Gartner Blog Network


What Healthcare needs to learn from Retail after the Anthem Breach

by Avivah Litan  |  February 7, 2015  |  2 Comments

It seems like every news analysis article on the Anthem healthcare insurance breach headlines that data encryption is the solution that will stop similar breaches in the future.

Too bad these commentators have such short memories and forget what has happened in the retail industry, where PCI rules enforcing data protection (e.g. encryption, masking or other techniques) for data at rest and for data in motion over public networks have done virtually nothing to stop criminals from hacking large retail chains like Target, Home Depot, Staples and many others. These large-scale hacks have occurred after U.S. retailers and other payment card acceptors have spent tens of billions of dollars securing – and often encrypting – credit card data.

Even Anthem’s spokesperson said encryption would have done nothing to stop their data breach because the hacker came in through a privileged user account. Some security vendors have responded that encryption can be tuned to limit the amount of records that can be retrieved — but such limits are not imposed by encryption, they are imposed by access rights.

This is not to say that encryption doesn’t help. Data protection is an important component of a layered security strategy that includes:

a) Protecting data at rest

b) Protecting data in transit

c) Changing your environment – either logically or physically – as often as possible (using deception or deflection techniques)

d) Context-aware behavioral analytics

To simply call out that the Anthem breach could have been stopped by requiring encryption of data at rest is a knee-jerk reaction that regulators and legislators are bound to latch on to. No doubt congressional hearings and healthcare/insurance regulators will now spend countless hours devising and implementing laws that require healthcare data custodians to encrypt their data – which will only help defend against yesterday’s attacks.

We’ve learned that:

a) Criminals know how to access encrypted data BEFORE it is encrypted – which it always is at some point.

b) Criminals’ preferred modus operandi is to hijack existing privileged user accounts (which have access to otherwise protected or encrypted data) to gain access to the information they want. (This is what Anthem says happened in their breach).

c) If there are controls in an application, e.g. metering of data access, criminals will quickly learn what those controls are and get around them, for example by slowing down an attack and mimicking authorized human users. (See the recent blog post “Where have all our passwords gone”, which describes how criminals have done this with increasingly-harder-to-detect automated attacks.)
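As an added illustration of points (b) and (c), not code from the original post: the script below runs two layers of checks over a constructed access log for a privileged service account. The per-query cap is the kind of in-application metering that a low-and-slow attacker evades by keeping each query small; the sliding-window comparison against each account's usual daily volume is the context-aware behavioral check that still catches the cumulative extraction. The log lines, account names, baselines and thresholds are all invented for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (no real data): "timestamp user records_returned".
# Two human analysts plus a privileged service account whose queries each stay
# under the per-query cap but add up to a bulk extraction overnight.
_HUMAN_LINES = [
    "2015-02-01T09:00:00 analyst_a 120",
    "2015-02-01T09:15:00 analyst_a 80",
    "2015-02-01T10:02:00 analyst_b 300",
    "2015-02-01T11:00:00 analyst_b 1500",  # one oversized query; trips the cap
]
_SLOW_START = datetime(2015, 2, 1, 22, 0, 0)
_SLOW_LINES = [  # 60 queries of 900 rows, five minutes apart: 54,000 rows total
    f"{(_SLOW_START + timedelta(minutes=5 * i)).isoformat()} svc_reporting 900"
    for i in range(60)
]
SAMPLE_LOG = "\n".join(_HUMAN_LINES + _SLOW_LINES)

PER_QUERY_CAP = 1000                      # assumed in-application metering limit
BASELINE_DAILY_RECORDS = {                # assumed per-account typical daily volume
    "analyst_a": 500, "analyst_b": 800, "svc_reporting": 5000}
BASELINE_MULTIPLIER = 5                   # alert when a window exceeds 5x baseline
WINDOW = timedelta(hours=24)


def parse_log(text):
    """Parse 'timestamp user count' lines into (datetime, user, count), sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, count = line.split()
        events.append((datetime.fromisoformat(ts), user, int(count)))
    events.sort(key=lambda e: e[0])
    return events


def per_query_alerts(events, cap=PER_QUERY_CAP):
    """Layer 1: flag any single query that returns more than `cap` records."""
    return [(ts, user, n) for ts, user, n in events if n > cap]


def sliding_window_alerts(events, baselines=BASELINE_DAILY_RECORDS,
                          window=WINDOW, multiplier=BASELINE_MULTIPLIER):
    """Layer 2: sum records per account over every sliding window of `window`
    length and flag accounts whose peak exceeds multiplier x their daily baseline.
    Accounts with no baseline get a limit of 0, so any activity is flagged."""
    by_user = defaultdict(list)
    for ts, user, n in events:
        by_user[user].append((ts, n))
    alerts = {}
    for user, rows in by_user.items():
        limit = multiplier * baselines.get(user, 0)
        peak = running = start = 0
        for ts, n in rows:
            running += n
            while ts - rows[start][0] > window:   # drop rows that fell out of the window
                running -= rows[start][1]
                start += 1
            peak = max(peak, running)
        if peak > limit:
            alerts[user] = peak
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("per-query cap tripped by:", [(u, n) for _, u, n in per_query_alerts(evts)])
    print("behavioral baseline tripped by:", sliding_window_alerts(evts))
```

On this input the per-query cap catches only the human analyst's one oversized query, while the service account's 60 small queries pass it untouched and are caught only by the cumulative, baseline-relative check; that is the gap between a control in the application and a behavioral layer above it.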

Instead of regulating and legislating around yesterday’s attacks, wouldn’t it be refreshing if we learned from the past mistakes of the PCI-governed retail sector? What we learned with Retail and credit card heists is that a layered security approach is always required because you can be sure the criminals can penetrate one or two layers, but penetrating three or four or five layers makes their jobs that much harder and time consuming.

More importantly, the retail and credit card industry learned that sensitive data should be useless if criminals manage to steal it. Even Visa and MasterCard have been touting this lesson for years.

Translate that over to healthcare and other sectors that handle sensitive customer data: what’s required, in part, is surrogate values (à la tokens) for social security numbers, so that the SSNs themselves are not required to uniquely identify a person or patient for all the myriad purposes that healthcare insurers and government healthcare programs like Medicare use them for.

To protect credit card numbers, Visa and MasterCard finally came up with a really good and cost-effective tokenization standard for credit cards, which Apple Pay is the first to use. The EMV token standard does a great job of protecting consumer credit cards from theft and reuse (though merchant requirements need more attention; see the Gartner research note “Avoiding Pitfalls with Payment Security Technologies”). Why can’t the government skip ahead a few years and do the same for social security numbers?
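An added example, not code from the post or from any standard it mentions, of what surrogate values for SSNs look like in practice: a tokenization vault issues a format-preserving surrogate for each SSN, every other system stores only the surrogate, and recovering the real value is gated by an access right rather than by a decryption key. The TokenVault class, the leading-9 surrogate layout, the role names and the sample record are assumptions made for this example.

```python
import re
import secrets

SSN_LAYOUT = re.compile(r"^\d{3}-\d{2}-\d{4}$")


class TokenVault:
    """Assumed vault service (not a real product): the only system that holds
    real SSNs. Everything else stores the surrogate it hands back."""

    def __init__(self, detokenize_roles=("claims_adjudication",)):
        self._token_to_ssn = {}
        self._ssn_to_token = {}
        self._detokenize_roles = set(detokenize_roles)  # an access right, not a key
        self.audit = []                                 # who asked for real values

    def tokenize(self, ssn):
        """Return a stable surrogate for `ssn`: the same SSN always yields the
        same token, so downstream systems can still match and join on it."""
        if not SSN_LAYOUT.match(ssn):
            raise ValueError("not in SSN layout")
        if ssn in self._ssn_to_token:
            return self._ssn_to_token[ssn]
        while True:
            # Format-preserving surrogate in SSN layout. Assumption for this
            # example: the deployment reserves a leading "9" for surrogates so
            # they cannot be mistaken for an issued SSN.
            token = "9%02d-%02d-%04d" % (secrets.randbelow(100),
                                         secrets.randbelow(100),
                                         secrets.randbelow(10000))
            if token not in self._token_to_ssn:
                break
        self._token_to_ssn[token] = ssn
        self._ssn_to_token[ssn] = token
        return token

    def detokenize(self, token, role):
        """Hand back the real SSN only to a role with the access right; the
        limit on who can recover values is enforced here, not by encryption."""
        self.audit.append((role, token))
        if role not in self._detokenize_roles:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._token_to_ssn[token]


def build_patient_record(vault, name, ssn):
    """What an application database row looks like: name plus surrogate only."""
    return {"name": name, "ssn_token": vault.tokenize(ssn)}


def record_exposes_ssn(record, ssn):
    """True if the real SSN appears anywhere in the stored record."""
    return ssn in record.values()


if __name__ == "__main__":
    vault = TokenVault()
    ssn = "123-45-6789"                       # constructed value, not a real SSN
    row = build_patient_record(vault, "A. Member", ssn)
    print("stored row:", row)
    print("exposes SSN:", record_exposes_ssn(row, ssn))
    print("adjudication sees:", vault.detokenize(row["ssn_token"], "claims_adjudication"))
```

A copy of the application's patient table stolen without the vault carries only surrogates, which is the "useless if stolen" property the retail sector arrived at; the token is still unique per person, so matching records across insurers or programs keeps working without the SSN itself.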

Instead, I think all we have to look forward to is many more years of breaches against health care companies and other custodians of sensitive personal data. This will be followed by knee-jerk regulatory reactions — one at a time — that put in place a series of patchwork security solutions which cost companies billions of dollars to comply with but which do very little to keep determined bad guys out.

Progressive companies realize that compliance doesn’t buy them security and will seek to implement progressive solutions – which typically are not the ones regulators enforce.


Avivah Litan
VP Distinguished Analyst
19 years at Gartner
34 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Ms. Litan's areas of expertise include endpoint security, security analytics for cybersecurity and fraud, user and entity behavioral analytics, and insider threat detection.


Thoughts on What Healthcare needs to learn from Retail after the Anthem Breach


  1. MOST authentication techniques ARE powerless against valid credentials in the wrong hands. Therefore – even if the data were encrypted, it would still be vulnerable to someone who manages to get the credentials to access it in an unencrypted state and download it.

    So once the hacker is in, how do you stop them? You’re after the proverbial wolf in sheep’s clothing.

    The answer is to require an out-of-band, phone-based authentication post-login of sensitive events – or dual approval for some events – for example, launching a large query against a database and copying the result to “somewhere.” In financial services and e-commerce, it’s becoming more common to contact an end user out-of-band, via telephone call, SMS message, or secure messaging via a smart app to present transaction details and ask for confirmation. This workflow beats the wolf in sheep’s clothing, the imposter who has somehow obtained valid credentials.

    Network security architects have to consider post-login protections of this type. If they are unable to keep the imposters out (multi-factor authentication, biometrics, etc. will keep them out, but are still too far from common…), finding ways to minimize the damage they can do once they get in is the next skirmish line. IF a hacker has sys admin credentials and IF all of your security is IN-BAND and no one gets out-of-band alerts for sensitive network activity, NOTHING stops a hacker from creating credentials for people who don’t even exist and giving them credentials.

    The key – from now until forever – is going to be OUT-OF-BAND. IF hackers readily compromise your in-band credentials – and it certainly appears they can and do – your defense has to be out-of-band. One user with higher levels of privilege can initiate an activity – making a large DBMS query for instance – but a second administrator has to approve it, before the commands will execute. THAT could have saved Anthem, encryption or not.

    The upcoming RSA Conference will mark the 15th consecutive RSA Conference that Authentify has demonstrated two-factor authentication techniques that require a user to answer a telephone call or otherwise use a mobile smart device to confirm their login. That gives you a fail-safe which protects against session hijacking (also called man-in-the-browser). An attacker’s inability to answer or use the correct phone would have prevented the majority of the breaches we’ve seen in the last several years, probably including Anthem. Recall the CEO of Apple, Tim Cook, cited phone-based two-factor authentication as the protection that would have saved certain celebrities from having their private photos circulated on the Internet.

    Sony’s CEO is the latest C-level “victim” of a data breach. If you don’t want to be next, ask your CIO this question, “How can we stop a hacker that is already authenticated as an administrator inside our system?” And don’t take “that can’t happen” for an answer.
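As an added example of the dual-approval workflow the comment above describes (not code from the commenter, from Authentify, or from the original post): a privileged action above a row threshold is held until a different administrator confirms it with a code that was delivered over a simulated out-of-band channel, so the requester's in-band credentials alone are never enough to run it. The threshold, the 15-minute window, the account names and the in-memory channel are assumptions of this example.

```python
import secrets
from datetime import datetime, timedelta, timezone

SENSITIVE_ROW_THRESHOLD = 10_000      # assumed policy: larger queries need a second admin
APPROVAL_TTL = timedelta(minutes=15)  # assumed approval window


class ApprovalError(Exception):
    pass


class OutOfBandChannel:
    """Stand-in for an SMS, phone-call or push channel. A real deployment would
    deliver the code to the approver's registered device; here it is kept in
    memory so the example runs offline."""

    def __init__(self):
        self.deliveries = {}  # approver -> most recent code delivered

    def send_code(self, approver):
        code = f"{secrets.randbelow(1_000_000):06d}"
        self.deliveries[approver] = code
        return code


class DualApprovalGate:
    """Holds sensitive privileged actions until a *different* administrator
    confirms them with a code that only arrived out of band."""

    def __init__(self, channel, approvers, now=lambda: datetime.now(timezone.utc)):
        self._channel = channel
        self._approvers = set(approvers)   # admins allowed to approve
        self._now = now                    # injectable clock, for expiry checks
        self._pending = {}
        self.executed = []

    def request(self, requester, description, estimated_rows):
        """Small actions run at once; large ones are parked and approvers notified."""
        if estimated_rows <= SENSITIVE_ROW_THRESHOLD:
            return self._run(requester, description, approved_by=None)
        request_id = secrets.token_hex(8)
        # Every eligible approver except the requester gets a fresh code out of band.
        codes = {a: self._channel.send_code(a) for a in self._approvers - {requester}}
        self._pending[request_id] = {
            "requester": requester, "description": description,
            "submitted_at": self._now(), "codes": codes,
        }
        return request_id

    def approve(self, request_id, approver, code):
        """Second-admin confirmation. Whoever holds only the requester's in-band
        credentials cannot satisfy this without the approver's device."""
        pending = self._pending.get(request_id)
        if pending is None:
            raise ApprovalError("unknown or already handled request")
        if self._now() - pending["submitted_at"] > APPROVAL_TTL:
            del self._pending[request_id]
            raise ApprovalError("approval window expired")
        if approver == pending["requester"]:
            raise ApprovalError("requester cannot approve their own action")
        expected = pending["codes"].get(approver)
        if expected is None or not secrets.compare_digest(expected, code):
            raise ApprovalError("approver not eligible or out-of-band code mismatch")
        del self._pending[request_id]
        return self._run(pending["requester"], pending["description"], approved_by=approver)

    def _run(self, requester, description, approved_by):
        # Placeholder for executing the query or export; records what ran and who approved.
        record = {"requester": requester, "action": description, "approved_by": approved_by}
        self.executed.append(record)
        return record


if __name__ == "__main__":
    channel = OutOfBandChannel()
    gate = DualApprovalGate(channel, approvers={"dba_admin", "sec_admin"})
    print(gate.request("dba_admin", "look up one claim", 1))
    rid = gate.request("dba_admin", "export all member records", 80_000_000)
    print("held for approval:", rid, "code delivered to:", list(channel.deliveries))
    print(gate.approve(rid, "sec_admin", channel.deliveries["sec_admin"]))
```

The separation of duties is enforced twice: the requester is excluded from the set of notified approvers, and an approval attempt by the requester is rejected outright, so a single compromised admin account cannot both initiate and confirm. Codes are compared in constant time and a request is consumed on first approval, so a captured code cannot be replayed against the same request.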

  2. […] cites on this subject an article by Avivah Litan, an analyst at Gartner. But without understanding its meaning: Litan is not in favor of an approach […]


