Tech

Why Anthem Was Wrong Not to Encrypt

Screen Shot 2015-02-22 at 7.23.57 AMBeing provocative isn’t always helpful. Such is the case with Fred Trotter’s recent headline ‒ Why Anthem Was Right Not To Encrypt.

His argument that encryption wasn’t to blame for the largest healthcare data breach in U.S. history is technically correct, but lost in that technical argument is the fact that healthcare organizations are notably lax in their overall security profile. I found this out firsthand last year when I logged onto the network of a 300+ bed hospital about 2,000 miles away from my home office in Phoenix. I used a chrome browser and a single malicious IP address that was provided by Norse. I wrote about the details of that here ‒ Just How Secure Are IT Network In Healthcare? Spoiler‒alert, the answer to that question is not very.

I encourage everyone to read Fred’s article, of course, but the gist of his argument is that technically ‒ data encryption isn’t a simple choice and it has the potential to cause data processing delays. That can be a critical decision when the accessibility of patient records are urgently needed. It’s also a valid point to argue that the Anthem breach should not be blamed on data that was unencrypted, but the healine itself is misleading ‒ at best.

I don’t disagree with Fred’s narrow technical argument, but there is definitely a larger issue that he chose to ignore. That larger issue ‒ and one I’ve written about frequently ‒ is what industry experts call a “culture of security.” The sheer volume of data breaches suggests a serious lack of that culture specifically in healthcare.  The SANS Institute report last year highlights the dire state of cybersecurity in healthcare. New Cyberthreat report by SANS Institute Delivers Chilling Warning to Healthcare Industry

Less than 6 months prior to the time Anthem pulicized their breach earlier this month, Community Health Systems (CHS) announced their breach of 4.5 million patient records. Some of the top security analysts have already begun to link the two (Anthem and CHS) ‒ right down to the lethal vulnerability that was discovered last April ‒ the Heartbleed bug. There’s even speculation that the actual breaches at both Anthem and CHS may have occurred in fairly close proximity to each other (after April of last year). Again, something I covered here: Are the Data Breaches at Anthem and CHS Linked?

That “culture of security” means that there’s a technical basis ‒ and logic ‒ to use the appropriate technology (both software and hardware in tandem) to ensure that adequate data (and network) security is in place. Note the use of that word ‒ adequate.

There will never be a perfect. The attack surface in increasing ‒ exponentially with IoT ‒ and the attackers have only to find one vulnerability once. Defenders, on the other hand, need to defend against all vulnerabilities ‒ all the time. That equation gives the attackers the upperhand and the gap between attacker and defenders is widening.

In the end ‒ we’ll likely see at least 2 outcomes from these new mega breaches.

  1. If it’s determined ‒ in court ‒ that the breach was the result of the Heartbleed bug,  both Anthem and CHS will have a much harder time defending against negligence ‒ which means the damage awards will be significant.
  2. Whatever the final cost of both breaches (and those yet to come), as always, they will be passed on to each of us as patients and healthcare consumers in the form of higher premiums.

This last one is simply an extension of many other perverse incentives that exist throughout our for‒profit healthcare system. Why bother paying for an expensive barn door that locks when we can simply pass the cost of the all the lost animals onto someone else? Sure there will be hits to profits and earnings, for awhile, and some heads may actually roll (the CIO at Sony was summarily dismissed), but will these mega breaches (and others yet to happen) be enough to change the “culture of security” inside healthcare? Probably not ‒ and certainly not if strong technical voices like Fred’s continue to defend what amounts to a cavalier attitude of security on the basis of a narrow argument – even if that argument is technically correct.

A relatively high proportion of the healthcare executives we interviewed believe that the sophistication or pace of cyberattacks will increase quickly, and all of them agreed that attackers’ capabilities will likely outpace the capabilities of their organization. The healthcare sector appears to be the most underdeveloped, with 56% of healthcare respondents believing that their company spends insufficiently on cybersecurity. Risk and Responsiblity in a Hyperconnected World ‒ McKinsey ‒ January, 2014

The author is a writer for Forbes. He is based in Arizona. 

Livongo’s Post Ad Banner 728*90

27
Leave a Reply

17 Comment threads
10 Thread replies
0 Followers
 
Most reacted comment
Hottest comment thread
12 Comment authors
kevinmassChip Chippingtonjohn irvineJohn SharpAnshu Sharma Recent comment authors
newest oldest most voted
kevinmass
Member
kevinmass

Anthem’s security breach is not different from one that any other large organization would face. Was this attack truly sophisticated, or could anyone have pulled it. “Anthem was the target of a very sophisticated external cyber attack. These attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members,” Anthem President and CEO, Joseph R. Swedish, said in a statement. Healthcare organizations need to take some precautions against data breaches. Training employees on how to spot a cyber attack can help to reduce the risks of a healthcare breach.Cybersecurity related online communities… Read more »

dan munro
Guest

John, I disagree – but it’s technically nuanced. The most common approach to an encryption/de-cryption function is in software. That way it’s relatively seamless to the end-user – and relies on the credential. If the credential itself is compromised (which is, I believe, the way the Aetna breach was carried out), the software used to encrypt/de-crypt would be ineffective because the user was “authorized” to the encryption software (and the software would have decrypted the data automatically). This view is supported by the disclosure that the admin noticed his/her account was in use by an unauthorized user. Subtle and nuanced… Read more »

John Sharp
Guest

Although encryption was not the problem, if the data was encrypted, it would have been nearly useless to the hackers. I agree with getting away from SS# as an identifier. But it seems like a no-brainer, that with the common attacks for the purpose of identity theft, that any of those identifiers should be encrypted if the organization resists full encryption.

dan munro
Guest

Anshu – they resist because absent a national standard – it’s not in commerical interests to pay for the size and scope of that software change without industry agreement. I’ve long argued that it’s not a technical challenge – it’s a business one – and the for-profit stakeholders (large, incumbent software houses in slugfest competition with each other) can’t agree to one. This is why we have national bodies to create standards, like voltage – and which side of the street to drive on. Left to commercial interests – you get iOS v. Android v. Blackberry v. Microsoft every time.… Read more »

anshu sharma
Guest

Dan: I concur that its technically feasible. But I don’t understand fully why the healthcare companies won’t want a national identifier? After all, they already use one (SSN). Other than the one time cost, its not hugely expensive relative to all the other costs. There may even be some savings longer term. Why do they resist?

dan munro
Guest

Adrian – totally agree – but as long as we continue to use permanent identifiers (SS# and DoB) and things like logins/passwords (the most popular still being 123456 and password) – we’re all at significant/quantifiable medical and financial risk. Like you – I’m committed to change – but it is definitely an uphill battle (of Sisyphean proportions). Rick Scott (Governor of Florida) said it best: “How many businesses do you know that want to cut their revenue in half? That’s why the healthcare industry won’t reform the healthcare industry.” Now many will argue that Rick Scott (founder of Columbia –… Read more »

Anshu Sharma
Guest

The Social Security Number being used as a default identifier is definitely a huge problem. My Bank A/C# is not SSN and yet I can uniquely pass my info to you to send me money. Why can’t we do the same with health data?

Using SSN is the laziest, easiest way to deal with identifiers. There is technical solutions to this except healthcare companies have so far not adopted these for some reason (why bother?).

dan munro
Guest

Anshu – we can absolutely build a National Patient Identifier. In fact, HIPAA had that baked into the original legislation! I wrote about that here: http://www.forbes.com/sites/danmunro/2014/03/16/who-stole-u-s-healthcare-interop/ It’s NOT a technical challenge – it’s a financial one – on the part of an industry that’s fully committed to protecting their revenue. Lot’s of blame to go around – but the “industry” lobbied (heavily) to defund HHS/ONC – and they succeeded. As a result – HHS/ONC is legally prohibited from “looking” at the problem – let alone implementing a solution. This is also why Fin/Svcs has such a huge advantage. Credit cards… Read more »

J.K. Wall
Guest

Anthem’s admission that it did not encrypt this database has, oddly, occupied everyone’s attention even after Anthem admitted to other things it did not do–which are far more relevant to whether the company could have prevented this attack. As I wrote about on Feb. 14, http://www.ibj.com/articles/51789, Anthem told its employer clients that it did not use multi-factor authentication throughout its IT systems (even though every ATM in America uses that concept and even though Medicare requires its use around all sensitive data) and it did not employ user behavior analytics. That second concept would have given Anthem a much better… Read more »

Fred Trotter
Guest

good points and thanks for the links to more information!!

J.K. Wall
Guest

Thanks a lot, Fred. And thanks for your article that kicked off these lively discussions. 🙂

dan munro
Guest

Adrian – because we “stripped” out national patient identifiers when HIPAA was first passed. As you know – the P in HIPAA stands for portability – not privacy. To accommodate that “portability” (and safety) – HIPAA was supposed to deliver a national patient identifier – but it got de-funded. As it is today – HHS/ONC is legally prohibited from even LOOKING at instituting a national patient identifier – even though they recognized the huge value and instituted one for providers. Absent an HHS/ONC effort – the default is Social Security #. In a paper-world – that actually had some safety… Read more »

Adrian Gropper, MD
Guest

Dan — Identity is about people, not patients. It is not healthcare-specific. What is healthcare-specific is third-party payment based on secret contracts between private payers and private providers. Hence your quip about “financial incentive”. Whether it’s interoperability or security, the unique structure of US healthcare has forced us into hoping that regulations by HHS/ONC will solve obvious market failure. Five years and $30 Billion later, it’s time to reconsider that approach. What’s $30 B in a market that’s wasting $1000 B per year? As far as I know, the only place that is seriously looking at secure and privacy-preserving patient… Read more »

dan munro
Guest

All – one thing that the industry needs to rally around is to stop the default practice of using permanent numbers (like SS#) for patient data. We adopted an NPI for providers – it’s time to adopt one for patients. HIMSS calculated that 18% of medical errors in hospitals is the result of mis-matched patient ID’s. Everyone loves the promise of big data/analytics – and it’s fun to work in that exciting tech domain – but let’s get the priorities right. Some of this is *really* basic/fundamental stuff – it’s been there for decades – and we can/should just fix… Read more »

Adrian Gropper MD
Guest

Dan — Patient Privacy Rights agrees with the need for privacy-preserving and safer patient identifiers. Why is healthcare the only major industry to use “patient matching” instead of voluntary unique IDs?

Adrian Gropper MD
Guest

Fred, I wonder if your perspective is colored by your passion as a data scientist? That hardly matters in this particular case because hacking is an equal opportunity menace but it does provide some insight into what I have come to notice as three increasingly polarized perspectives on (big) health data: research, clinical, and consumer. Encryption stands to hinder “efficient” research. Encryption, to the extent it leads to stronger accountability, is somewhat threatening to clinicians. On balance, it’s more of a nuisance than a duty. To consumers, encryption is like hand washing, a sound practice and a show of respect.… Read more »

dan munro
Guest

Adrian – I don’t fault Fred directly – it’s a systemic problem. It’s *so* much more fun, sexy and exciting to deal with silicon valley “new.” As a computer scientist myself – I’ve seen this firsthand with lots of “digital health” solutions. It’s fun to “imagine,” and “dream” everything new – but that’s also why top companies (the one’s that really *could* drive change) aren’t remotely interested. Here’s a quote from Sergey Brin: “Generally, health is just so heavily regulated. It’s just a painful business to be in. It’s just not necessarily how I want to spend my time.” So… Read more »

Fred Trotter
Guest

I have apparently failed to communicate the points in my previous article well. I had hoped to contrast two oversights that the mainstream press was making in covering the Anthem hack. The first being the knee-jerk reaction that mere encryption at rest is somehow protective against the type of hack that Anthem experienced, which it clearly isnt. The second point was that the NSA, by continuing to place energy in “attacking” our nations “enemies” with computers, was implicitly under-investing in helping organizations like Anthem protect themselves adequately. I tried to make some more subtle points too, but lets take a… Read more »

dan munro
Guest

Fred – I agree – but the way the article was written begged for the rebuttal. We ALL need to endorse/support a “culture of security.” That doesn’t mean that encryption is always good – or required – but it does mean that more effort is absolutely required on the part of BIG institutions to protect our data. In Anthem’s case – there’s a pattern here. If you look back in the records – this wasn’t the first (and likely won’t be the last) time that Anthem was breached. Anthem (formerly known as Wellpoint) paid HHS $1.7M in 2013 for leaving… Read more »

Scott Briggs
Guest
Scott Briggs

An excellent reply to Fred Trotter’s less than convincing argument for not encrypting patient data. I worked in financial services for several years at one of the biggest global banks in the world and we figured out how keep the business going after encrypting data both at rest and in transit. The federal reserve seems to be doing just fine with exchanging encrypted data with its member banks as well. Most laptops in use with sensitive data utilize full-disk encryption and the sun continues to rise day after day. However, as Mr. Munro points out, the most appalling aspect of… Read more »

dan munro
Guest

Fred is technically correct – the Anthem breach didn’t happen because the data was un-encrypted – but that’s no excuse not to embrace a culture of security. Encryption may or may not be appropriate in every circumstance, but the networks today are wide open. It’s not that the door is unlocked – or open – it’s that there’s no door at all.

civisisus
Guest
civisisus

Dr Palmer, pay attention to Dr Gropper. He knows something about his subject. You do not.

My feeling is that no one is paying attention to the area in which we’re likely to find the most meaningful “solution” to health care data security, which is to punish the crap out of anyone using any personally identifiable data in anything that hints of a discriminatory fashion.

Sure, tech wizards should do what they can to thwart snoops, snitchers, snatchers, and other data-filching creeps. But damage happens when people USE filched data in noxious ways.