Anthem’s IT System Had Cracks Before Hack
Yet the
Hackers were able to roam around for seven weeks inside Anthem's computers before one of the company's database administrators noticed it on
The data breach is particularly ill-timed for Anthem, since it has staked its future on using sophisticated IT to become a trusted guide to consumers as they manage their health and navigate the health care system. While Anthem was well-regarded among health care companies for its IT security practices, the health care industry lags other sectors.
IT security experts say the details disclosed by Anthem show it failed to take three steps that might have stopped the attack - or at least made it more difficult to carry out. The company:
* Didn't require what's called "multi-factor authentication" for its entire system. Instead, only parts had the heightened barrier to access, leaving the remainder less protected.
* Didn't employ monitoring technology that was sufficiently sensitive to detect unusual flows of data out of its computer systems.
* Failed to encrypt the stolen database.
Anthem did not require its employees to provide two layers of authentication in all areas of its computer systems, according to a
The first layer of protection is, of course, a login and password. And the hackers got their hands on the passwords of several of Anthem's database administrators, according to a
The second layer is a card, key fob, token or smartphone app that produces a temporary password or a lengthy number, often changing it every hour or even every minute. The computer system produces a matching number at a similar frequency. If someone tries to log in without the matching number for that particular time period, he is denied access. The only way to have the number is to have the card, fob, token or smartphone in one's hands.
Before the attack, Anthem did not require that second layer in some areas of its IT systems. Almost no company has such a standard for all employees, but it is standard practice for any area in which there is sensitive data.
"Two-factor authentication is not a new or unique concept," state rules published by the federal
Once Anthem discovered the attack, it shut down all IT areas that did not require two-factor authentication.
Then on
Those were among the "draconian countermeasures" Miller outlined in his
"I will not accept anyone thinking that this is the result of any kind of sloppiness," Miller told employers, according to a person who listened to the presentation and took notes. "This is the result of a very sophisticated APT," he said, using the acronym for advanced persistent threat.
Anthem still does not know the source of the breach, Miller said.
IT security experts noted that every major company makes trade-offs between better security and easier use of computer systems by employees and customers.
They also noted that any company can fall victim to a cyber attack - and seven companies with sterling security reputations, such as
Also, Anthem drew praise for detecting the attack on its own and for quickly alerting the FBI and its customers.
"We believe that Anthem's adoption of strong information security controls, comprehensive assessment process, participation in cyber preparedness exercises and cyber threat information sharing were crucial in their ability to detect, analyze, remediate and collaborate swiftly and effectively," stated a
'Pretty shocking'
However, there are technologies Anthem was not using - called user behavior analytics - that could have raised a flag immediately when the patient records were transferred. An Anthem spokesman said the company was using a data loss prevention technology that monitors data traffic on its network, but that it did not detect any suspicious activity.
That's not surprising, said
"There's a known weakness in that technology," Thompson said of data loss prevention. Though it's not common yet in the health care industry, he added, "Our clients are using user behavior anomaly detection tools to identify a pattern of normal behavior and then receive a notice when abnormal behavior takes place."
Rook Security estimated that a database of 80 million patient records would amount to 35 gigabytes of data.
If it was transferred all at once from the database server to a compromised computer, that much data would certainly have been large enough to attract the attention of user behavior analytics programs, noted Thompson.
If the 80 million records were transferred in smaller chunks, it would have been harder to detect, he said, but there are still things Anthem could have done to make its data traffic monitoring systems more likely to detect unusual transfers.
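The two detection points Thompson describes, as an added example that is not the article's or Rook Security's code: a per-user egress baseline flags a single oversized transfer by z-score, and a rolling 24-hour total compared against the user's busiest historical day catches the same volume when it leaves in small, individually normal-looking chunks. The user names, sizes and timestamps are constructed sample data, not Anthem's logs.

```python
import statistics
from collections import defaultdict, deque
from datetime import datetime, timedelta

GB = 1_000_000_000


def build_baseline(history):
    """Per-user profile from past egress events: mean/stdev of event size, largest daily total."""
    sizes, daily = defaultdict(list), defaultdict(lambda: defaultdict(int))
    for ts, user, nbytes in history:
        sizes[user].append(nbytes)
        daily[user][ts.date()] += nbytes
    return {u: {"mean": statistics.mean(v), "stdev": statistics.pstdev(v) or 1.0,
                "daily_max": max(daily[u].values())} for u, v in sizes.items()}


def detect(events, baseline, z_limit=3.0, window=timedelta(hours=24), factor=5.0):
    """Return (ts, user, kind, bytes) alerts: 'burst' for one oversized transfer,
    'rolling' when the last `window` of egress exceeds `factor` x the user's busiest day."""
    alerts, recent, tripped = [], defaultdict(deque), set()
    for ts, user, nbytes in sorted(events):
        prof = baseline.get(user)
        if prof is None:
            alerts.append((ts, user, "unknown_user", nbytes))
            continue
        if (nbytes - prof["mean"]) / prof["stdev"] > z_limit:
            alerts.append((ts, user, "burst", nbytes))
        q = recent[user]
        q.append((ts, nbytes))
        while ts - q[0][0] > window:  # drop events that fell out of the rolling window
            q.popleft()
        total = sum(n for _, n in q)
        if total > factor * prof["daily_max"] and user not in tripped:
            tripped.add(user)  # alert once per user until the window drains
            alerts.append((ts, user, "rolling", total))
        elif total <= factor * prof["daily_max"]:
            tripped.discard(user)
    return alerts


def sample_history():
    """Constructed 30-day baseline: two DBAs each run three 100-140 MB exports per day."""
    start, out = datetime(2015, 1, 1), []
    for day in range(30):
        for user in ("dba1", "dba2"):
            for k in range(3):
                ts = start + timedelta(days=day, hours=8 + 4 * k)
                out.append((ts, user, 100_000_000 + 10_000_000 * ((day + k) % 5)))
    return out


def sample_events():
    """Constructed incident: dba1 pulls 35 GB at once; dba2 pulls 22 GB as 200 normal-sized chunks."""
    start = datetime(2015, 2, 1)
    return [(start, "dba1", 35 * GB)] + [
        (start + timedelta(minutes=7 * i), "dba2", 110_000_000) for i in range(200)]
```

Run `detect(sample_events(), build_baseline(sample_history()))`: dba1 trips both checks, while dba2's chunks pass the per-transfer check and are caught only by the rolling total.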
Rook employees were scheduled to demonstrate on
The most plausible scenario, Thompson said, was that the hackers sent a phishing message to Anthem's IT team. By either opening an attachment or clicking on a Web link in one of the emails, one of Anthem's own employees could have allowed malicious software to install itself on an Anthem computer.
If opened while an Anthem IT staff member was logged in to the Anthem computer systems - even if logged in via both layers of authentication - such a program could have given the hackers remote access to Anthem's computers.
Hackers first sent a query - a request for data - to the stolen database on
"We don't know the full details of this kind of attack, but the fact that it took seven weeks is going to require some explanation," Cate said. "It would certainly suggest that the exfiltration of that data took place over a long period of time. To not notice that is pretty shocking."
Anthem took flak in various news articles after the attack for not encrypting the database that held the patient records - a practice that has become increasingly common, Cate said.
However, he added, if the hackers obtained the login credentials of IT staff, that would have given them access to the decryption information they needed to read the database.
Anthem CIO Miller, who joined the company last May after more than 30 years at
Thompson said Anthem's IT security team most likely told Anthem's executives of the risk of not encrypting, but the executives might not have understood the gravity of the risk they faced.
"Based on the expertise of the Anthem information security team, I find it hard to believe that they weren't aware of these issues," Thompson wrote in an email. "I think that the absence of encryption and other critical controls was identified internally and something broke down in communication. This is often the case in internal risk communication and acceptance processes."
IT security leader
Anthem is recognized for having some of the best IT security in the health care industry.
It has doubled its IT security spending over the past four years. And a recent review by an outside firm of Anthem's vulnerability to cyber attackers revealed "no significant findings," according to an Anthem spokesman.
Former Anthem IT workers said the security protocols were more stringent at Anthem than anyplace they've worked, including requirements to work with laptops chained to a desk - even while inside Anthem's offices.
Last April, when Anthem's corporate name was still WellPoint, the company even set up a website designed to look and feel like its own, at www.wellpoint.com. It then sent phishing messages to employees to see how they would respond.
The trouble is, health care organizations are behind other industries when it comes to IT, including security. Cyber thieves have exploited this fact more and more, with the yearly number of health care data breaches in
"In general, health care has been very slow to adopt almost every technological advance," said
Anthem has been investing heavily in IT in a bid to become the trusted mediator of the complicated health care system.
For example, when seven major hospital systems in the
In addition, Anthem hopes to develop user-friendly websites and mobile applications for consumers, so that it helps them take care of their health - not just process their medical bills.
But Anthem CEO
"Health care has simply just not kept pace with our expectations as consumers, and therefore frustration is pre-eminent and growing by virtue of the intolerance of health care's inability to match the experiences in other aspects of our lives," Swedish told investors during a January presentation at the
Major data breaches won't help any health plan trying this strategy - as most national health plans are - but it will take lots more data breaches before consumers completely lose confidence in health plans, said
"They clearly are going to be given that opportunity. They have the most data, so it makes the most sense for them to be the consolidator of that [health information]," Shapurji said.
Partly for that reason,
Calming customers
In a little more than a year, there have been data breaches at
None of those companies has seen their sales affected much, although the CEO of
"There's always a momentary blip, and people are quoted in the newspaper saying they'll never shop there again, but then they're back the next time they get a coupon," Cate said.
Anthem has sought to reassure its customers by paying for two years of identity theft protection and credit monitoring. Sign-ups for that service were scheduled to start
Anthem also worked to reassure concerned employers, whose workers now could face a lifetime of identity-theft attempts using the stolen information.
That's why Miller, Anthem's chief information officer, was conducting town hall meetings with employers.
During the
"That's a big request," Miller said. "We wish to share whatever is necessary to restore confidence, but I don't know that we would just hand over their report."