Anthem's data was unencrypted
Data stored in Anthem's database was not encrypted, making it easier for outside attackers to access and read it, according to a Wall Street Journal report.
While companies are required to encrypt external data, encryption is not required for internal data storage, which drew concern from many security experts in the report.
"It is irresponsible for businesses not to encrypt the data," said Trent Telford, CEO of Reston, Va.-based data security firm Covata, in a Los Angeles Times report. "We have to assume the thieves are either in the house or are going to break in."
Mac McMillan, CEO of healthcare IT consulting firm CynergisTek and chair of the HIMSS Privacy & Security Policy Task Force, said Anthem can't be singled out for not encrypting data internally. "There are a lot of folks who don't encrypt data internally. If not encrypting your data internally is a failure or makes you irresponsible, then we have a whole lot of people in healthcare who are irresponsible, not just these guys," Mr. McMillan said in an interview with Becker's Hospital Review.
There are a number of reasons an organization may choose to not encrypt data, Mr. McMillan continued, such as having confidence in other security measures or wanting to reduce the effects or complications encryption may cause to system operations.
"My point is, I don't think we know enough at this point with respect to what happened to call anybody irresponsible," Mr. McMillan said. "Does that mean they would be in a much better place right now if it were encrypted? Absolutely. But hindsight is always 20/20."
Anthem reported late Wednesday that hackers accessed personal information for approximately 80 million former and current customers and employees, and it is likely that tens of millions of records were stolen. The cyberattack will likely be the largest data breach disclosed by a healthcare company to date, according to the WSJ. Indianapolis-based Anthem is the second-largest health insurer in the country.
Anthem said the attack was discovered Jan. 29 when a systems administrator noticed a database query was running with his identifier code, even though he had not initiated the query. The company is now working with the Federal Bureau of Investigation.
© Copyright ASC COMMUNICATIONS 2017.