5 Things your Business can do to Avoid Becoming the Next Anthem

The Anthem hack was a breach of medical data held by Anthem Inc., a managed healthcare company based in Indianapolis, Indiana.

March 16, 2015 by Alex Collins, IT Services Consultant

The Anthem hack shows that businesses need to do more to protect their customer data, especially in the healthcare sector, where data privacy is regulated by the government (in the United States, under HIPAA). Strong IT services such as two-factor authentication, encryption and regular server backups can help businesses secure their informational assets.

Anthem announced its data breach on February 4, 2015, when it disclosed that hackers had accessed data on its servers. This data includes personally identifiable information (PII) on 37.5 million customers, although the New York Times has reported that up to 80 million customers could be affected. The PII includes names, addresses, employment information and social security numbers. The breach extends to many of Anthem’s brands, including Amerigroup, Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Caremore, Empire Blue Cross and Blue Shield, and UniCare. The primary concern is that the hackers can use the PII to commit identity theft; unlike a password, a social security number cannot be reset after it leaks.

In light of the Anthem breach, here are 5 ways to better protect your company’s data.

1. Two-Factor Authentication

Two-factor authentication (2FA) requires two independent kinds of evidence before a user is accepted: typically something the user knows (a password or PIN) and something the user has (a hardware token, smart card or phone). The familiar example is an ATM, which requires both a physical token (the card) and a secret (the PIN) before granting access to an account. Requiring a second factor for every administrative and remote login would likely have made the Anthem breach far harder to carry out, or at least limited its scope. The hackers might still have obtained administrators’ passwords through phishing, but a password alone would not have been enough to log in without the administrators’ second factor. One caveat: one-time codes typed into a web form can themselves be phished in real time, so for administrative access prefer a factor that is bound to the legitimate site, such as a hardware security key.

2. Additional Access Controls

Access control is any method that restricts a user’s ability to reach information, whether by physical location, network location, role or some other attribute. Stronger access controls may also have helped limit the Anthem breach, although the public details of how the attackers moved through Anthem’s systems are still too thin to say which control would have stopped them. Client certificates are a common way for organizations to establish better access control over their data: instead of a password, the user presents a certificate and proves possession of the matching private key, and administrators can set criteria on the certificate (issuer, subject, validity period, revocation status) that must be met before access is granted. A certificate’s private key is generally impractical to recover by brute force; the practical risk is the key being copied from the endpoint, so keys should be kept in hardware where possible and certificates revoked promptly when a device is lost or compromised.

3. Principle of Least Privilege

The principle of least privilege means that the only people who should have access to a particular piece of data are those who actually require the information to do their job, and that each account should be able to do no more than that job requires. The current information on the Anthem hack is that the PII was accessed with a stolen database administrator account. Least privilege dictates that only database administrators should hold this type of account, which doesn’t appear to have been the case at Anthem. It also applies to what the account itself can do: a DBA needs to manage schemas, backups and performance, but rarely needs to read member records in bulk, so the credentials used for routine administration should not be the same ones that can export tens of millions of rows, and a bulk read of PII should be unusual enough to raise an alert.

4. Data Segregation

Data segregation is the process of storing key data sets separately from each other so that a compromise of one does not yield the whole record; in the Anthem hack this would have limited the value of the data obtained. A common strategy is to strip direct identifiers such as name, bank account number and social security number out of the personal data record and keep them in a separate store, linked by a random token rather than by the identifier itself. Quasi-identifiers such as birth date, gender and ZIP code may also be coarsened (birth date to birth year, five-digit ZIP to its first three digits) as part of a data segregation effort, because in combination they can single out an individual even after the direct identifiers are removed.
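As an added example covering both the least-privilege and data-segregation points above (not Anthem’s or the article author’s code; the member records are constructed and the role names are assumptions), the following Python splits each record into a de-identified part and a separately stored identity part linked by a random token, coarsens the quasi-identifiers, measures how small the resulting groups are, and gates re-identification behind an explicit, deny-by-default permission that the DBA role does not hold.

```python
"""Data segregation (pseudonymization) with least-privilege access checks.
Added example, not Anthem's or the author's code. Records are constructed
sample data about fictitious people; role names are assumptions."""
import secrets
from collections import Counter

# Constructed sample member records (fictitious people).
RAW_MEMBERS = [
    {"name": "Jane Doe", "ssn": "123-45-6789", "dob": "1975-03-14", "zip": "46204", "sex": "F", "plan": "PPO"},
    {"name": "Mary Roe", "ssn": "234-56-7890", "dob": "1975-11-02", "zip": "46208", "sex": "F", "plan": "HMO"},
    {"name": "John Poe", "ssn": "345-67-8901", "dob": "1982-07-21", "zip": "30301", "sex": "M", "plan": "PPO"},
]
DIRECT_IDENTIFIERS = ("name", "ssn")
QUASI_IDENTIFIERS = ("birth_year", "zip3", "sex")


def generalize(raw: dict) -> dict:
    """Drop direct identifiers and coarsen quasi-identifiers (year only, ZIP3 only)."""
    return {"birth_year": raw["dob"][:4], "zip3": raw["zip"][:3],
            "sex": raw["sex"], "plan": raw["plan"]}


class SegregatedStore:
    """Two stores that in production would sit in separate databases with separate credentials."""

    def __init__(self):
        self.identities = {}  # token -> direct identifiers
        self.records = {}     # token -> de-identified record

    def ingest(self, raw: dict) -> str:
        token = secrets.token_hex(16)  # random link; never derived from the SSN
        self.identities[token] = {k: raw[k] for k in DIRECT_IDENTIFIERS}
        self.records[token] = generalize(raw)
        return token


def k_anonymity(records) -> int:
    """Size of the smallest group sharing a quasi-identifier tuple; 1 means someone is unique."""
    groups = Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in records)
    return min(groups.values()) if groups else 0


# Least privilege: explicit grants, deny by default. The DBA role manages structure
# and backups but has no row-level read on either store.
PERMISSIONS = {
    "analyst": {"records:read"},
    "member_services": {"records:read", "identities:lookup"},
    "dba": {"records:admin", "identities:admin"},
}


def authorize(role: str, action: str) -> bool:
    return action in PERMISSIONS.get(role, set())


def roles_that_can(action: str) -> list:
    """Audit helper: which roles can reach a given action."""
    return sorted(r for r, acts in PERMISSIONS.items() if action in acts)


def read_record(store: SegregatedStore, role: str, token: str) -> dict:
    if not authorize(role, "records:read"):
        raise PermissionError(f"{role} may not read records")
    return dict(store.records[token])


def reidentify(store: SegregatedStore, role: str, token: str) -> dict:
    if not authorize(role, "identities:lookup"):
        raise PermissionError(f"{role} may not re-identify a record")
    return dict(store.identities[token])


def load_sample() -> tuple:
    store = SegregatedStore()
    tokens = [store.ingest(m) for m in RAW_MEMBERS]
    return store, tokens


if __name__ == "__main__":
    store, tokens = load_sample()
    print("analyst sees:", read_record(store, "analyst", tokens[0]))
    print("roles able to re-identify:", roles_that_can("identities:lookup"))
    print("smallest quasi-identifier group:", k_anonymity(store.records.values()))
```

With only three sample members the ZIP3/birth-year/sex tuple still singles one person out (k = 1), which is the point of the caveat above: coarsening must be checked against the actual population, not assumed to be enough.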

5. Encryption

Current reports indicate that the PII stolen in the Anthem hack was unencrypted. Encryption is not a cure-all: if the database decrypts the data itself, an attacker who holds a valid administrator account sees it in the clear regardless, and with enough privilege could also reach the keys. What encryption changes is the level of access needed. Disk or database-level encryption defeats an attacker who only gets hold of the storage or a backup; encrypting sensitive fields in the application, with keys held outside the database, additionally means that a stolen database account alone is not enough. The fact that the data was stored in unencrypted form means that it could be stolen by hackers with a much lower level of access.
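As an added example of the application-level approach (not Anthem’s or the author’s code; it uses the third-party `cryptography` package, installed with `pip install cryptography`), the Python below keeps the AES-GCM data key in a stand-in for a key service and stores only ciphertext in the member table. The row’s member id is bound to the ciphertext as associated data, so a copy of the table yields no SSNs and moving a ciphertext between rows fails authentication.

```python
"""Application-level field encryption with the key held outside the database.
Added example, not Anthem's or the author's code. Requires the `cryptography`
package; KeyService stands in for a KMS/HSM; member rows are constructed data."""
import os
from typing import Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce recommended for AES-GCM


class KeyService:
    """Holds the data-encryption key; callers receive ciphertext, never the key."""

    def __init__(self, key: Optional[bytes] = None):
        self._aead = AESGCM(key or AESGCM.generate_key(bit_length=256))

    def seal(self, plaintext: bytes, context: bytes) -> bytes:
        nonce = os.urandom(NONCE_LEN)  # fresh per call; never reuse with the same key
        return nonce + self._aead.encrypt(nonce, plaintext, context)

    def open(self, blob: bytes, context: bytes) -> Optional[bytes]:
        nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
        try:
            return self._aead.decrypt(nonce, ciphertext, context)
        except InvalidTag:
            return None  # wrong key, tampered, or ciphertext moved to another row


def row_context(member_id: int) -> bytes:
    """Unencrypted but authenticated data that ties the ciphertext to its row and column."""
    return f"member:{member_id}:ssn".encode()


def store_member(table: dict, ks: KeyService, member_id: int, ssn: str, zip_code: str) -> None:
    """The database sees the ZIP in the clear but only ciphertext for the SSN."""
    table[member_id] = {"ssn_enc": ks.seal(ssn.encode(), row_context(member_id)),
                        "zip": zip_code}


def read_ssn(table: dict, ks: KeyService, member_id: int) -> Optional[str]:
    plaintext = ks.open(table[member_id]["ssn_enc"], row_context(member_id))
    return plaintext.decode() if plaintext is not None else None


def plaintext_exposed(table: dict, ssn: str) -> bool:
    """What a stolen database account gets: is the SSN recoverable from the stored bytes?"""
    return any(ssn.encode() in row["ssn_enc"] for row in table.values())


if __name__ == "__main__":
    ks, table = KeyService(), {}
    store_member(table, ks, 1001, "123-45-6789", "46204")  # constructed sample
    print("app read:", read_ssn(table, ks, 1001))
    print("SSN visible in a table dump:", plaintext_exposed(table, "123-45-6789"))
```

The separation only holds if the database host cannot call the key service on the attacker’s behalf; in practice that means the key service authenticates the application, logs every decrypt, and rate-limits bulk requests so that millions of decrypts in one night are noticed rather than silently served.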