Risk //

Compliance

2/9/2015
04:30 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Anthem Breach Prompts New York To Conduct Cybersecurity Reviews Of All Insurers

Meanwhile, Anthem victims are now being harassed by scammers trying to collect even more personal information.

In response to the data breach at healthcare insurance provider Anthem last week, New York's Department of Financial Services (DFS) announced today that it will "integrate regular, targeted assessments of cyber security preparedness at insurance companies as part of the department's examination process." The Department also plans to issue "enhanced regulations" to insurance companies based in New York, but has not yet solidified what those enhancements will be.

Encryption and multi-factor authentication may be on that list. Healthcare insurers are already subject to the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA), each of which have requirements about privacy and security, but neither of which explicitly require encryption of all personally identifiable information. HIPAA's focus is on medical data, not identity and employment data like that stolen from Anthem.

An Anthem executive confessed to the New York Times Thursday that Anthem had not encrypted the database containing non-medical data, and that it was not required by HIPAA to do so.

The New York DFS today released results of a survey of insurers, outlining some of their cybersecurity practices. In that report, 100 percent of health insurers surveyed said they used encryption for data both in transit and in storage. However, it does not specify the nature or number of files that are encrypted and those that are not.

DFS also discovered that the largest organizations did not necessarily have the best cybersecurity. From the report:

Notably, the Department’s analysis of the insurers surveyed found that a wide array of factors – not just reported assets – affect the sophistication and comprehensiveness of the insurers’ cyber security programs. Those factors include reported assets, transactional frequency, the variety of business lines (insurance and non-insurance) written, and the sales and marketing technologies associated with those lines.

In other words, although it may be expected that the largest insurers would have the most robust and sophisticated cyber defenses, the Department did not necessarily find that to be the case.

DFS also indicated that it was considering the risks of third-party security breaches, stating that it was "exploring stronger measures related to the representations and warranties insurance companies receive from third-party vendors."

Meanwhile, individuals whose personal information was exposed in the Anthem breach are now falling prey to scammers. Anthem warned customers today about scammers contacting breach victims via email or phone, posing as Anthem representatives, and soliciting even more personal data. Anthem stated that there's no evidence that those conducting the scams are the same ones who carried out the breach.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/25/2015 | 4:54:14 AM
Re: Why encrypt when the encryption isn't the issue?
@GonzSTL: Indeed, so so SO many organizations -- Anthem, it would seem, apparently included -- have implemented "M&M Security": Hard on the outside, soft in the middle.

You have to think about what happens after an attacker gets in.  If it's just easy sailing from there, that's a problem.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
2/10/2015 | 9:43:44 AM
Re: Why encrypt when the encryption isn't the issue?
Very much agree. Incorporating a defense in depth approach ensures that even if you are not able to incorporate everything in the SANS 20, that you will still have a more rigid security posture. Whatever the justifications are for not incorporating encryption, I can say from experience that most healthcare organizations are way behind.
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
2/10/2015 | 9:25:43 AM
Re: Why encrypt when the encryption isn't the issue?
I've said this before, and I'll say it again. Implement a rigid and well defined security strategy. That does not mean simply throw money at the thing. Implement SANS Critical Security Control # 17: Data Protection. Fine, don't encrypt your data; I get the arguments for and against that, but you had better have a good data loss protection strategy in place to prevent the exfiltration of your data, whether or not you encrypt your data. Oh, and while you're at it, implement the 19 other controls, and do it properly, like you really mean it. When you finish, you may not have perfect IT security, but it will be pretty darn difficult for someone to steal your precious data.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/10/2015 | 1:18:12 AM
Why encrypt when the encryption isn't the issue?
Several well-written defenses of Anthem for not encrypting have arisen.

Here is but one: thehealthcareblog.com/blog/2015/02/09/anthem-was-right-not-to-encrypt/
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Mozilla, Internet Society and Others Pressure Retailers to Demand Secure IoT Products
Curtis Franklin Jr., Senior Editor at Dark Reading,  2/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8948
PUBLISHED: 2019-02-20
PaperCut MF before 18.3.6 and PaperCut NG before 18.3.6 allow script injection via the user interface, aka PC-15163.
CVE-2019-8950
PUBLISHED: 2019-02-20
The backdoor account dnsekakf2$$ in /bin/login on DASAN H665 devices with firmware 1.46p1-0028 allows an attacker to login to the admin account via TELNET.
CVE-2019-8942
PUBLISHED: 2019-02-20
WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image c...
CVE-2019-8943
PUBLISHED: 2019-02-20
WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring...
CVE-2019-8944
PUBLISHED: 2019-02-20
An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users to view sensitive Terraform output variables via log files.