As you may have heard already, Anthem Inc., the second-largest healthcare insurer in the US, announced on Wednesday that it was cyber attacked. Medical and personally identifiable information (PII) of 80 million customers and employees of the insurance colossus were potentially exposed, according to the Wall Street Journal (http://www.wsj.com/articles/health-insurer-anthem-hit-by-hackers-1423103720), which could make this the largest healthcare breach ever.
What is even more disturbing is the suspected motive behind the breach. According to BloombergBusiness (http://www.bloomberg.com/news/articles/2015-02-05/signs-of-china-sponsored-hackers-seen-in-anthem-attack), Chinese government-sponsored hackers may have originated the attack to get detailed health information on employees of US defense contractors and others in sensitive roles that could then be used to blackmail them into revealing national defense intelligence.
Despite the aim appearing at this point to be primarily about espionage, rather than monetary gain, it is still possible that those who accessed the data could use it to commit bank and credit card fraud.
Krebs on Security (http://krebsonsecurity.com/tag/anthem-breach/) revealed the attack was actually uncovered by Anthem, which is a departure from the normal course of breaches, in which the compromised firm isn’t aware an attack occurred until a customer, vendor, or other third party tells them.
The legal fallout has already started. BloombergBusiness reports (http://www.bloomberg.com/news/articles/2015-02-06/anthem-sued-in-california-by-consumer-over-massive-data-breach) that one California woman filed a lawsuit against Anthem just one day after the breach was made public.
There is still a lot to be learned in the coming days about the attack, but there are some lessons to learn from this and other breaches:
(1) Your firm has network security that is probably significantly less sophisticated than Anthem’s, and yet this giant corporation’s defenses were successfully defeated. No matter how robust your security, you are still vulnerable.
(2) Cyber attacks come in all shapes and sizes. The Anthem attack was huge, but there are smaller attacks happening all the time on firms that have highly-valuable medical, financial, and PII data, albeit in smaller quantities. Your firm is almost certain to have some amount of this data, even if it is just on employees. Additionally, there is probably business-sensitive information on your network that competitors would love to steal.
(3) Breaches are expensive to overcome. Anthem will probably end up paying in the tens or hundreds of millions of dollars to repair this breach. But even attacks on a small to medium sized business can have staggering financial consequences, because the business will pay for costs of computer forensics experts to stop the intrusion and figure out what data was exposed, civil and regulatory agency fines and penalties, breach notification to the victims, lawsuits, loss of income due to business interruption and reputation damage, etc.
The bottom line is that you need to think soberly about your business’s digital defenses. As we have discussed before, there is a whole host of things you can do to shore up network security, but there is no quick fix and this requires resolve and the right mindset from the CEO to the hourly employees.
Additionally, if you don’t have network security and privacy insurance, also called “cyber insurance,” then you should get it. Cyber coverage won’t solve your security issues, but it will make it much less painful in the event of a breach.
If you would like to know more about IT security implementation or cyber insurance, please contact us. We can help your company with both.
Sincerely,
Steve