Lessons from the 2015 Anthem Breach

It’s been just over a year since the February 2015 health plan Anthem Inc. reported a record-breaking cyber-attack that affected almost 78 million individuals.

In the last year the healthcare sector has been the target of several other massive cyber-attacks since the Anthem breach; however, the Anthem incident still tops the Department of Health and Human Services’ “wall of shame” website as the largest health data breach reported since HHS began keeping a tally in September 2009.

A number of key lessons have emerged from that breach that other organizations can apply to improve their own data security.

Those lessons include the need to:

1. Boost education of users about phishing
2. Monitor IT environments and baseline user behavior
3. Keep anti-malware programs up-to-date
4. Implement two-factor authentication and data loss prevention tools
5. Reassess how much personal information to collect and store
6. Develop and test an incident response plan

1) Boost Education: Phishing is a problem

The Anthem breach was caused due to the compromised credentials of five IT workers through a phishing attack. Other high-profile breaches caused phishing attacks include:

• Premera Blue Cross, 11 million affected individuals
• Beacon Health System, 307,000 affected individuals

The size of the Anthem breach is still staggering. Access was obtained using the credentials of just five employees, which points to an incredibly weak link in IT security. Phishing education and training for those five employees could have possibly prevented the entire breach.

Healthcare providers should be far more aggressive in educating their workforce to recognize phishing schemes and implementing technical controls aimed at stopping phishing emails from penetrating their network.

2) Monitor your IT environment

One huge takeaway from the Anthem breach is that any company that deals with privileged personal information needs to continuously monitor their IT environment and gain a better understanding of user behavior, especially privileged users. User behavior analytics tools can highlight user ID and device behaviors that have stepped away from their normal behavior. Monitoring can highlight possible signs of system compromise via stolen credentials. It’s also important to monitor sequential critical database reads, which is a possible sign of data theft in action— again, behavior that steps away from the norm—no person reads thousands of records sequentially.

Had there been some targeted monitoring of what the privileged users were doing at Anthem, this suspicious behavior could have been detected much sooner.

3) Anti-Malware needs to be up-to-date.

Organizations need to ensure they are as protected as possible if employees do fall for phishing email scams that contain malicious code or links. Simple steps like the following can measurably increase your security.

• Ensuring that endpoint anti-virus agents are up-to-date; and
• Using a different email filter engine than the one supplied by the endpoint anti-malware tool.
• Ensuring that Web filters are up-to-date to block any untrusted or new links embedded in the emails.

4) Implement two-factor authentication and data loss prevention tools

The Anthem incident still raises serious questions that other organizations need to consider about access controls. If the Anthem users didn’t fall for social engineering, then did they use such poor passwords that they were easily guessed? Two-factor authentication could play a critical role in preventing similar breaches.

Once preventive tools are in place, the focus should be on rolling out tools such as data loss prevention and security information and event management, or SIEM, tools and their supporting processes and talent to run them to raise the visibility of attempted and successful malicious activity within your networks. If you cannot afford these tools, consider a managed service that can provide them without the initial investment.

5) Collect Less Data?

The scope of records compromised by the Anthem breach highlights the need for organizations to carefully assess the necessity of storing vast amounts of personal information—plus scrutinize who can access it.

The question we should all be asking is “How could five sets of credentials have access to 80 million records?”

Better compliance to HIPAA’s “minimum necessary” requirements regarding data use and access might have helped limit the amount of records exposed in the Anthem breach as a result of compromised credentials. Organizations should limit the amount of information they collect, but they should also be mindful of who has access to that sensitive information.

6) Breach Notification Issues

Once Anthem announced the breach on Feb. 4, 2015, several state attorney generals criticized the company for taking too long to notify affected individuals. Under HIPAA, covered entities have 60 days after a breach is discovered to notify individuals. But after the Anthem breach, some state AGs were growing impatient about individuals’ notification after less than two weeks.

This is a reminder for organizations to be ready when the inevitable breach does occur. Assume that a breach like this will happen in your organization. The FBI has warned that cyber-attacks to the healthcare industry will continue to rise. Consider conducting an internal audit to ensure that you haven’t unknowingly already been hacked.

The development of an incident response plan that includes creating playbooks, educating the response team and conducting a tabletop drill are all necessary steps to take when preparing your breach response. Organizations cannot simply assign someone to a breach after it happens and then hope that things turn out okay.

If you have any questions about IT security, phishing, or breach response preparedness, call ITPAC today.