The Wall Street Journal and Bloomberg news services have recently dedicated a column to cybersecurity breaches. This week it is Anthem. I am not sure if they are starting an informal cyber intelligence sharing service, but, unlike the Dow and Nasdaq indexes, the size of the cybersecurity breaches keeps going up, with new 52-week highs.
Target stole the headlines for a few weeks: after $148 million in breach-related losses and the departure of its CIO and CEO, it lured customers back with deeper discounts. Sony became a topic of President Obama's remarks, and today Sony Co-Chairman Amy Pascal took the fall for the recent hack, even after switching to four smartphones as her communication tools after the breach.
Unlike the Sony hack, we didn't waste any time pointing at China as the culprit behind the Anthem breach, because, unlike North Korea, which is interested in Hollywood, Chinese hackers like to know about our health and perhaps enough personal information to start an identity theft plague. "Chinese laws prohibit cybercrimes of all forms," Chinese Embassy spokesman Zhu Haiquan said. "Unfounded hypothesis and jumping to conclusions is irresponsible and will be counterproductive to address these issues." We also encourage buying goods from the original source and not counterfeit ones.
"Cisco CEO John Chambers has warned that 2015 will be a worse year for hack attacks on businesses in a world where an increasing number of devices are connected to the internet." "There is no data center or network in the world that hasn't been hacked. If you watched the number of attacks, they're going up exponentially this year, this year's going to be much worse than last year," Chambers told CNBC at the World Economic Forum in Davos. He goes on to say: "The average attack, you get 90 percent of the data you want in like nine hours, and yet most of the companies don't find out for three to four months."
Bank of America Corp.'s cybersecurity team can spend as much as needed to protect the firm and its customers, Chief Executive Officer Brian T. Moynihan said. So, is the CEO sowing seeds so that if a breach happens, he can say he did everything possible to prevent it?
Anthem, which offers Blue Cross Blue Shield plans in California, New York and other states, said it doesn't know precisely how many people may be affected. So far, it appears that the attack detected last week is the only breach of Anthem's systems, and it isn't yet clear how the hackers were able to obtain the identification information needed to access the database, said Thomas Miller, the insurer's chief information officer.
Let us take a look at the real numbers from the Anthem breach, assuming no personal health information is lost. According to reports, 37 million Americans are currently insured by Anthem, but federal law mandates that insurance companies and healthcare providers keep six years of patient data even after people leave the plan. So the numbers add up to 80 million or more, many of whom are not currently Anthem customers.
I love the traders who assign a financial value to a full set of medical information on a person: $40 to $50 on the street, while a credit card number is worth $4 or $5. So, Target, don't sweat.
The impact of this breach will be sophisticated identity theft patterns that will haunt people for years. The other problem is the interconnection of our healthcare system. Anthem, like any health insurer, is digitally connected to the majority of hospitals, medical diagnostics companies, payroll companies, benefit providers and pharmacies, which together form a complicated digital ecosystem. An entry into Anthem's database to steal the crown jewels does not prevent the hacker from moving on to other weak links, thus exposing the personal data of more than 80 million Americans and of other corporations.
The famous word encryption comes into play here: scrambling or masking data at rest. Unlike at retailers, where tokenization replaces the digits of a credit card number with a substitute whose mapping is known only to the card issuer, healthcare information is more complicated. As we know, HIPAA regulation talks about encryption and de-identification of personally identifiable information, but it is not prescriptive. Encryption is needed but not practical in many business scenarios. Insurance companies share data with so many partners to service a patient that encryption may not be practical for them.
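To make the contrast above concrete, here is an added Python example (not code from the original post or from Anthem) that puts a card-issuer style token vault next to a keyed pseudonymization of an insurer record destined for a partner feed. The card number, member record and insurer key are constructed sample values; the point is that the insurer alone holds the mapping back to the real identity, while partners get a record that is still usable for claims processing.

```python
import hmac
import hashlib
import secrets

# Constructed sample data for this example (not real cardholders or members).
CARD_PAN = "4111111111111111"
MEMBER_RECORD = {
    "member_id": "ANT-0001234", "name": "Jane Doe", "ssn": "123-45-6789",
    "dob": "1971-03-14", "zip": "90210", "diagnosis": "E11.9", "claim_usd": 412.50,
}
# Fields a downstream partner has no need to see at all.
DIRECT_IDENTIFIERS = ("name", "ssn")


class TokenVault:
    """Card-issuer style tokenization: the token is random, keeps only the last four
    digits for receipts, and maps back to the real PAN solely inside this vault."""

    def __init__(self):
        self._vault = {}

    def tokenize(self, pan):
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(12)) + pan[-4:]
            if token not in self._vault:          # skip the (unlikely) collision
                self._vault[token] = pan
                return token

    def detokenize(self, token):
        return self._vault[token]                  # KeyError for unknown tokens


def pseudonymize(record, insurer_key):
    """Insurer-side de-identification for a partner feed: direct identifiers are dropped,
    the member id becomes a keyed HMAC (stable across feeds so partners can join records,
    irreversible without the insurer's key), and quasi-identifiers are coarsened while
    clinical and billing fields stay intact."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["member_id"] = hmac.new(insurer_key, record["member_id"].encode(),
                               hashlib.sha256).hexdigest()[:16]
    out["dob"] = record["dob"][:4]    # year only
    out["zip"] = record["zip"][:3]    # 3-digit ZIP prefix
    return out


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize(CARD_PAN)
    print("token:", tok, "-> issuer resolves to", vault.detokenize(tok))
    print("partner copy:", pseudonymize(MEMBER_RECORD, b"constructed-insurer-key"))
```

Because the HMAC key never leaves the insurer, a partner that is itself breached leaks coarsened records rather than the full identities the original post worries about.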
What we are seeing is a fundamental breakdown in digital security, with rogue nerds preying on us while hiding behind some nation. I am not proposing that regulation is the answer.
I would love to hear people's comments on how to look at this problem holistically, and a healthy debate that business leaders can think about!