The Anthem breach to date doesn’t appear to have included electronic protected health
information (ePHI). However, cybercriminals do not need ePHI data to commit medical fraud. A
cybercriminal needs only your name, social security number, and date of birth to obtain
medical care or even purchase prescriptions in your name. What is even scarier is that if the
wrong information is then posted to your medical record, the results could be catastrophic,
even loss of life.
What can we learn from Anthem?
Firstly, I want to commend Anthem for their appropriate response to the security event. Upon
discovery of the breach, Anthem initiated their internal security response plan, which resulted in
reaching out to the FBI. (I have personally seen cases where a company that was breached
only found out about the breach when the FBI, NSA, a customer, or an external third-party
company notified them.) As part of Anthem’s security breach response plan, Anthem’s President
and CEO Joseph Swedish released a public statement, and Anthem immediately launched
a website for their consumers to acquire more information about the breach.
What is most impressive to me as a Security Executive is how the breach was discovered and
what that discovery says about Anthem’s security culture. It appears a suspicious database
query alerted someone in Anthem’s Information Technology (IT) department, and because
this query was abnormal, the individual rang the internal alarm bells accordingly. What is scary
is that these types of anomalies often go undetected in many organizations (healthcare, financial
services, information technology, etc.). Anthem’s swift response indicates not only that Anthem
takes security and monitoring seriously but also that they have built security awareness as a
foundational principle within their security culture.
No organization can ensure their data is 100% safe; however, having the appropriate security
response plan for the type of data and industry vertical an organization operates in is critical to
reducing the impact of a breach when it occurs. Anthem is a great example of this mantra.
Anthem likely has sophisticated controls (security, audit, compliance, regulatory) within their
environments, but they still fell victim to a serious security / data breach; the difference was that
Anthem had a plan. If the industry overall would focus on tightening controls, monitoring systems
for abnormal patterns, and drawing up comprehensive response plans, we as Security leaders will
show cybercriminals we are just as sophisticated, passionate, and driven to protect
organizational data as they are to take it!
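The two ideas above, an abnormal database query that triggers an internal alarm and the call to monitor systems for abnormal patterns, can be made concrete with a small detection script. The following is an added example written for this page; it is not Anthem's code and says nothing about how Anthem actually detected the query. The audit-log format, the account and table names, the business-hours window, and the 100x volume ratio are all constructed assumptions. The script learns a per-account, per-table median of rows returned from a known-good window, then flags new queries that return far more rows than that account normally sees, that come from an account/table pairing never seen before, or that run outside business hours.

```python
"""Flag anomalous database queries in an audit log.

Added example for illustration only. The log lines, account names, tables and
thresholds are constructed; none of it is real Anthem data or Anthem's tooling.
"""
from collections import defaultdict
from statistics import median

# Constructed sample audit logs. Format per line (whitespace separated):
# timestamp  db_account  statement  table  rows_returned
BASELINE_LOG = """\
2015-01-26T09:01:12 app_member SELECT members 1
2015-01-26T09:01:15 app_member SELECT members 1
2015-01-26T09:02:40 app_member SELECT members 3
2015-01-26T09:03:02 app_claims SELECT claims 12
2015-01-26T09:04:30 app_member SELECT members 2
2015-01-26T09:05:11 app_claims SELECT claims 9
2015-01-26T09:06:00 app_member SELECT members 1
2015-01-26T09:07:45 app_claims SELECT claims 15
"""

NEW_LOG = """\
2015-01-27T09:10:02 app_member SELECT members 2
2015-01-27T10:00:00 app_claims SELECT claims 11
2015-01-27T23:58:10 app_member SELECT members 8000000
2015-01-28T02:14:03 svc_report SELECT members 25000
"""

BUSINESS_HOURS = range(6, 20)  # assumption: 06:00-19:59 is normal working time


def parse_log(text):
    """Turn whitespace-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, statement, table, rows = line.split()
        events.append({"ts": ts, "account": account, "statement": statement,
                       "table": table, "rows": int(rows)})
    return events


def build_baseline(events):
    """Median rows returned per (account, table) pair in the known-good window."""
    rows_by_pair = defaultdict(list)
    for e in events:
        rows_by_pair[(e["account"], e["table"])].append(e["rows"])
    # The median is robust: a single huge query in the baseline would not skew it
    return {pair: median(rows) for pair, rows in rows_by_pair.items()}


def detect_anomalies(baseline_events, new_events, ratio=100):
    """Return the new events that deserve a human look, with the reasons why.

    Reasons, in the order they are checked:
      unknown_pair - this account never queried this table in the baseline
      volume       - rows returned exceed `ratio` times the pair's median
      off_hours    - the query ran outside BUSINESS_HOURS
    """
    baseline = build_baseline(baseline_events)
    flagged = []
    for e in new_events:
        reasons = []
        pair = (e["account"], e["table"])
        if pair not in baseline:
            reasons.append("unknown_pair")
        elif e["rows"] > ratio * max(baseline[pair], 1):
            reasons.append("volume")
        if int(e["ts"][11:13]) not in BUSINESS_HOURS:
            reasons.append("off_hours")
        if reasons:
            flagged.append({**e, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in detect_anomalies(parse_log(BASELINE_LOG), parse_log(NEW_LOG)):
        print(f'{hit["ts"]} {hit["account"]} {hit["table"]} rows={hit["rows"]} '
              f'-> {", ".join(hit["reasons"])}')
```

Run against the constructed logs, the script stays quiet about the two ordinary daytime queries and raises two alerts: the late-night query that pulled eight million member rows through an application account that normally returns one or two, and an unfamiliar service account reading the members table at 2 a.m. The point is not the specific thresholds but that a baseline of normal behaviour per account, kept from audit logs the database already produces, is what turns an abnormal query into something a person can notice and escalate.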
About the Author
An industry leader and innovator, Kyle F. Kennedy is a Senior Executive who
focuses within the areas of Information Security, Risk Management, Audit,
Disaster Recovery, IT Solutions, Business Process Management (BPM), and
Information Technology Governance-Risk-Compliance (GRC). Kyle is a leading
expert on identity management, access management, user account provisioning,
entitlement management, federation, privileged identity management, role design
and management, and identity management as a Service. Kyle also covers enterprise fraud
management, which has many synergies with identity and access management when an
organization needs to protect against risk and wants to manage fraud appropriately.
18 Cyber Warnings E-Magazine – March 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide