Anthem’s breach has ignited a debate on the insurer’s data security safeguards, with many experts arguing that, in this incident, encryption may not have minimized the attack damage like some suspect.
In comparison to a myriad of health care data breaches that involve stolen laptops containing sensitive patient information, Anthem’s breach was caused by what appears to be a targeted attack involving custom backdoors being planted on the insurer’s systems.
Furthermore, the hacked database containing the Social Security numbers and other data belonging to as many as tens of millions of Anthem customers, was reportedly protected using “other measures,” excluding encryption, which entailed “elevated user credentials to limit access to the data” an Anthem spokeswoman told The Wall Street Journal on Thursday evening.
Under HIPAA, health insurers, like Anthem, are not required to encrypt protected health information, as the Security Rule allows covered entities to determine an “equivalent alternative measure” to protect data, “presuming that the alternative is reasonable and appropriate,” the HHS website says.
Since news of the Anthem breach surfaced, some security experts have argued that, even if the information was encrypted, an attacker obtaining elevated privileges wouldn’t need to decipher, or crack, accessed data.
On Friday, Avivah Litan, vice president and distinguished analyst at Gartner Research, told SCMagazine.com in an interview that “encryption doesn’t go any good if you are taking over a user account that has the ability to see the data in the clear.”
“If someone is just hacking straight into the database, then yes [encryption is] very effective – or if you lose a laptop, for instance. Encrypting helps for direct access, but it does nothing for account takeover of users that can access data,” she explained.
Rich Mogull, analyst and CEO at Securosis, wrote in a Friday blog post that, “of the most common database encryption implementations, the odds are, neither would have even been much of a speed bump to an attack like this. You get the right admin credentials and it’s game over,” he said.
Steven Bellovin, a Columbia University computer science professor, offered similar thoughts on his blog, noting Thursday that “encryption is a useful tool,” but only if “properly employed.”
“If used in inappropriate situations, it won’t provide protection and will create operational headaches and perhaps data loss from mismanaged keys,” Bellovin wrote. “Protecting large databases like Anthem’s is a challenge. We need better software security, and we need better structural tools to isolate the really sensitive data from average, poorly protected machines. There may even be a role for encryption, but simply encrypting the Social Security numbers isn’t going to do much,” he said.
Securoris’s Mogull added that a “persistent attacker with the time to learn your systems and hijack legitimate credentials,” could even foil additional safeguards layered on encryption, like Database Activity Monitoring and multi-factor authentication.
While an attribution debate is sure to erupt following the incident, the major breach at Anthem appears to give weight to security community predictions that the health care sector would attract increased attention from cyber attackers. In November, the Websense 2015 Security Predictions Report warned that the community should expect a marked increase in attack campaigns launched at the health care sector, primarily because of the diverse array of data such organizations maintain, from Social Security numbers, to financial information and sensitive medical data, which could even be used to extort patients.
Earlier that year, in September 2014, Websense researchers told MIT Technology Review that in the previous 10 months alone, they observed a 600 percent increase in attacks on hospitals.