Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //

Compliance

2/9/2015
04:30 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Anthem Breach Prompts New York To Conduct Cybersecurity Reviews Of All Insurers

Meanwhile, Anthem victims are now being harassed by scammers trying to collect even more personal information.

In response to the data breach at healthcare insurance provider Anthem last week, New York's Department of Financial Services (DFS) announced today that it will "integrate regular, targeted assessments of cyber security preparedness at insurance companies as part of the department's examination process." The Department also plans to issue "enhanced regulations" to insurance companies based in New York, but has not yet solidified what those enhancements will be.

Encryption and multi-factor authentication may be on that list. Healthcare insurers are already subject to the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA), each of which have requirements about privacy and security, but neither of which explicitly require encryption of all personally identifiable information. HIPAA's focus is on medical data, not identity and employment data like that stolen from Anthem.

An Anthem executive confessed to the New York Times Thursday that Anthem had not encrypted the database containing non-medical data, and that it was not required by HIPAA to do so.

The New York DFS today released results of a survey of insurers, outlining some of their cybersecurity practices. In that report, 100 percent of health insurers surveyed said they used encryption for data both in transit and in storage. However, it does not specify the nature or number of files that are encrypted and those that are not.

DFS also discovered that the largest organizations did not necessarily have the best cybersecurity. From the report:

Notably, the Department’s analysis of the insurers surveyed found that a wide array of factors – not just reported assets – affect the sophistication and comprehensiveness of the insurers’ cyber security programs. Those factors include reported assets, transactional frequency, the variety of business lines (insurance and non-insurance) written, and the sales and marketing technologies associated with those lines.

In other words, although it may be expected that the largest insurers would have the most robust and sophisticated cyber defenses, the Department did not necessarily find that to be the case.

DFS also indicated that it was considering the risks of third-party security breaches, stating that it was "exploring stronger measures related to the representations and warranties insurance companies receive from third-party vendors."

Meanwhile, individuals whose personal information was exposed in the Anthem breach are now falling prey to scammers. Anthem warned customers today about scammers contacting breach victims via email or phone, posing as Anthem representatives, and soliciting even more personal data. Anthem stated that there's no evidence that those conducting the scams are the same ones who carried out the breach.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/25/2015 | 4:54:14 AM
Re: Why encrypt when the encryption isn't the issue?
@GonzSTL: Indeed, so so SO many organizations -- Anthem, it would seem, apparently included -- have implemented "M&M Security": Hard on the outside, soft in the middle.

You have to think about what happens after an attacker gets in.  If it's just easy sailing from there, that's a problem.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
2/10/2015 | 9:43:44 AM
Re: Why encrypt when the encryption isn't the issue?
Very much agree. Incorporating a defense in depth approach ensures that even if you are not able to incorporate everything in the SANS 20, that you will still have a more rigid security posture. Whatever the justifications are for not incorporating encryption, I can say from experience that most healthcare organizations are way behind.
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
2/10/2015 | 9:25:43 AM
Re: Why encrypt when the encryption isn't the issue?
I've said this before, and I'll say it again. Implement a rigid and well defined security strategy. That does not mean simply throw money at the thing. Implement SANS Critical Security Control # 17: Data Protection. Fine, don't encrypt your data; I get the arguments for and against that, but you had better have a good data loss protection strategy in place to prevent the exfiltration of your data, whether or not you encrypt your data. Oh, and while you're at it, implement the 19 other controls, and do it properly, like you really mean it. When you finish, you may not have perfect IT security, but it will be pretty darn difficult for someone to steal your precious data.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/10/2015 | 1:18:12 AM
Why encrypt when the encryption isn't the issue?
Several well-written defenses of Anthem for not encrypting have arisen.

Here is but one: thehealthcareblog.com/blog/2015/02/09/anthem-was-right-not-to-encrypt/
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Cognitive Bias Can Hamper Security Decisions
Kelly Sheridan, Staff Editor, Dark Reading,  6/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12855
PUBLISHED: 2019-06-16
In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections.
CVE-2013-7472
PUBLISHED: 2019-06-15
The "Count per Day" plugin before 3.2.6 for WordPress allows XSS via the wp-admin/?page=cpd_metaboxes daytoshow parameter.
CVE-2019-12839
PUBLISHED: 2019-06-15
In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command execution.
CVE-2019-12840
PUBLISHED: 2019-06-15
In Webmin through 1.910, any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.
CVE-2019-12835
PUBLISHED: 2019-06-15
formats/xml.cpp in Leanify 0.4.3 allows for a controlled out-of-bounds write in xml_memory_writer::write via characters that require escaping.