In the largest healthcare data breach to date, hackers potentially made away with tens of millions of personal records of Anthem customers and employees, the payer announced late Wednesday.
Approximately 80 million records were accessed, records that included names, birthdays, addresses, phone numbers, emails, employment and income information and Social Security numbers.
Here eight health IT leaders and cybersecurity experts weigh in on the massive breach.
Ian Amit, Vice President, ZeroFOX.
"The Anthem breach is very interesting from several different perspectives: first, the breadth — about 80 million people could be affected by the breach. That's a huge number of personal data records to deal with, and I suspect that the implications of this breach will be felt for a long time.
Second — the immediate response from Anthem to the breach was 'this is not a HIPAA violation.' This is interesting considering the company's initial reaction is the immediate cost of the breach in terms of regulations. The real cost here is the huge exposure of [personal information] of tens of millions of Americans, who are now going to be subjected to a higher rate of identity theft, spamming and social engineering by malicious actors using the stolen information.
Organizations that drive their security and risk management based on regulatory compliance are bound to face the realities of modern cyberattacks. Attackers couldn't care less about what compliance regulations an organization works within (the opposite is true — often being 'just' compliant basically reveals that your controls are built to only check the boxes).
In this specific case, the reality is that the personal information is much more valuable than the medical information just because of the sheer mass of it.
Last but not least — this has been verified as an external attack. Beyond deflecting potential criticism on insider participation, it's highly likely that such an attack involved a hybrid approach vector — targeting both technical weaknesses in the Anthem infrastructure, as well as weaknesses in employee awareness and processes. Successfully breaching an organization of this size isn't about finding some vulnerability on a web server, but about having an opportunity to breach several layers of controls, again, most likely by coercing someone to act in an insecure manner (open an attachment, click on a link, etc.)."
Philip Casesa, CISSP, CSSLP, Director of IT/Service Operations, (ISC)².
"The impact of an identity breach is potentially more dangerous and harmful than that of a credit card breach. Credit card breaches are quickly mitigated by issuing a new card and account number — a routine process for card-issuing banks. Even with massive credit card breaches, actual credit card fraud is low because banks are so adept at responding.
Identity attacks, such as the one on Anthem, will likely have a longer lasting and more devastating impact. The disclosure of Social Security numbers and other data points such as income, employment status and birth dates allow attackers to sell this information to other criminal operations. Other potential issues with identity breaches involve the ability for the hackers to commit massive fraud themselves by creating accounts with credit card companies or other financial institutions, causing the victim to cope with the fallout from such a violation for an extended period of time.
While Anthem will likely offer some protection services to their customers, potential victims shouldn't wait. They may want to go ahead and activate credit freeze alerts, credit monitoring, and gather supporting financial and personal documentation for future issues. These items are key for victims to protect themselves from a potential identity theft situation."
Cletis Earle, Vice President and CIO, St. Luke's Cornwall Hospital (Newburgh, N.Y.).
"What we're fearful of is healthcare being the new target because we have so much data to be accessed and, unfortunately, for hackers to profit from. As an industry, we have to develop new standards, and those standards need to be implemented across the board in order to get in front of the challenges that we're facing.
The challenge here is this is considered a "fullz" breach, where [the hackers] pretty much get access to everything: birthdays, Social Security numbers. For many of these other breaches that occur, whether it was Target or Chase, they were limited to certain data. This one, it looks like they got the whole kit and caboodle. As a result, it's going to be a real big challenge, particularly for children, as an example, who will be vulnerable because their data is now accessible. [Children are] not looking at their information, they're not looking at credit reports, so people can use children's information, unfortunately.
As a hospital system, we don't have the fraction of the resources as the Targets and the Chases of the world, as far as security experts. We are almost like sitting ducks, but we do put tools in place to facilitate these threats to be prepared.
The government is stressing the standards that we should follow as an organization, but I want to emphasize that hackers also know what these frameworks are because they have access to these standards. They remain ahead of us. It's like a cat chasing its tail, going around in circles. This is how you feel sometimes, when it comes to breaches and trying to prepare yourself. You can prepare for several aspects of cyber threats, such as Cyber Insurance, NAC, DLP and IPS, but hackers will always figure out a way to circumvent these tools or solutions you have in place."
Lynne Thomas Gordon, CEO, American Health Information Management Association.
"What I think is so amazing about this breach is the magnitude. It was huge compared to the last big breach with Tricare; the magnitude is just unbelievable. However, it seems like Joseph Swedish and team are really trying to be proactive.
From what I'm hearing, [the hackers] got so much information — patients' Social Security numbers, addresses and emails — I think that shows that somebody really knew what they were doing.
Anthem has been very careful, but it just shows we can never be too safe. We have to look at things differently; it was a good lesson. Just think about it: It could happen to them and it could happen to small providers too.
We want our patients' information to be safe and I think if we all work together we can hopefully get there. [AHIMA is] here to support the healthcare community in any way we can and as we learn more, we will provide support for our members."
Ben Johnson, Chief Security Strategist, Bit9 + Carbon Black.
"I don’t want to sound like a doomsayer, but there are very few data breaches that surprise me anymore.
Healthcare is not historically a big industry for data breaches, but it's becoming that. Healthcare records are valuable. You can do more with them, order drugs in the patient's name or use their information for identity theft, whereas stolen credit cards can be canceled.
Hospitals and health systems typically grow through acquisitions and mergers, and they often have a lot of IT systems cobbled together, which makes it difficult to throw cybersecurity over that.
I do applaud Anthem. It has been a week since the breach, which is really fast for a big company like that to react. On the other hand, Anthem was quick to label the hackers as sophisticated, and while they certainly could be, I worry that we're too quick to say it was a super sophisticated hack."
Mac McMillan, co-founder and CEO, CynergisTek, chair of the HIMSS privacy and security policy task force
"All we know is what [Anthem has] been willing to share so far: the number of records or people that potentially could have been impacted, they shared that they hired Mandiant — one of the best firms in the business in terms of forensic analysis — so they've got the right people looking at the problem. They self-reported to the authorities and they are on the case as well. And they've made notice to the public that this thing occurred. They have been very responsible, very practical about their responsibilities in terms of keeping the consumer informed.
There are two things to take away from this. One is a general kind of message, and that is healthcare basically needs to wake up and realize [it is] absolutely a target for cyberthieves. If any of the incidents that occurred last year and things like the Community Health Systems breach didn't convince you of that, hopefully this will.
This is an outfit that has a dedicated professional CISO. This is an organization that has a security group. This is an organization that has a very sophisticated IT organization. This is an organization that has spent money on security. Basically, what this proves once again is it doesn't matter how big or sophisticated you are or how much you spent on security — you're still susceptible to breaches.
No. 2 is that everybody is susceptible to breach. To single Anthem out with respect to the incident would be unfair. They're just as susceptible as everyone else is. The real questions are how were the attackers able to exploit [Anthem's] systems without detection, and how did information on 80 million people leave without alarming anyone?"
John Steven, Internal CTO, Cigital.
"Given the complexity of operations in the healthcare industry and the variety of regulations, which focus heavily on identity and access management, an enormous amount of resources are spent on security architecture. As a result, successful attacks on healthcare organizations are even more surprising than attacks on retail or other industries.
Organizations should focus more time and attention on hardening key systems rather than blanketing their entire portfolio with commodity assessments. Counter the threat with the correct weapon: SaaS scans aren't ever going to stop concerted attackers. Analyzing one's architecture and hardening systems by building security in will.
The immediacy of the disclosure is also interesting. Companies are learning that the days of sitting on news are over and that delaying the news of your breach may impact your brand. Organizations are best served by getting out in front of breaches as soon as possible."
Cris Thomas, Strategist, Tenable Network Security.
"Assuming Anthem was a member/customer/client of HITRUST, I would have to ask if Anthem was following the HITRUST Common Security Framework published on the HITRUST website. I'm also curious to know what IOCs HITRUST is basing its decision not to issue an alert on, because while this attack may have been targeted, I am concerned this could be the first in a string of similar attacks.
I haven't kept track, but I assume medical records are worth more on the underground market than simple credit card numbers. News reports are all over the place in regard to the number of compromised records, but if it actually was 60 million or more, that is a significant payday for the bad guys. So, while the methods in the attack may have been specifically targeted at Anthem, it is likely that the same criminal group will target other medical records with similarly specific attacks."*
*Editor's note: Electronic health records can go for up to $1,300 on the black market, according to PwC.
More articles on health IT:
Privacy concerns are the biggest barrier to mHealth market, survey finds
3 ways government can improve cybersecurity
Chinese hackers suspected in Anthem data hack