Risk //

Compliance

2/9/2015
04:30 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Anthem Breach Prompts New York To Conduct Cybersecurity Reviews Of All Insurers

Meanwhile, Anthem victims are now being harassed by scammers trying to collect even more personal information.

In response to the data breach at healthcare insurance provider Anthem last week, New York's Department of Financial Services (DFS) announced today that it will "integrate regular, targeted assessments of cyber security preparedness at insurance companies as part of the department's examination process." The Department also plans to issue "enhanced regulations" to insurance companies based in New York, but has not yet solidified what those enhancements will be.

Encryption and multi-factor authentication may be on that list. Healthcare insurers are already subject to the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA), each of which have requirements about privacy and security, but neither of which explicitly require encryption of all personally identifiable information. HIPAA's focus is on medical data, not identity and employment data like that stolen from Anthem.

An Anthem executive confessed to the New York Times Thursday that Anthem had not encrypted the database containing non-medical data, and that it was not required by HIPAA to do so.

The New York DFS today released results of a survey of insurers, outlining some of their cybersecurity practices. In that report, 100 percent of health insurers surveyed said they used encryption for data both in transit and in storage. However, it does not specify the nature or number of files that are encrypted and those that are not.

DFS also discovered that the largest organizations did not necessarily have the best cybersecurity. From the report:

Notably, the Department’s analysis of the insurers surveyed found that a wide array of factors – not just reported assets – affect the sophistication and comprehensiveness of the insurers’ cyber security programs. Those factors include reported assets, transactional frequency, the variety of business lines (insurance and non-insurance) written, and the sales and marketing technologies associated with those lines.

In other words, although it may be expected that the largest insurers would have the most robust and sophisticated cyber defenses, the Department did not necessarily find that to be the case.

DFS also indicated that it was considering the risks of third-party security breaches, stating that it was "exploring stronger measures related to the representations and warranties insurance companies receive from third-party vendors."

Meanwhile, individuals whose personal information was exposed in the Anthem breach are now falling prey to scammers. Anthem warned customers today about scammers contacting breach victims via email or phone, posing as Anthem representatives, and soliciting even more personal data. Anthem stated that there's no evidence that those conducting the scams are the same ones who carried out the breach.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/25/2015 | 4:54:14 AM
Re: Why encrypt when the encryption isn't the issue?
@GonzSTL: Indeed, so so SO many organizations -- Anthem, it would seem, apparently included -- have implemented "M&M Security": Hard on the outside, soft in the middle.

You have to think about what happens after an attacker gets in.  If it's just easy sailing from there, that's a problem.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
2/10/2015 | 9:43:44 AM
Re: Why encrypt when the encryption isn't the issue?
Very much agree. Incorporating a defense in depth approach ensures that even if you are not able to incorporate everything in the SANS 20, that you will still have a more rigid security posture. Whatever the justifications are for not incorporating encryption, I can say from experience that most healthcare organizations are way behind.
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
2/10/2015 | 9:25:43 AM
Re: Why encrypt when the encryption isn't the issue?
I've said this before, and I'll say it again. Implement a rigid and well defined security strategy. That does not mean simply throw money at the thing. Implement SANS Critical Security Control # 17: Data Protection. Fine, don't encrypt your data; I get the arguments for and against that, but you had better have a good data loss protection strategy in place to prevent the exfiltration of your data, whether or not you encrypt your data. Oh, and while you're at it, implement the 19 other controls, and do it properly, like you really mean it. When you finish, you may not have perfect IT security, but it will be pretty darn difficult for someone to steal your precious data.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/10/2015 | 1:18:12 AM
Why encrypt when the encryption isn't the issue?
Several well-written defenses of Anthem for not encrypting have arisen.

Here is but one: thehealthcareblog.com/blog/2015/02/09/anthem-was-right-not-to-encrypt/
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Former Student Admits to USB Killer Attack
Dark Reading Staff 4/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11332
PUBLISHED: 2019-04-18
MKCMS 5.0 allows remote attackers to take over arbitrary user accounts by posting a username and e-mail address to ucenter/repass.php, which triggers e-mail transmission with the password, as demonstrated by 123456.
CVE-2019-9161
PUBLISHED: 2019-04-18
WAC on the Sangfor Sundray WLAN Controller version 3.7.4.2 and earlier has a Remote Code Execution issue allowing remote attackers to achieve full access to the system, because shell metacharacters in the nginx_webconsole.php Cookie header can be used to read an etc/config/wac/wns_cfg_admin_detail.x...
CVE-2019-11015
PUBLISHED: 2019-04-18
A vulnerability was found in the MIUI OS version 10.1.3.0 that allows a physically proximate attacker to bypass Lockscreen based authentication via the Wallpaper Carousel application to obtain sensitive Clipboard data and the user's stored credentials (partially). This occurs because of paste access...
CVE-2019-11331
PUBLISHED: 2019-04-18
Network Time Protocol (NTP), as specified in RFC 5905, uses port 123 even for modes where a fixed port number is not required, which makes it easier for remote attackers to conduct off-path attacks.
CVE-2019-9160
PUBLISHED: 2019-04-18
WAC on the Sangfor Sundray WLAN Controller version 3.7.4.2 and earlier has a backdoor account allowing a remote attacker to login to the system via SSH (on TCP port 22345) and escalate to root (because the password for root is the WebUI admin password concatenated with a static string).