The Anthem data breach from 2015 was a wakeup call for numerous industries, but especially healthcare, showing that phishing attacks can have far-reaching effects.
A $115 million settlement proposal was announced in June 2017, which would require Anthem to guarantee a certain level of funding for information security. The provider would also need to implement or maintain data security system changes, provide at least two years of credit monitoring services to data breach victims, and cover out-of-pocket expenses consumers incurred because of the data breach.
Cash compensation will also need to be provided for consumers who already enrolled in credit monitoring, according to the settlement.
However, there are important lessons to be learned from the data breach itself and the following settlement, according to former OCR Senior Health Information Technology and Privacy Specialist David Holtzman.
The summary of the settlement findings concluded that Anthem had responded appropriately and had in place the reasonable information security controls that would be required of an insurance company, Holtzman explained in an interview with HealthITSecurity.com.
“However, the insurance commissioners’ settlement required Anthem to devote hundreds of millions of dollars of investment into their information security technologies and processes,” he added. “The findings of the insurance commissioners foreshadow the eventual settlement of the class-action, as opposed to pursuing a trial.”
Holtzman noted that another issue underlying the settlement of the class action is that the plaintiffs had not made any showing of an individual who had suffered actual harm. The class action did not produce a consumer who had suffered identity theft or was the victim of financial fraud, showing real injury.
“If the matter had gone to trial, they would have been required to produce evidence of actual damage to consumers who were a part of the class action,” he explained. “Examples of injury or real injury would be cases of identity theft, financial fraud, or damage to reputation that could be directly shown as a result of the breach, of the infiltration.”
The settlement itself doesn’t produce much benefit to individual consumers beyond allowing them a choice between an extension of the credit monitoring that Anthem had already offered and a $52.00 financial settlement in lieu of the existing credit monitoring, Holtzman said.
Overall, there are three key takeaways from the settlement, he maintained.
The first is that organizations cannot rely on their participation in an industry certification program as a stopping point for securing their information systems. A certification only demonstrates compliance with a regulatory standard such as the HIPAA rules or the payment-card industry standards at a specific point in time.
“A truly secure company information system requires a continuous assessment and response to changing threats and vulnerabilities that are constantly evolving,” Holtzman stated.
The second takeaway is that the investigation performed by the insurance commissioners determined the root cause of the breach was an employee opening a phishing email, which allowed malware to infiltrate the information system.
“It is crucial that organizations educate and make their workforce members aware of how to recognize and respond to suspicious emails and to recognize when a specific communication is too risky to open,” he explained. “The industry standard practice today is to use phishing campaigns to raise awareness and to identify those workforce members most susceptible to social engineering campaigns.”
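The awareness training Holtzman describes teaches people to spot a handful of indicators before opening a message. The following is an added example, not code from the article or from Anthem, that encodes a few of those indicators as a gateway-side triage script: a display name that claims a different domain than the real sender, a Reply-To that diverts responses elsewhere, a link whose visible text names a different host than its actual target, and pressure language. The sample messages and every domain in them are constructed placeholders.

```python
"""Heuristic triage of a suspicious email (added example, not from the article).

Flags the indicators that awareness training typically teaches: sender
display name vs. real sender domain, diverted Reply-To, link text that
disagrees with the link target, and urgency wording.  Sample messages are
constructed; all domains are placeholders.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URGENCY_WORDS = ("urgent", "immediately", "account will be suspended", "verify your")
HOST_RE = re.compile(r"[\w.-]+\.[a-z]{2,}")
LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host_named_in(text):
    """Host named by link text: a URL's netloc, or the first host-like token."""
    text = text.strip().lower()
    if text.startswith(("http://", "https://")):
        return urlparse(text).netloc
    m = HOST_RE.search(text)
    return m.group(0) if m else ""


def triage_email(raw):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    findings = []

    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain_of(from_addr)

    # 1. Display name that names a domain other than the one the mail really came from.
    m = HOST_RE.search(display.lower())
    if m and m.group(0) != from_dom:
        findings.append(f"display name claims {m.group(0)} but sender domain is {from_dom}")

    # 2. Replies silently redirected to a different domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain_of(reply_addr) != from_dom:
        findings.append(f"Reply-To domain {_domain_of(reply_addr)} differs from sender domain {from_dom}")

    # 3. Link whose visible text points at one host while the href goes to another.
    body = msg.get_payload() if not msg.is_multipart() else ""
    for href, text in LINK_RE.findall(body):
        target = urlparse(href).netloc.lower()
        shown = _host_named_in(re.sub(r"<[^>]+>", "", text))
        if shown and target and shown != target:
            findings.append(f"link shows {shown} but goes to {target}")

    # 4. Pressure language in subject or body.
    haystack = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    return findings


# Constructed phishing-style sample: every domain is a placeholder.
SUSPICIOUS = """\
From: "Member Services (benefits.example.org)" <no-reply@mail-notify.example.net>
Reply-To: helpdesk@collect.example.net
Subject: URGENT: verify your account
Content-Type: text/html

<html><body>Your account will be suspended. Please visit
<a href="http://verify-account.example.net/reset">https://benefits.example.org/verify</a>
immediately.</body></html>
"""

# Constructed benign sample for comparison.
BENIGN = """\
From: Alice <alice@corp.example>
Subject: Lunch
Content-Type: text/plain

See you at noon.
"""

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, triage_email(sample))
```

Each heuristic on its own produces false positives (marketing mail routinely uses a separate Reply-To, for instance), so a gateway would weight and combine them rather than block on any single hit; the point of the script is that every indicator is something a trained reader can also check by eye.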
Finally, organizations must have technology in place to audit and review the system activity taking place in their information systems, Holtzman maintained.
The investigation of the Anthem breach determined that the intruder had infiltrated the network for over one year. The individual had scanned the system for valuable data and had begun extracting sensitive patient information about individuals, all of which had gone undetected.
“Most information systems used in healthcare are processing ins, outs, and actions every single day,” he said. “Entities must be able to properly monitor those actions to determine which are legitimate and which might be malicious attempts to gather information.”
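The monitoring Holtzman calls for has to separate a year's worth of routine reads from an intruder's bulk extraction. The following is an added example, not code from the article or from Anthem, of one simple way to do that over a record-access audit log: build each account's own daily-volume baseline and alert when a day exceeds it by a wide margin, and separately alert on bulk reads outside business hours. The log lines, user names, field layout (`user=`, `action=`, `records=`) and thresholds are all constructed for the example.

```python
"""Baseline-and-deviation review of a patient-record access log
(added example, not from the article).

Each constructed log line is: ISO timestamp, user=..., action=..., records=...
Two detections are shown:
  * a user's daily record volume far above that user's own prior median, and
  * bulk reads outside business hours.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log: a clinician with a steady low volume, a backup service
# account with a steady high volume, and one night where the clinician's
# credentials pull thousands of records.
LOG = """\
2015-01-05T09:12:04 user=rnurse action=read records=4
2015-01-05T10:40:11 user=rnurse action=read records=6
2015-01-05T11:03:55 user=svcbackup action=export records=120
2015-01-06T09:22:08 user=rnurse action=read records=5
2015-01-06T14:10:31 user=rnurse action=read records=3
2015-01-07T08:59:47 user=rnurse action=read records=7
2015-01-07T09:05:02 user=svcbackup action=export records=115
2015-01-08T02:14:09 user=rnurse action=read records=900
2015-01-08T02:31:44 user=rnurse action=read records=1400
2015-01-08T09:00:12 user=rnurse action=read records=5
"""


def parse_log(log):
    """Turn the text log into (timestamp, user, action, record_count) tuples."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append((datetime.fromisoformat(ts), fields["user"],
                       fields["action"], int(fields["records"])))
    return events


def daily_totals(events):
    """user -> date -> total records touched that day."""
    totals = defaultdict(lambda: defaultdict(int))
    for ts, user, _action, n in events:
        totals[user][ts.date()] += n
    return totals


def detect(log, spike_factor=10, min_records=200, business_hours=(7, 19)):
    """Return alert strings.  Thresholds are illustrative, not from the article."""
    events = parse_log(log)
    alerts = []

    # Detection 1: today's volume vs. the median of this user's earlier days.
    # Comparing each account to itself means a service account with a large but
    # steady volume does not alert, while a normally quiet account that
    # suddenly pulls thousands of records does.
    for user, per_day in daily_totals(events).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if not history:
                continue  # no baseline yet for this user
            base = median(history)
            if per_day[day] >= min_records and per_day[day] > spike_factor * base:
                alerts.append(f"{day} {user}: {per_day[day]} records vs baseline {base:g}")

    # Detection 2: bulk access at hours when the workforce is not normally working.
    start, end = business_hours
    for ts, user, action, n in events:
        if n >= min_records and not (start <= ts.hour < end):
            alerts.append(f"{ts.isoformat()} {user}: {n} records {action} outside business hours")

    return alerts


if __name__ == "__main__":
    for alert in detect(LOG):
        print(alert)
```

On the sample log the two detections overlap on the same night, which is the useful property: a single sustained exfiltration trips more than one independent rule, so a review queue ranked by number of corroborating alerts surfaces it ahead of one-off noise.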
Utilizing necessary mitigation tactics for data security
The full investigation has not been made public, so it is difficult to know key mitigation tactics that specifically pertain to the case, Holtzman explained. However, the current sophistication of healthcare information systems far exceeds the scope of healthcare.
“Mere compliance with regulatory requirements calls for sophisticated approaches to have technical safeguards for monitoring access and alerting organizations to inappropriate activity and identifying potential threats in the network as they evolve,” he said.
Today’s threats have already evolved significantly from the type of activity that was the root cause of the Anthem breach.
“There is general agreement that the activity was the result of state-sponsored cyber-criminal activity or criminal cyber-activity,” Holtzman continued. “The cause, the malware, was complex and contained characteristics that were beyond the capability of non-state activists.”
“Today we are plagued with ransomware threats that are taking advantage of information systems that have not been patched or updated, which exposes them to vulnerabilities that were put into circulation years ago.”
“We only have ourselves to blame for not taking prudent action to maintain our information systems. Regular update management, identifying vulnerabilities, investing in current operating systems and applications are critical steps.”