What Anthem Taught Us About Monitoring Information Security

In late January, Anthem announced that it had been breached, compromising data from 80 million people. It is the largest publicly-disclosed breach of a healthcare company.

Although Anthem’s network was initially believed to be breached in January, Brian Krebs reported that the breach could have started back in April of 2014. Krebs also said the attack included a phishing campaign in May of 2014.

No matter when or how a company discovers a breach (through its own work or a third party like the FBI), it’s important to act quickly in order to limit the damage caused by the attack. Damage control is an important element of information security.

The Healthcare Industry’s Information Security Performance

As you can see in the table above, the healthcare industry is still behind Finance and Retail. It has the same rating as Utilities, and is just barely ahead of Government. (Healthcare was also struggling in a BitSight Insights report published last May.)  Although our ratings are not predictive, we do believe that poor security performance is an indicator of greater security risk and should be cause for concern.

Watch BitSight Executive Vice President, Tom Turner, speak about the security performance of the healthcare industry in this CBS Evening News piece.

What can Vendor Risk Managers Learn from the Anthem Breach?

There are two takeaways from Anthem’s breach that vendor risk managers should keep in mind as they continuously monitor their own security risk posture.

1. Continuous monitoring of your security performance, and that of third parties you share sensitive information with, can be invaluable for detecting and preventing major security incidents, and also minimizing the damage when a successful breach occurs. Anthem’s network was compromised for ten months before the breach was discovered. Not only did this put their data at risk, but companies who shared network access with Anthem may also have been exposed.

2. Employee education about security threats, especially how to identify and avoid falling victim to spear phishing campaigns, should be a top priority. As discussed in this Credit Union Info Security article, several recent breaches have started as the result of successful spear phishing campaigns targeting employees. To protect your customers and partners, organizations should also make sure their Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) records are configured properly, so attackers can’t use your domain to make their phishing emails appear to be legitimate. As Dave Jevans, co-founder of the Anti-Phishing Working Group said in the above mentioned article, "In my view, there is no credible reason why anybody internal to the company should receive e-mails claiming to be from the company with 'from' addresses that were sent from an external server...The use of SPF [sender policy framework] ... on your e-mail server, so that all outgoing e-mail is authenticated and also all inbound e-mail is authenticated and checked, particularly from your own domain, should be in place."