AnthemThe financial industry has been at the forefront of reported breaches for several years – it is where the money is after all.   As the Health Care Info Security site infographic depicts, the pace of breaches in the healthcare industry is picking up.  In my experience, the healthcare market security practice trails the financial market by a large margin.  Speakers will talk about the industry abiding by ‘compliance obligations’ but not addressing security issues.  The cynic in me has a hard time hearing that argument without retorting “you mean you got the auditors to go away by checking a box without addressing the underlying risk”.  I am not surprised to see the volume of breaches in the healthcare industry increasing.

Many of my coworkers are impacted by the Anthem breach recently reported by the company.  After the fact, there’s not much to do other than await a full accounting of how the breach occurred.  Early reports indicate that the credentials of a privileged account were obtained and used to navigate within the Anthem technical environment to locate and secure confidential information.  Commercial cloud storage services were used to push the data outside (or ex-filtrate as they like to say) the Anthem environment.  The company does not believe the loss of credentials was purposeful (not an inside job) but rather the result of a spear-phishing attack.

What lessons can we glean from this event?  Unfortunately, there’s nothing new here.  Absent details, these are the same events that appear to unfold every month.  Administrators, like the rest of us can still be deceived in to clicking on links and/or revealing passwords.  When companies encrypt data, they still provide ready access to accounts with elevated privileges.  And finally, avenues to exfiltrate data are still permitted in companies believing the access is necessary to business functions.

Investigators now believe the hackers somehow compromised the credentials of five different tech workers, possibly through some kind of “phishing” scheme that could have tricked a worker into unknowingly revealing a password or downloading malicious software.

The larger issue is the disproportionate value proposition that exists.  The level of effort invested by these organized crime and nation states greatly exceeds the level of effort most companies are willing to invest to protect there critical resources – there intellectual property and the information entrusted to them by their customers.  Sadly, until consumers step forward and demand changes from their service providers, we will only see companies prioritizing profit over security. It is after all why they are in business.  Until we demand a higher standard – and perhaps even pay for it – we’ll see our credit card, our social security and our other private information shared with people we likely would run away from if we saw them on the street.

Reward companies willing to differentiate themselves based on how they secure your information – or keep doing what you’ve been doing and get more of the same.