Anthem Hack: What Can We Learn From The Healthcare Industry’s Biggest Ever Breach?

Insurance firm, Anthem, allowed hackers to access 80m customers’ records, but could it have been avoided? And how can you ensure you don’t suffer a similar fate?

The security breach of US health insurance company, Anthem, which was revealed yesterday evening, is said to have affected up to 80m customers with their personal details being exposed. The data stolen includes names, birthdays, social security numbers, street addresses, email addresses and employment information, including income data. It appears the data was not encrypted.

In light of this breach, which some are saying could be the biggest the healthcare industry has ever suffered, we ask security specialists what we can learn from the incident.

Jaime Blasco, chief scientist at AlienVault Labs

“We are dealing with one of the biggest data breaches in history and probably the biggest data breach in the health-care industry.

“If you are wondering what it means for individuals, in a few words it is a nightmare. If the attackers had access to names, birthdays, addresses and Social Security numbers, it means that information can be easily used to carry out identity theft schemes. It is yet unclear who is behind the attack but if the group behind that compromised Anthem plans to sell that information in the black market it means cybercriminals can buy access to the stolen data and use that information to drain your bank account, open new credit accounts, telephone or even utility accounts. They can even obtain medical care using your information.”

Daniel Ingevaldson, CTO of Easy Solutions

“Details continue to emerge on the massive breach at health care company Anthem, in which hackers have gained access to information including names, birthdays, medical IDs, Social Security Numbers, street addresses, email addresses and employment information (including income), on up to 80m people.

“While most consumers are now all too aware of what happens when their credit card data gets stolen (as it did at Target, Home Depot, and others), and sold on the black markets, what is the biggest risk to consumers with a breach like this?

credit card horror“Just as there are black markets for credit card information, there are also black markets for highly valuable personal data – especially Social Security Numbers + Date of Birth + address. With this kind of information, criminals can easily commit much deeper identity fraud – setting up fake bank accounts, applying for credit cards/loans, filing false tax returns for refunds – all under your Social Security number.

“Credit card black markets are highly sophisticated. While we have not historically seen the same level of automation and sophistication of black markets for personal data, we are seeing early signs of these markets improving their automation. We expect this to improve rapidly with the influx of the new Anthem data. 80 million Social Security Numbers is keen motivation to trigger an increased automation and monetisation of this information We are starting to see signs of this in the forums below.”

Charles Sweeney, CEO, Bloxx

“No company wants to fall victim to what has the potential to be the biggest health hack in history. Whilst Anthem’s customers will be relieved to know that no financial or health data is thought to have been stolen, the fact that so much personal data has been taken will be a serious concern for customers who will no doubt be worried about identity theft. I am sure Anthem would advise its customers to be alert and on the look out for any suspicious activity in the coming weeks.”

Mike Spykerman, vice president of product management at OPSWAT

“Though this is now said to be the largest data breach in the health care industry, unfortunately it is unlikely to be the last. No details are available yet about how the breach at Anthem occurred, however from other breaches we have learnt that often the security is breached by a targeted spear phishing email attack that is used to plant malware or to entice the recipient to provide credentials that can then be used to gain access to systems. The breach could occur at the company itself, but we have also seen breaches where the actual attack occurred at a supplier through which access was gained to the company’s procurement system.

FBI“Anthem should be commended for notifying the FBI so promptly about the breach. Fast and appropriate action could mean that the attackers have not yet been able to cover their tracks.

“In order to protect against targeted email attacks, a multi-layered approach is recommended. Conventional email security systems need to be reinforced by implementing an antimalware solution that uses multiple antivirus engines to scan email attachments, greatly increasing the likelihood that malware is detected, as well as countering threats targeted to bypass a specific engine’s detection capabilities.

“Document sanitisation, where files are converted to a different format and any embedded scripts are removed, acts as another security layer by defusing any possible hidden threats in email attachments that might go undetected by antivirus engines. Employee training on how to detect phishing attacks is also highly recommended, although it is important to be aware that spear phishing attacks are becoming more and more sophisticated and can fool even the most tech-savvy employees.”

Dave Larson, CTO at Corero

“While we continue to watch this unfortunate scenario unfold, one thing remains clear, breaches of this scale appear to be more common place, with countless variables to consider. We are seeing an increasing trend in the Denial of Service attack vector being utilized as a door opener for data exfiltration attempts. Dos, or DDoS is sometimes a poor descriptor for this class of attacks – denial of service is not always the goal. While it is not clear if the Anthem breach included a DDoS component, modern malware are designed to be stealthy, and early DDoS attacks very well could have been a distraction for injecting a sleeper exploit into Anthem’s systems. Once low hanging fruit has been identified, opportunistic hackers don’t need to look very far to take advantage of the weaknesses in security.

“Real time detection and mitigation solutions against cyber attacks were once considered an insurance policy for most organizations. Today, it’s pretty clear that any business, regardless of Industry or type of intellectual property they maintain is susceptible to attack. Attacker’s motivations can range from wildly obscure, to pretty clear and (theoretically) understandable, but it’s a game of Russian Roulette when it comes to target victims, I think 2015 will be the year for showcasing this unfortunate reality. Organizations need to understand the types of threats that are out there, and the proper tools required to defeat these attacks and protect their customers

phishing attackStephen Coty, chief security evangelist, Alert Logic

“Key indicators of compromise started being noticed by the Anthem team late last week. The breached database server hosted personal information (Names, Birthdays Address, Email, Employment information and Social Security Numbers) on over 80 million individuals. According to the company there was no Credit Card information, medical history, diagnosis or treatment data stolen. The data was tracked to the abuse of a credentialed user of the database. This points to a targeted attack that was focused on Anthem. Without any investigative intelligence from the inside I can theorise that a phishing email campaign against was launched in which a user downloaded malicious code.

“Anthem says it contacted the FBI immediately after it discovered the attack, and has commissioned cybersecurity firm Mandiant to evaluate its systems. According to one of the team members the Anthem attack was ‘sophisticated’ and used techniques that appeared to have been customised, rather than broadly available tools, and were ‘very advanced’. Investigators haven’t yet concluded who was behind the Anthem breach.

“President and CEO Joseph Swedish has promised that Anthem will contact all affected members whose information had been compromised, and provide them with free credit monitoring and identity protection services.”

Rahul Kashyup, chief security architect, Bromium

“If 2014 was the ‘year of breaches’, obviously 2015 is set up as the year of ‘more breaches’. The Anthem breach should be a pointer to all those not yet in the ‘breach club’ to wake up to the new era of cybersecurity and what’s at stake. It’s obvious to the attackers that such breaches can be done – repeatedly and they won’t stop. If you’re an organization that holds sensitive data of its customers or affiliates, ensure that your response to this attack changes from ‘Thank heavens it wasn’t us’ to ‘What if it were us?’ and work relentlessly to avoid such data breaches.

identity deception fraud social engineering security © Pretty much everyone knows that passwords aren't supposed to be shared. Passwords exist to protect your information and your employer's information from being seen by people who shouldn't see it and who could cause serious damage if they do access it. This is why you have a strong password on your banking information (you DO have a strong password on your bank account, don't you?) So how is it that Edward Snowden managed to get the passwords that gave him access to thousands of secret documents? According to a story from Reuters, Snowden did it in the easiest way possible. He asked for it. But of course there's more to it than that. What Snowden did was tell a couple dozen of his coworkers that he needed their passwords because he was a system administrator. Those coworkers, knowing that Snowden was fully cleared, figured it was safe, and gave him the passwords. Snowden used that trust to raid the NSA files of everything he could find. Remote Data Replication: Combat Disasters And Optimize Business Operations Watch It Now Leaving aside the propriety of what Snowden did, the fact that he was able to get the information he did with other people's login information speaks volumes. Perhaps more important, it speaks those volumes directly to you and your employer. Snowden exploited a weakness that exists at nearly every company or organization and which can be overcome only by having the right security policies and the right training. That weakness is trusting the wrong people at the wrong time. The obvious question is how this applies to you and your organization. After all, the chances are pretty good that you're not sitting on a pile of state secrets. But the chances are that your company has plenty of information that has value to your competitors, to criminals, or to people who want to use that information for other dubious purposes. Do you really want the outside world to see your customer list? Your financial statements? Your supply chain or manufacturing details? Probably not. Unfortunately, if you lose control of your organization's passwords, you're doing just that. But you can limit the problem by implementing some basic practices, making sure your staff is trained and then retrained frequently. Here are some things you can do: 1. Require passwords that are hard to guess, but don't go overboard. If you require passwords that are too complex, nobody will remember them. You know what happens next—yellow sticky notes on their monitors. That doesn't really help security. 2. Control what happens if a password is shared. It's easy to say that your staff should never under any circumstances share a password. But that's not how things work in the real world. Sometimes a system administrator really does have a reason to request a user's log-in credentials. 3. When that happens, what should the user do? That depends, but at the least they should know that they should then immediately change the password. You might also want to require that any password-sharing request be reported on a routine, easy-to-fill-out form that will disclose the action to whomever you designate to handle this, such as your IT manager. 4. Make password changes easy to accomplish, and automate the reporting process so that every such change is logged. 5. Don't depend on complex control software as a primary means of user verification. It might be useful, but nothing works as well as good practices properly followed. Remote Data Replication: Combat Disasters And Optimize Business Operations Watch It Now Require two-factor authentication for access to information that's really important. Many companies use a smartcard that doubles as an access card and organizational ID card. This reduces the problem of stolen log-in credentials. More complex methods of access control certainly exist and should be used under extraordinary situations, but are not always appropriate. It's important to remember that maintaining access security requires the willing cooperation of your staff. This means that you have to tell them what needs to be protected, the means they should follow to protect that information and what they should do if they suspect that protection has been compromised, even by someone who claims a plausible reason to do so. Here's one way such a procedure might work: One of your workers with access to something sensitive, such as human resource data, requests help with a problem logging in to the network. Somebody from the help desk asks for the log-in credentials to see what the problem is and to try to fix it. The person being helped provides the information and then immediately sends an email to a designated manager saying something like this: "I provided my log-in info to Sam Smith from the help desk to fix a log-in problem. My extension is 123." Once the log-in problem is solved, the employee should immediately change their password. That change will be recorded by your network management system where it can be verified by a manager or security staffer. Will that eliminate all data loss? Of course not, but it will eliminate some of it. It requires little in the way of resources and it allows management follow-up since problems—including an administrator who seems to be asking for a lot of passwords—will show up quickly. While you can throw automation at such a problem, at some point the most basic answer is training and management. It's hard to be more effective than that unless you already have training and management practices to enforce password discipline in place already. Shutterstock“Large institutions such as Anthem are under constant attack. Why? Simply put, the attackers have nothing to lose due to the loose boundaries of the internet and lack of Internet laws. Most large organisations are ‘hackable’ due to the fallible nature of humans at work, and outdated security controls and/or inefficient security practices. The key driver behind most of such attacks is obviously financially motivated. Attackers typically want to steal either Credit Card information or Identity of the victims.

“In this case, Anthem has acknowledged that personal data was stolen. So, obviously, there was a gap in their controls that led the attackers into their sensitive networks. Internal networks should be designed with the expectation that at some point the end users will get infected, so basic principles such as segmentation of network are important. Adequate controls should be put on servers hosting sensitive information so that Incident Response can be quick. In this case the attackers managed to steal information, so evidently the exfiltration went undetected for sometime – which was enough.

“Given the nature of details disclosed by Anthem, affected individuals should watch out for Identity theft scams. The issue is hot right now, so the attackers are likely to move fast in the upcoming weeks to sell this data in the underground.

“It is Anthem’s responsibility for protecting their customers’ sensitive data that was entrusted with them. Giving a timely response to their customers is the least that is expected in such situations. It is yet to be ascertained on the damage done already, we’ll soon find out.”nd their business.”

Whistleblower leak keyboard security breach © CarpathianPrince ShutterstockLee Weiner, SVP Products and Engineering, Rapid7

Please feel free to use this in any articles you may be drafting on this issue. If you need anything further please don’t hesitate to get in touch.

“The FBI has commended Anthem for its quick response to this breach. Being able to detect and address a security incident quickly is a huge challenge and can make all the difference in terms of the impact and ability to pursue the culprits. Based on the limited information available, it sounds like Anthem discovered the problem pretty quickly and was able to move fast in confirming an incident and calling in support from law enforcement and information security responders.

“Current and former Anthem members should be vigilant for so-called ‘piggy back’ attacks – criminals leveraging concerns over the Anthem breach to launch social engineering attacks that target Anthem members. These would likely be in the form of emails or calls designed to trick worried consumers into taking an action or sharing confidential information such as financial details. Consumers should be suspicious of any unsolicited calls or emails – don’t click on links, or provide personal information over the phone or email. If you get a call, offer to call back and use your search engine to find the appropriate number. Do likewise for any emails.

“For organisations who may employ individuals whose personal information was stolen, may also want to take additional precautions as employees often use the same login credentials across corporate and personal websites. No mention of stolen passwords has been noted, but organisations may still want to exercise caution and ask affected employees to change their passwords for any corporate access and applications.”

Lancope CTO, TK Keanini

“A point needs to be made about information. When we say it has been stolen, it it not like stealing a car when you no longer have it. The proper term is disclosed because you as a customer of Anthem trust that Anthem is protecting your private information from disclosure. Theft is an awkward term.

“When comparing this to retail data breaches, you need to consider the mutability of the information. Medial information is far more severe because it is not easily changed. When credit cards, phone numbers and even social security numbers are disclosed, you have an opportunity to just change it and the disclosed information is no longer valid, but this is not really the case with medial information. Changing your DNA is not an option, so public disclosure of this is valid for a lifetime. When you consider the information you are protecting, you need to consider how easy it is to change it and then select the appropriate level of encryption.

“Medial records will be a hot commodity for cyber crime as more records are going electronic and more cyber criminals are emerging in the threat landscape.

“There are two very important countermeasure to this threat. The first is that data can be protected with the right cryptographic means, and second, turning the entire network into a sensor grid is just as important to have the right level of operational intelligence pre, during, and post breach.”

online theftJason Hart, VP Cloud Services, Identity and Data Protection, Gemalto

“Anthem is the latest casualty in a long list of high profile companies that have fallen victim to hackers. In fact, the most common type of cyber-attacks carried out in 2014 were those perpetrated on people’s identities. While it’s still too early to estimate the real impact of this hack, its consequences could be potentially damaging both to the company’s reputation and bottom line, as well as to customers’ confidence in the entire insurance sector.

“The issue is whether the sensitive stolen information was encrypted. What we see constantly with these types of attacks is that breach prevention and threat monitoring alone will not keep the cyber criminals out. With hacking attempts becoming a common occurrence, being breached is not a question of “if” but “when”.

“As the average person’s risk profile grows, companies need to think about the best way to protect their personal identities with a combination of encryption and authentication. This means using best practice data protection – attaching security directly to the data itself using multi-factor authentication and data encryption, as well as securely managing encryption keys. That way, if the data is stolen, it is useless to the thieves.”

Gavin Millard, EMEA technical director at Tenable Network Security

“Although the technical details of how the incursion occurred are scarce at the moment, one aspect of note is how professionally Anthem have handled the breach once it was discovered. Creating a FAQ with advice to current and past customers and offering identity protection to all that have been affected is helpful to those concerned and should aid in restoring confidence. It’s becoming increasingly difficult to deny that we now live in a time where the probability of a breach is high and with that in mind, every organisation should have a solid plan of action and response for when the inevitable happens.”

Lior Arbel, CTO at Performanta

“Another day and another huge data breach hits the headlines. This hack of tens of millions of Anthem customer information is seeing 2015 carrying on where 2014 left off with high-end data breaches of large enterprises. We have unmistakably now entered a phase in cyber-aggression where hackers have realised that information is power and have begun to up their attacks on corporate targets to steal vital intellectual property or consumer data. Malicious actors are now proving time and again that they have the ability to circumvent traditional security solutions yet attacks are developing at a rate not matched by the defences.

“While Anthem is to be credited with discovering the breach themselves and notifying the public quickly, this must be seen as another wake-up call for organisations all over the world. Every company must take immediate steps to protect themselves and to detect whether they have already become unknowing victims of the growing tide of cybercrime. This is the time for organisations to take a holistic approach to the security procedures required to combat advanced threats rather than look for a ‘silver bullet’ technology solution. A ‘hands on’ approach by IT departments in conjunction with external data specialists can then help implement, review and enhance security procedures. Do not wait for there to be a successful attack and to suffer the loss of revenue, customer trust, and the potential loss of critical data.”

computer healthMark Bower VP product management Voltage Security

“Attackers bypassing traditional perimeter defences is now routine – and should be expected. The best defence strategy now is to neutralise sensitive data so that a breach yields nothing in the event of compromise. Leading healthcare entities are already embracing data-centric security to prevent this type of breach yielding valuable data when attacked. The reason is simple: Healthcare data is lucrative to monetize and healthcare providers can expect attacks to rise sharply as other industries like retail merchants progressively eliminate exploitable security gaps with data-centric encryption and tokenisation. Cybercrime is a business – and attackers swiftly gravitate to the next easy target with advanced malware and exploit tools.”

Dwayne Melancon, CTO Tripwire

“Constant vigilance is the watchword for cybersecurity, and this breach demonstrates that any company with information of value can be a target – not just those with credit card numbers. Regardless of the sector, the precautions are consistent – understand what software and systems you have, configure them securely, and understand how they’re vulnerable. And since the threat landscape changes constantly, enterprises must be able to continuously evaluate where the stand and fix security holes as soon as they find them. That can be difficult for any organisation, and giving attackers the smallest foothold can result in huge consequences.

“Individuals who are affected, or potentially affected, should freeze their credit reports immediately with the three major credit bureaus – Equifax, Transunion, and Experian – to reduce the risk that anyone can open new lines of credit in their names. This is also a good reminder that you shouldn’t use any of your personally-identifiable information as answers to your ‘secret questions’ to validate your identity online. Make up your own questions and answers, or use answers that are fictitious but memorable to you to prevent criminals from guessing their way into your online accounts.

“Finally, beware of any emails or calls regarding this incident as they are almost certainly fraudulent. Kudos to Anthem for announcing they will notify the affected customers via mail – that is much harder to spoof. Nonetheless, be on the lookout for potentially fraudulent requests for information requested by mail – remember, the criminals have mailing information, as well. Trust, but verify.”

Check Point UK managing director, Keith Bird

“Armed with the data they already have, attackers will try and trick those affected by the breach into revealing further details, such as account numbers and passwords.

“For the attackers, it’s just a numbers game, but it could have serious consequences for customers. Phishing emails continue to be the most common source for social engineering attacks, so customers should be suspicious of any email or even phone call that relates to the breach.”

How much do you know about hacking? Take our quiz to find out!