Anthem hack reveals limits of voluntary cyber frameworks
Editor’s note: This story has been updated to include additional commentary from U.S. Chamber of Commerce Vice President of National Security Ann Beauchesne.
Just hours after Senate lawmakers voiced concerns about the efficacy of the voluntary cybersecurity framework endorsed by the White House and major industry groups, the nation’s second largest health care insurance provider and supporter of voluntary industry standards announced it had become the latest victim of a massive data breach.
Anthem Inc., formerly known as WellPoint Inc., announced Wednesday that hackers had compromised as many as 80 million customer records in what the company called a “very sophisticated” cyber attack. “These attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data,” Anthem’s President and CEO Joseph Swedish said in a statement posted on the company’s website. “Based on what we know now, there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised.”
The incident, which analysts fear could be one of the largest data breaches in the history of the health care industry, raises serious questions about the usefulness of voluntary cybersecurity standards, such as the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity — the centerpiece of the Obama administration’s national cybersecurity strategy.
FedScoop has learned that Anthem Vice President of IT Security and Chief Information Security Officer Roy R. Mellinger sits on the board of directors of the Health Information Trust Alliance, known as HITRUST, which established a voluntary cybersecurity framework for the health care industry known as the Common Security Framework. In addition, the CSF “harmonizes the requirements of existing standards and regulations,” such as the NIST framework, according to the HITRUST website.
“Analysis of the NIST Cybersecurity Framework indicates the HITRUST Risk Management Framework – consisting of the CSF, CSF Assurance Programs and supporting methods and tools – are a comprehensive and specific model implementation of the NIST Cybersecurity Framework for the healthcare industry,” the alliance stated in response to the release of the NIST framework last year.
As news of the breach broke Thursday morning, White House Cybersecurity Coordinator Michael Daniel was speaking during a webinar sponsored by Bloomberg Government. While he said the occurrence of “yet another intrusion of this size … was quite concerning,” Daniel declined to comment on the breach or the implications it might hold for the administration’s strategy.
FedScoop reached out directly to HITRUST and the Department of Homeland Security for comment but did not receive a response by press time.
Philip Casesa, director of IT and service operations at IT education nonprofit (ISC)2, said voluntary frameworks like the NIST cybersecurity guidelines are just a series of best practices for industries and that such efforts should be applauded. “It does raise the bar for the expected standard of due care for participating organizations,” Casesa said. “The problem is that even best practices are no guarantee of protection from a breach — it just reduces likelihood. The complexities of systems and the sophistication of attackers make any assurance of complete safety due to implementation of a security framework to be a foolish brag.”
One of the positive aspects of the Anthem incident is that the company discovered its own breach and seems to have followed appropriate incident response steps, Casesa said. “In many cases, the companies are told about a breach by outsiders once the data is hitting the black market. This means that security is not a complete afterthought and they do have the monitoring and response procedures in place to react — it just wasn’t enough to fully protect the data this time.”
In a letter to the Federal Trade Commission Thursday, National Consumers League Executive Director Sally Greenberg called on FTC Chairwoman Edith Ramirez to convene a workshop focusing on the growing problem of data breaches and the efficacy of voluntary standards.
“The goal of such a workshop should be to create a record that the Commission can use to understand how well existing voluntary guidelines, self-regulatory regimes and cybersecurity technologies are working to protect consumer data,” Greenberg wrote. “The event would also assist the Commission to develop guidance for businesses and other entities on how comply with Section 5 of the FTC Act by better protecting their customers’ data.”
Just hours before news broke of the Anthem breach, members of the
Senate Commerce Committee challenged a panel of public and private experts Wednesday on whether the NIST cybersecurity framework does enough to protect the nation’s critical assets and infrastructure.
“I believe there needs to be greater government direction, legislative involvement, for the moment,” Sen. Richard Blumenthal, D-Conn., said.
Sen. Bill Nelson, D-Fla., the committee’s ranking member, said while he approves of NIST’s work, he is troubled by the lack of information detailing how many companies have adopted the guidelines the framework sets forth. Nelson pushed Ann Beauchesne, vice president of the U.S. Chamber of Commerce’s National Security and Emergency Preparedness Department, to detail how the framework is being used.
“How can you say that everything’s working, as you testified?” Nelson asked Beauchesne after she said the framework’s rollout and development have been a success.
“Many organizations—public and private—should use the framework because it’s the smart thing to do from a risk management standpoint,” Beauchesne told FedScoop. “However, nearly every organization in America could be using the framework, yet they would still be unable to prevent most skilled criminal gangs and nation states from breaching their defenses,” she said.
According to Beauchesne, organizations require layered defenses. “Blaming the victims of cyberattacks or the framework itself misses two important points: Policymakers should devote their time and attention to helping U.S. organizations improve their cybersecurity posture and deterring bad actors,” Beauchesne said. “American officials and the private sector need to develop and unite behind a workable cybersecurity deterrence strategy, which the United States lacks today.”
Ivan Shefrin, vice president of Security Solutions at cybersecurity firm TaaSera Inc., said voluntary frameworks appear to work well on face value but much more needs to be done to have a real impact on cybersecurity. “Given the overwhelming emphasis of such standards on preventing security breaches, rather than on responding to them, I expect only incremental progress from such an approach,” Shefrin said. “What’s needed is to augment the HITRUST framework to shift focus from standards and requirements focused almost exclusively on breach prevention, and broaden them to include detection and response once cyber criminals penetrate and take hold inside the network perimeter.”
Cris Thomas, a cybersecurity strategist at Tenable Network Security, said there is the possibility that while the Anthem incident may have been a targeted attack, it could be the first in a string of similar attacks targeting the health care sector. “I’m also curious to know what [indicators of compromise] HITRUST is basing its decision not to issue an alert on,” Thomas said. “While the methods in the attack may have been specifically targeted at Anthem, it is likely that the same criminal group will target other medical records with similarly specific attacks.”
“There are some basic practices that we need all organizations to be following in cyberspace in order to actually raise the level of cybersecurity,” Daniel said. “It is in everybody’s interest to actually be good at cybersecurity.”