It seems like every news analysis article on the Anthem healthcare insurance breach headlines that data encryption is the solution that will stop similar breaches in the future.
Too bad these commentators have such short memories and forget what has happened in the retail industry, where PCI rules enforcing data protection (e.g. encryption, masking or other techniques) for data at rest and for data in motion over public networks have done virtually nothing to stop criminals from hacking large retail chains like Target, Home Depot, Staples and many others. These large-scale hacks occurred after U.S. retailers and other payment card acceptors had spent tens of billions of dollars securing – and often encrypting – credit card data.
Even Anthem’s spokesperson said encryption would have done nothing to stop their data breach because the hacker came in through a privileged user account. Some security vendors have responded that encryption can be tuned to limit the number of records that can be retrieved — but such limits are not imposed by encryption, they are imposed by access rights.
This is not to say that encryption doesn’t help. Data protection is an important component of a layered security strategy that includes:
a) Protecting data at rest
b) Protecting data in transit
c) Changing your environment – either logically or physically – as often as possible (using deception or deflection techniques)
d) Context-aware behavioral analytics
To simply call out that the Anthem breach could have been stopped by requiring encryption of data at rest is a knee-jerk reaction that regulators and legislators are bound to latch on to. No doubt, congressional hearings and healthcare/insurance regulators will now spend countless hours devising and implementing laws that require healthcare data custodians to encrypt their data – which will only help defend against yesterday’s attacks.
We’ve learned that:
a) Criminals know how to access encrypted data BEFORE it is encrypted – and data is always in the clear at some point.
b) Criminals’ preferred modus operandi is to hijack existing privileged user accounts (which have access to otherwise protected or encrypted data) to gain access to the information they want. (This is what Anthem says happened in their breach).
c) If there are controls in an application, e.g. metering data access, criminals will quickly learn what those controls are and get around them, for example by slowing down an attack and mimicking authorized human users. (See the recent blog “Where have all our passwords gone” describing how criminals have done this with increasingly-harder-to-detect automated attacks.)
Instead of regulating and legislating around yesterday’s attacks, wouldn’t it be refreshing if we learned from the past mistakes of the PCI-governed retail sector? What we learned from retail and credit card heists is that a layered security approach is always required: you can be sure the criminals can penetrate one or two layers, but penetrating three or four or five layers makes their job that much harder and more time consuming.
More importantly, the retail and credit card industry learned that sensitive data should be useless if criminals manage to steal it. Even Visa and MasterCard have been touting this lesson for years.
Translate that over to healthcare and other sectors that handle sensitive customer data: what’s required, in part, is surrogate values (a la tokens) for social security numbers, so the SSNs themselves are not required to uniquely identify a person or patient for all the myriad purposes that healthcare insurers and government healthcare programs like Medicare use them for.
To protect credit card numbers, Visa and MasterCard finally came up with a really good and cost-effective tokenization standard for credit cards that Apple Pay is the first to use. The EMV token standard does a great job of protecting consumer credit cards from theft and reuse (though merchant requirements need more attention; see the Gartner research note “Avoiding Pitfalls with Payment Security Technologies”). Why can’t the government skip ahead a few years and do the same for social security numbers?
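To make the surrogate-value idea concrete for SSNs, here is an added illustration (not code from the post or from any vendor or standard it mentions) of a minimal token vault: the application stores and joins on a random token, the real SSN lives only in the vault, and detokenization is gated by an access check rather than by a decryption key. The `SsnTokenVault` class, the role name and the constructed sample records are assumptions for this example.

```python
import hashlib
import hmac
import secrets


class SsnTokenVault:
    """Hypothetical SSN token vault: tokens are random, so a stolen table of tokens
    carries no information about the underlying SSNs (unlike encrypted values,
    which are recoverable by anyone who can reach the key or a decrypting app)."""

    def __init__(self, index_key: bytes, permitted_roles=("claims-adjudication",)):
        self._token_to_ssn = {}            # the only place the real SSN is kept
        self._index_to_token = {}          # HMAC(ssn) -> token, keeps tokens stable per person
        self._index_key = index_key        # secret key for the lookup index
        self._permitted_roles = set(permitted_roles)

    @staticmethod
    def _normalize(ssn: str) -> str:
        digits = ssn.replace("-", "")
        if len(digits) != 9 or not digits.isdigit():
            raise ValueError("SSN must be nine digits")
        return digits

    def tokenize(self, ssn: str) -> str:
        """Return the surrogate for this SSN, minting a fresh random one on first sight.
        The same person always maps to the same token, so records can still be joined."""
        digits = self._normalize(ssn)
        index = hmac.new(self._index_key, digits.encode(), hashlib.sha256).hexdigest()
        token = self._index_to_token.get(index)
        if token is None:
            while True:                    # random token, not derived from the SSN
                token = "TOK-" + "".join(str(secrets.randbelow(10)) for _ in range(9))
                if token not in self._token_to_ssn:
                    break
            self._token_to_ssn[token] = digits
            self._index_to_token[index] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only explicitly permitted roles may recover the real value; this is the
        access-rights limit the post says encryption alone does not provide."""
        if caller_role not in self._permitted_roles:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._token_to_ssn[token]


def build_claims_table(vault: SsnTokenVault, claims):
    """Constructed sample: claims are stored with the token in place of the SSN."""
    return [{"claim_id": cid, "member": vault.tokenize(ssn), "amount": amt}
            for cid, ssn, amt in claims]
```

A leaked copy of the claims table exposes only tokens; a hijacked analytics account can read every row yet still cannot turn a token back into an SSN without passing the vault's role check.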
Instead, I think all we have to look forward to is many more years of breaches against healthcare companies and other custodians of sensitive personal data. This will be followed by knee-jerk regulatory reactions — one at a time — that put in place a series of patchwork security solutions which cost companies billions of dollars to comply with but which do very little to keep determined bad guys out.
Progressive companies realize that compliance doesn’t buy them security and will seek to implement progressive solutions – which typically are not the ones regulators enforce.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.