Anthem's breach has ignited a debate on the insurer's data security safeguards, with many experts arguing that, in this incident, encryption may not have minimized the attack damage like some suspect.
In comparison to a myriad of health care data breaches that involve stolen laptops containing sensitive patient information, Anthem's breach was caused by what appears to be a targeted attack involving custom backdoors being planted on the insurer's systems.
Furthermore, the hacked database containing the Social Security numbers and other data belonging to as many as tens of millions of Anthem customers, was reportedly protected using “other measures,” excluding encryption, which entailed “elevated user credentials to limit access to the data” an Anthem spokeswoman told The Wall Street Journal on Thursday evening.
Under HIPAA, health insurers, like Anthem, are not required to encrypt protected health information, as the Security Rule allows covered entities to determine an “equivalent alternative measure” to protect data, “presuming that the alternative is reasonable and appropriate," the HHS website says.
Since news of the Anthem breach surfaced, some security experts have argued that, even if the information was encrypted, an attacker obtaining elevated privileges wouldn't need to decipher, or crack, accessed data.
On Friday, Avivah Litan, vice president and distinguished analyst at Gartner Research, told SCMagazine.com in an interview that “encryption doesn't go any good if you are taking over a user account that has the ability to see the data in the clear.”
“If someone is just hacking straight into the database, then yes [encryption is] very effective – or if you lose a laptop, for instance. Encrypting helps for direct access, but it does nothing for account takeover of users that can access data,” she explained.
Rich Mogull, analyst and CEO at Securosis, wrote in a Friday blog post that, “of the most common database encryption implementations, the odds are, neither would have even been much of a speed bump to an attack like this. You get the right admin credentials and it's game over," he said.
Steven Bellovin, a Columbia University computer science professor, offered similar thoughts on his blog, noting Thursday that “encryption is a useful tool,” but only if “properly employed.”