Encrypted data is too difficult to access!
Chris Katko
Member #1,881
January 2002
http://www.wsj.com/articles/investigators-eye-china-in-anthem-hack-1423167560

Quote: Anthem Inc. stored the Social Security numbers of 80 million customers without encrypting them, the result of what a person familiar with the matter described as a difficult balancing act between protecting the information and making it useful.

Quote: Scrambling the data, which included addresses and phone numbers, could have made it less valuable to hackers or harder to access in bulk. It also would have made it harder for Anthem employees to track health care trends or share data with states and health providers, that person said.

Quote: Is turning a corporate network into an electronic Fort Knox [by using the world's simplest and most obvious security policy] worth the potential cost?
furinkan
Member #10,271
October 2008
Obviously the person at Anthem (or wherever) is an incompetent twat, and needs removal.

EDIT: Also, wish I could read the article... nice paywall WSJ.
Chris Katko
Member #1,881
January 2002
furinkan said: Also, wish I could read the article... nice paywall WSJ.

B.S. I saw it without one! Douchebags! If you come from Google news, it doesn't show it!

Quote: Anthem Inc. stored the Social Security numbers of 80 million customers without encrypting them, the result of what a person familiar with the matter described as a difficult balancing act between protecting the information and making it useful.

Scrambling the data, which included addresses and phone numbers, could have made it less valuable to hackers or harder to access in bulk. It also would have made it harder for Anthem employees to track health care trends or share data with states and health providers, that person said.

The risks became clear last week, when Anthem discovered that hackers had broken into the database and made off with information on tens of millions of consumers, likely making it the largest computer breach disclosed by a health-care company. Because the data wasn’t encrypted, it would be easily readable by hackers. The company believes a hacker group used a stolen employee password to access the database.

That storage decision has made the country’s second-largest health insurer the latest poster child for a continuing debate in executive suites: Is turning a corporate network into an electronic Fort Knox worth the potential cost?

There is no evidence yet that identity thieves are using the data stolen from Anthem, it said.

On Thursday, investigators began to focus on links to a group in China. Although the investigation remains in its early stages, the Anthem hack relied on malware and tools that have been used almost exclusively by Chinese cyberspies, investigators said.

“Chinese laws prohibit cyber crimes of all forms,” Chinese Embassy spokesman Zhu Haiquan said. “Unfounded hypothesis and jumping to conclusions is irresponsible and will be counterproductive to address these issues.”

Employers and government agencies “require us to maintain a member’s Social Security number in our systems so that their systems can uniquely identify their members,” Anthem spokeswoman Kristin Binns said.

Ms. Binns said Anthem encrypts personal data when it moves in or out of its database but not when it is stored, which is common in the industry. “We use other measures, including elevated user credentials, to limit access to the data when it is residing in a database,” she said.

Anthem said it is likely that ‘tens of millions’ of records were stolen.

Adam Greene, a privacy attorney with the law firm Davis Wright Tremaine LLP and former official in the U.S. Department of Health and Human Services, said encryption isn’t a cure-all for data breaches. “At some point, that information is going to be used in an unencrypted state and if a hacker has access to it at that point, the information could be exposed,” Mr. Greene said.

Last month, New Jersey Gov. Chris Christie signed a law requiring health insurers operating in the state to encrypt client information, including Social Security numbers, driver’s license numbers, addresses and identifiable health information. The law was prompted in part by a breach of 840,000 individuals’ information from Horizon Blue Cross Blue Shield of New Jersey in 2013, following the theft of two laptops containing unencrypted data. Anthem doesn’t sell plans in New Jersey.

Health insurers don’t always encrypt members’ data, and aren’t required by the federal Health Insurance Portability and Accountability Act to encrypt data. Under HIPAA, doctors, hospitals, health plans and others must “address” encryption in their operations, but don’t have to scramble data if they determine doing so would impose an unreasonable burden, the likelihood of disclosure is low and they have implemented alternative security measures. Mr. Greene, the privacy attorney, said repeated breaches show that the risk of disclosure isn’t low.

Health and Human Services’ Office for Civil Rights, which enforces HIPAA, is urging providers and insurers to encrypt as much data as possible. The office didn’t respond to a request for comment on Thursday.

The office has imposed penalties or reached settlements in 24 data-breach cases in recent years, including two in April 2014 involving lack of encryption. Concentra Health Services unit of Humana Inc. agreed to pay $1.7 million after an unencrypted laptop was stolen from one of its facilities. The same month, QCA Health Plan Inc. of Arkansas agreed to pay $250,000 to settle potential HIPAA violations after an unencrypted laptop containing information on 148 individuals was stolen. HHS’s Office for Civil Rights said at the time: “Our message to these organizations is simple: encryption is your best defense against these incidents.”
MiquelFire
Member #3,110
January 2003
I sometimes get hit with a paywall on WSJ even when the reason I got the link was from Google News (as a result, my front page is set to NEVER show me articles from them).
Gideon Weems
Member #3,925
October 2003
In some comment section somewhere, someone mentioned something interesting. Forgive me for not remembering the legal terminology: When major data breaches happen, data-holding companies are prosecuted for "whoops-a-daisy!" crime, but the role of technology in society has changed enough for them to now be prosecuted for "reckless" crime. The fines are a lot more serious for the latter, and it's more a matter of time before some brave lawyer steps up to the plate and sets a precedent.
Chris Katko
Member #1,881
January 2002
I want to know what the hell the justice department is doing when these things happen. One guy downloads some pictures he shouldn't have, and he goes to jail. A company essentially GIVES away millions of sensitive financial and protected health information and nothing happens.
furinkan
Member #10,271
October 2008
Thanks for the post! Now I can read!

Anthem Lady said: “We use other measures, including elevated user credentials, to limit access to the data when it is residing in a database,”

I bet they use passwords, too. Again, they clearly have no clue.