The Anthem Breach: HIPAA, and What's Known So Far
The breach of over 80 million records was announced late last night by “Anthem”, the United States’ second largest health insurer. While their electronic health records are not expected to have been breached, what the attackers gained access to may have been even more valuable. They managed to gain access to over 80 million records including information like names, birthdays, SSNs, addresses, phone numbers, email addresses, and employment information. Forget credit card fraud, there are mortgage brokers that ask for less information than that!
Fortunately, Anthem President and CEO Joseph Swedish announced by email that they would “individually notify current and former members whose information has been accessed… (and) provide credit monitoring and identity protection free of charge so that those who have been affected can have peace of mind..."
That’s just the way breaches seem to go these days. A high-ranking representative finishes their meetings with their security consultants, PR firm, and legal team, then goes public, announces a breach, and in the same sentence offers complimentary credit and identity monitoring. Every time a substantial data breach occurs, though, someone always has to play the blame game. “Company A’s IT security wasn’t compliant with HIPAA. Clearly they should have fixed X and prepared for Y…” Well, I don’t believe approaching this sort of issue from that angle is productive. Security is always fallible and *stuff* happens.
If you want to blame something, blame the reliance industries currently place on security regulations. Regulations are not, and have never been, an absolute solution. A chef doesn’t make delicious food because their restaurant passed a health inspection. The health inspection is there to make sure that the food (probably) won’t kill anyone. Unfortunately, in many industries that deal with IT security, people throw around the types of compliance standards they meet like it’s some sort of badge of honor. It’s not. If anything, it’s just an acknowledgement that you’re not utterly incompetent. If you only judge a breached business by whether it was compliant or not, you’re asking the wrong questions.
Little has been done so far to address whether or not Anthem was HIPAA compliant, but there’s so much more to IT security than those paint-by-the-numbers security guidelines. The key thing about IT security is that you can never eliminate the risk; you can only mitigate it. It’s easy to fall down the rabbit hole and make statements like “If Anthem was HIPAA compliant, then HIPAA is not a strong enough standard” or “If they weren’t HIPAA compliant, then the standard was not enforced strongly enough,” but again, these are the wrong sort of questions. The only meaningful question that should be asked is: could this breach have been reasonably avoided? With the information currently available, there’s no answer to that question.
If you think about it, though, that’s IT security in a nutshell. There are virtually no absolute truths in the field of IT security. The only absolute is that any system could be breached: P(Breach) ≠ 0. If someone wanted to dedicate enough resources, they could breach any system. To combat this, those in IT security must follow a constant process of checking and confirming that their systems are as they should be.