Anthem's stolen customer data not encrypted

But under federal law, health insurance companies don't have to encrypt user data.

Lance Whitney Contributing Writer
Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books--one on Windows and another on LinkedIn.

Health insurer Anthem says the hacked database containing the personal information of 80 million people wasn't encrypted. But here's the catch: the company was not required to do so.

On Wednesday, Anthem revealed that it had been hit by hackers who broke into servers and stole the personal information of as many as 80 million current and former members and employees. The company's CEO, Joseph Swedish, said that this "very sophisticated external cyberattack" gained access to names, birth dates, member IDs, Social Security numbers, addresses, phone numbers, email addresses and employment information. However, no evidence has emerged that credit card or medical records were compromised.

Companies that follow sound security policy normally encrypt certain customer data stored on their servers. Encrypting the data makes it more difficult, but not impossible, for hackers to view or sell the information they've stolen. But Anthem didn't follow such guidelines in this regard. Why not?

Under the federal Health Insurance Portability and Accountability Act (HIPAA), health insurance companies are not required to encrypt the data stored on their servers. The HIPAA ruling recommends using encryption if the health insurer believes it's an appropriate measure to mitigate risk. But lacking a specific requirement essentially leaves it up to each company to decide how to protect its data.

Anthem spokeswoman Kristin Binns told The Wall Street Journal that the company encrypts personal data when it's moved in or out of the database but not when it's stored, a practice she said is common in the industry.

"We use other measures, including elevated user credentials, to limit access to the data when it is residing in a database," Binns added.

Encrypting the data would better protect it, but doing so would also pose a challenge to the health insurer. Specifically, encryption would make it more difficult for Anthem employees to track health care trends or share data with health care providers and state government, "a person familiar with the matter" told the Journal.

However, would encrypting the data have prevented it from being stolen? No, says a spokesperson for Anthem.

"Anthem's database was accessed after bypassing our security protocols," the spokesperson told CNET. "Because an administrator's credentials were compromised, additional encryption would not have thwarted the attack."

So if encryption alone can't always prevent data theft, companies are faced with an even bigger challenge of ensuring that every possible security measure is implemented. But we face a world in which the hackers are often more clever and cunning than the security professionals who have to protect customer data.

In an article published on Ars Technica, Steven Bellovin, a professor in the computer science department at Columbia University, said that sensitive databases are always in use, which means they're continually being decrypted. That also means the encryption key is available in memory or elsewhere for savvy hackers to seize. The problem lies more with how access to the database is controlled, Bellovin argued.

"Protecting large databases like Anthem's is a challenge," Bellovin said. "We need better software security, and we need better structural tools to isolate the really sensitive data from average, poorly protected machines. There may even be a role for encryption, but simply encrypting the Social Security numbers isn't going to do much."

The attack against Anthem has triggered an investigation by several US states, Reuters reported on Friday. Attorneys general from Connecticut, Illinois, Massachusetts, Arkansas and North Carolina are now looking into the matter. Connecticut Attorney General George Jepsen has already requested that Anthem provide details about its security measures, the events that led to the discovery of the hack and the steps the company is taking to make sure this type of attack doesn't happen again.

The FBI is looking into the possibility that the attack came from overseas, possibly China, sources told CBS News. On Wednesday, the FBI confirmed that it is investigating the hack but didn't reveal any specific suspects.

"As far as China being involved, I don't know," FBI spokesman Paul Bresson told Reuters. "I don't think we know yet. Our investigation is ongoing."

However, on Thursday, investigators started looking at a group in China. The hack used malware and tools that are used almost exclusively by Chinese cyberspies, investigators told the Journal.