BreachExchange mailing list archives

Anthem Attack Won't Be the Last


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 9 Feb 2015 18:37:25 -0700

http://www.bloombergview.com/articles/2015-02-06/anthem-attack-won-t-be-the-last

If, like us, your insurance coverage is provided by the good folks at
Anthem Inc., you probably have a few questions. How did the company not
notice that cybercriminals were siphoning 80 million customer records from
their systems? Why wasn't my personal information encrypted? And why would
Chinese hackers, the prime suspects, be interested in my Social Security
number?

With some effort and luck, these questions will be answered soon, as
litigants, attorneys general and federal investigators descend on the
company. For now, give Anthem credit for coming clean quickly about its
lapses -- and remember that the attacks will continue unless there are some
real reforms.

For one thing, companies need to start encrypting personal information held
in their databases -- especially important data such as Social Security
numbers -- as a matter of course and storing it more securely. This will
make it harder for many businesses to "mine" that data, share it or package
it for resale. Such is life in the Age of Hacking.

Companies also have to demand better security from their business partners.
Health-care companies, in particular, are vulnerable because they're
repositories of so much sensitive information and rely on elaborate
networks. The thieves are often cunning: When Target was attacked in 2013,
the infiltrators stole credentials from a heating and refrigeration vendor
the retailer did business with.

Finally, businesses have to get more comfortable sharing data about attacks
with one another and with the government. The nascent information-sharing
group for health-care companies, called NH-ISAC, should use this incident
as a wake-up call for the entire industry, a known laggard in cybersecurity.

Congress could help by getting serious about setting up a federal
information-sharing arrangement headed by the Department of Homeland
Security. That should be a two-way street, with the government sharing
expertise, offering access to intelligence information, and providing
liability protection in exchange for businesses participating forthrightly
and complying with the rules. If this latest attack was, in fact,
undertaken by the Chinese, it's unreasonable to expect Anthem to know how
to respond without help from the federal government.

It's also important for Congress to start debating how to bolster laws to
prevent the spread and sale of stolen personal data online. That's a
complicated undertaking that could have a lot of unintended consequences,
so it has to be done prudently. With each new attack, however, the task
only becomes more urgent.

All these things cost money. Yet so do enormous, terrible data breaches --
just ask Target, which has tallied up expenses of $248 million after its
attack. Eventually, this cost-benefit analysis will make the expense of
better protection look affordable -- not just to the inhabitants of
corporate C-suites, but to anyone with an e-mail account. In the meantime,
we'll be monitoring our credit. You should, too.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
