4.1. Gregory will discuss new and incremental features, and provide glimpse into coming capabilities. Join us to learn about:

• Performance improvements
• New customization capabilities
• Enhanced core capabilities

Register for this webinar...
Learn about other webinars in this series...

Webinar Today - Agile BI Platform Management at HP Enterprise Services

When: Oct. 1, 2014, 2 pm EDT - Today
Guest Presenter: Niladri Chowdhury, HP Enterprise Services
Register for the webinar. All registrants will receive a link to this and other recorded webinars.

Agility is now the defining quality for BI platform management, because the agile enterprise has become the norm, and an enterprise can only be as agile as its least agile component -- like the weakest link in a chain.

Niladri Chowdhury joins us today to discuss agile BI platform management at HP Services, an enterprise that specializes in helping other enterprises achieve agility. The "Always on" enterprise integrates mobility, connectivity and interactivity. "Always on" means 24/7, and if your business team is making decisions around the clock, your BI platform has to deliver on the same basis.

BI is central to enterprise decision making, but increasing volume and complexity make it increasingly difficult for BI platform managers and administrators to deliver on BI's promises. Everyone has heard the story of the frog in a pot of water that is slowly brought to a boil. The frog doesn't notice the increasing heat and is boiled alive. Being a BI platform manager can feel like that.

What's to be done? You can stand still and lower service levels; you can add resources; or you can look at strategies for achieving agile BI platform management. Join us today to see how HP Enterprise Services is employing the third option with the help of APOS well managed BI solutions.

APOS Announces Dashboard Auditor Product

APOS Systems Inc. today at the 2014 SAP Analytics & BusinessObjects Conference (SABOUC) announced the release of its new APOS Dashboard Auditor for SAP BusinessObjects.

Using the Dashboard Auditor, you can:

• Audit Xcelsius and Design Studio dashboards, as well as Xcelsius components streamed into Design Studio using APOS Dashboard Migrator.
• Implement usage auditing - know who is using your dashboards, and where and when.
• Implement functional auditing - know how your dashboards are being used.
• Verify that your investment in dashboards is paying off - that the dashboards are being used by your target audiences, and as you intended.
• Analyze your current Dashboards environment in preparation for migration to Design Studio.

Dashboards are an increasingly important means of delivering business intelligence. Companies are investing substantial sums in dashboard development and want to know how effective they are in delivering that information, and how dashboards can be improved to meet user requirements and expectations.
Visit the APOS team at SABOUC, Booth #105, to learn firsthand how the APOS Dashboard Auditor can help you optimize the dashboard experience of your information consumers.

Read the press release.

See You at SABOC 2014, Booth #105

Will you be there in Dallas / Fort Worth? The APOS team will be at booth #105, ready and willing to talk to you about how we can help you become more agile in your SAP BusinessObjects BI platform management and administration.

We will also be hosting an education session on Agile BI Platform Management at HP Enterprise Services, featuring HP's Niladri Chowdhury. Niladri will be sharing his migration and platform management experiences.

The HP "Always On" initiative positions HP Enterprise Services as an agile enterprise enabling agility in other enterprises. Naturally, they need their SAP BusinessObjects BI 4 platform management to be agile as well. With customers such as the US Navy, the UK Ministry of Defense and NASA, HP ES must also be the agile enterprise which it sells. Using HP products such as HP Vertica and HP Autonomy with SAP BusinessObjects, their IT department is a model for the integration of complex information systems to produce real-time BI and effective data visualization.

If you are experiencing challenges with volume and complexity in your BI deployment, Niladri's experiences will be familiar to you. Find out how he brings agility to the HP Enterprise Services SAP BusinessObjects deployment.

Webinar Alert: Healthcare & BI Platform Management

When: Thursday, Sept. 18, 2014 - 10 am, 4 pm EDT

Register for the webinar

BI in the Healthcare sector is growing rapidly in response to US healthcare reform, and healthcare organizations are looking for proactive ways to manage and administer the BI platform in the face of increasing volume, complexity and compliance considerations.

Join us for a discussion of the major challenges facing SAP BusinessObjects BI platform managers and administrators in the healthcare industry. This webinar will examine ways to increase your BI platform management agility to help you:

• Master complexity in data sources and information consumer requirements
• Manage compliance through greater system visibility and high-volume administration
• Maintain credibility through reliable, secure, accurate and timely delivery of information

Please join us as we explore techniques and best practices for SAP BusinessObjects platform management in healthcare.

Register for the webinar