Ridiculous Irresponsibility Facilitated Premera and Anthem Hacks

  • Who Cares About Security? Let’s Make Some Money
  • Gaping Security Holes? Okay, Give Us the Better Part of a Year
  • Anthem Doesn’t Need a Big Brother
  • Trust the Experts

Who Cares About Security? Let’s Make Some Money

As the public gradually gets more information about the breaches of the insurance outfits Anthem Blue Cross and Blue Shield and Premera Blue Cross – which involve the data of nearly 90 million people – it has become clear that, at both companies, security ranked well behind profit as a priority.

As Dan Bowman of FierceHealthIT puts it, “Perhaps the most disturbing revelation of all is that, in both instances, neither entity appears to truly take security seriously.”

Premera was advised three weeks before the original invasion of its infrastructure in May 2014 that its security mechanisms were unacceptably bad (although they might have figured that out themselves beforehand if they had security experts on staff and the corporate accountability to listen to them). At that time, the federal HHS’s Office of Inspector General (OIG) sent a list of numerous weaknesses, including unsafe server setups and the elementary-school-level security snafu of software update delays, to the healthcare payer.

The OIG review was not just negative but expressed urgency, noting that “failure to promptly [emphasis mine and every reasonable person’s] install important updates increases the risk that vulnerabilities will not be remediated and sensitive data could be breached” – which of course the health plan firm could have learned from any introductory security textbook or possibly from their own children.

The government additionally warned the insurance company, headquartered in Washington, that it should replace any old and unsupported applications in order to avoid a criminal intrusion – which again was perhaps reiterated by one of the CEO’s (admittedly slightly precocious) 8-year-olds.

Gaping Security Holes? Okay, Give Us the Better Part of a Year

Once the insurer found out that its infrastructure was inadequate – from the government, since it apparently doesn’t do much checking of its own systems – it set up a deadline to have everything fixed. What’s a reasonable amount of time to do something critical (such as, I don’t know, pay a claim or set up basic IT security mechanisms) that could easily – and did easily – result in identity theft for literally millions of people? Eight months should be fine.

Premera Blue Cross waited until the end of the year, December 31, to verify that its systems were safeguarded in the manner established by the OIG. A month following that, the company discovered that up to 11 million users’ accounts had been compromised, as reported by the Wall Street Journal.

Bottom line: Premera had bad security when the OIG started its audit, and if they had moved “promptly” and not “whenever you get around to it” (apparently what the executives thought they read), they might have ousted the attackers before they were able to fully penetrate the various pieces of their network.

Anthem Doesn’t Need a Big Brother

Anthem is continuing to argue that it knows what it’s doing even though it did not encrypt any of its stored data. The #2 insurer in the US, running Blue Cross Blue Shield plans in 14 states, will not allow the federal government access to conduct risk assessments and check its servers following an enormously successful hack of its systems.

Previously, the company did not allow federal inspectors to check its protective mechanisms when it was audited in 2013, pointing to a purported company decision to disallow any outside organization from entering its back end – although they’re fine with letting hackers in there, apparently.

“Corporate policy is all well and good,” argues Bowman, “but it’s not going to mean squat to a consumer two years from now when Anthem’s complimentary credit monitoring wears off and the hackers begin wading through the treasure trove of stolen information.”

Bowman, whose own information was stolen in the breach, said that Anthem should at the very least bring in outside security professionals to determine whether its environment is in fact HIPAA-compliant and safe for its users. That advice comes from Shaun Greene, COO of Utah-based Arches Health Plan. (In other words, some covered entities actually are interested in knowing that their systems are protected, and they don’t procrastinate when they know that something is wrong.)

Needless to say, these hacks do not stand in isolation. Community Health Systems of Tennessee was penetrated last year, probably by Chinese state-sponsored hackers, as is believed to be the case with Anthem. Will these companies ever care about this issue? Probably not. That just doesn’t seem to be part of their “corporate policy.”

Trust the Experts

Even if you feel that your system doesn’t have any obvious loopholes such as patches that haven’t been applied or software from the 1990s, the safest way for you to protect your users is to use a system that has been verified secure through numerous third-party certifications and audits. Get help today!

By Kent Roberts