Home » Readers Write » Currently Reading:

Readers Write: Fact and Fiction About Anthem’s Breach

February 9, 2015 Readers Write 10 Comments

Fact and Fiction About Anthem’s Breach
By John Gomez

Anthem has quickly created a surge of inquires across the wire, leaving many CIOs wondering how they can keep ahead of the cyber-security challenges that continue to evolve. I suspect no one is surprised to learn about the existence and extent of the attack on Anthem. More than likely, many in our industry continue to wait for the “big one.” That in and of itself is a rather scary state of affairs. Most of us are not surprised and we don’t collectively believe this is as bad as it will get.

The Anthem breach is an ongoing criminal investigation led by the FBI with the assistance of FireEye and Mandiant, so nobody knows all of the details. As was the case with the Sony Pictures breach, sources will make statements without the evidence that only the FBI possesses. Here’s what we know today.

Anthem reported the breach publicly within eight days of discovery. Approximately 80 million customer and employee records may have been stolen, but the common thinking is that the actual number may be higher and that there is a high probability that other critical data was also compromised by the attackers.

The customer and employee data stolen was complete — name, home address, email address, date of birth, medical history, employer information, family relationships, and much more. That valuable information allows attacks to continue against the individuals whose information was compromised.

The concern with Anthem is that this is a move by a foreign state to amass profiles on individuals and use that information in future operations. That’s one theory, but equally likely is that the breach was profit driven since complete records are worth well over $100 on black markets.

Attribution — figuring out who did it — is one of the most difficult things to do in the world of cyber-forensics. Companies specialize in attribution, but their success rate is low, often less than 50 percent. The amount of computing power, resources, and advanced algorithms required to perform attribution at a higher level of success is mind boggling. While a theory exists as to who carried out the Anthem attack, it could be proved wrong as the evidence unfolds.

Current intelligence points to one of two groups with ties to China — Deep Panda and Axiom. Both groups have previously carried out verified attacks that had sophisticated intelligence-gathering objectives.

Deep Panda has developed a five-year strategic attack plan that includes objectives specifically focused on healthcare targets. Axiom has a specific and focused attack plan that includes government agencies, electronics and integrated circuit manufacturers, Internet-based services companies, software vendors, journalism and media organizations, NGOs, healthcare providers, biomedical device manufacturers, pharmaceutical companies, and academic institutions.

It appears that Anthem may have been compromised by parallel attacks. The first focused on employees with phishing attacks that allowed the attackers to deploy malware via their corporate email accounts. The second attack appears to have been via DNS compromises used to deposit malware.

Credible cyber-security operators rarely call an attack “sophisticated” or “advanced” unless they are trying to make headlines. Anthem’s attackers had a plan, were extremely patient, and were focused on their victim. Their attack was sophisticated and advanced, but due to tactics and practices, not because they used a new generation of attack technology. Anthem was mostly likely beaten by off-the-shelf technology and practices, the same techniques that attackers would use in penetrating any healthcare organization.

The preliminary investigation suggests that Anthem’s attackers used malware known as Poison Ivy or HiKit or some combination or derivative of those tools. Both malware applications are attributed to Chinese developers. Steps can be taken to determine whether an organization has been compromised by those tools, and if found, a cyber incident response team should be contacted immediately.

Anthem was tested for exploits by attackers over months or even years. Its employees fell for a phishing attack that compromised their machines. In parallel, perimeter systems were also compromised. Malware allowed the attackers to monitor network traffic, take over webcams, and capture confidential date over a long period. Some believe that Anthem was an attack pivot from which its clients or vendors could be compromised.

I suspect that we will learn that Anthem also had weak passwords (fewer than 15 characters), didn’t use dual-factor authentication, relied on third parties for DNS, and very possibly had its supply chain compromised.

Company executives can miss a few quarterly financial goals, run late on a few initiatives, and even run over budget a couple of times. But if they have a major breach, their career is over. Target’s CEO resigned after its breach and just last week the top film executive at Sony Pictures stepped down. I suspect we will see something similar at Anthem.

There is a saying in special operations: don’t be that guy. Don’t be the person who takes the easy road or embraces mediocrity. Get  mad and assertive about cyber-security. Rethink vulnerabilities, test systems, learn what you don’t know, share information with the community, and become vocal.  We have a choice — we can either wait to be attacked or we can decide that enough is enough.

John Gomez is CEO of Sensato of Asbury Park, NJ. Intelligence Analyst Laura Walker contributed to this article.

John will host a free, HIStalk-sponsored Q&A webinar on the Anthem breach on Friday, February 13 at 2:00 p.m. Eastern. 

HIStalk Featured Sponsors


Currently there are "10 comments" on this Article:

  1. Good summary John, but mediocrity is ramped in healthcare about cyber security and anyone who denies it is not telling the truth. Most organization don’t have the financial or personnel resources to stay ahead of the threats, and leadership is not willing to expose themselves to the C suite or their board about their weaknesses. It’s time for the industry to step up and get assertive beyond forming associations. It’s time to spend the money to improve or spend the money to pay the fines and lose your job. Right now, my perception is that it is a cost of doing business.

  2. John, Good article – scary but to the point. No one is talking about this in the c-suite …. always thinking it will happen to someone else….I doubt any CIO really understands this stuff…which is just as scary….

  3. HIPAA requires a risk management plan. Such plans would naturally lead to strengthened authentication, database encryption, and other technical measures, as well as non-technical measures such as improved administrative policies, anti-phishing training, and various assurance tests. This is not rocket science.

    So what we have here is likely the result of an ineffective risk management plan implementation. Typically, security and privacy are after-thoughts and not adequately funded even if the risk management plans identify what needs to be done. It is a willful management error.

    HIPAA has provisions that would heavily penalize companies that fail to protect the privacy of patient identifiable data. I hope those penalties are imposed on Anthem. If senior executives lose their jobs, too, so much the better. Until a heavy price is paid, predictably and repeatedly, effective health data security will be elusively optional.

  4. We all need to be prepared to address this with our Boards … guaranteed they will be asking questions in their next session!

    More importantly, we have a responsibility to our patients and staff members to be diligent in guarding their data. Anyone who states their security measures/profile is in good shape needs to watch out for the loose rock on the cliff that will lead to the tumble. The effort is never finished and we can never do enough. Without sounding like we are trying to scare our executive peers and the board, we have to let them know that these efforts are going to continue and our work with security will never be done.

    This one hit really big and close to home … I don’t think anyone believes ‘it can’t happen to me’ anymore!

    Be Safe!

  5. Until the C Level understands that protection (in its many forms) is directly linked to profit, and therefore requires a commensurate level of investment and commitment to success, than these types of breaches will continue.

  6. As long as the federal government keeps pushing things like MU and ICD-10, data security will never get the attention it deserves. Interoperability, population health, ACO…is a waste of money until this is fixed. Where will the next big breach be?

  7. @Kinda fonda wanda
    Really? ICD-10 and MU? The federal government pushes MU to account for incentivized money it gave out to make sure hospitals were implementing what they said they were going to spend the money on. Not an excuse.
    ICD10? You mean the standard the rest of the world has been using for years, but because our medical teams are sooo slow to change we haven’t adopted? Also not an excuse.
    Each hospital needs to adopt a cultural change to how IT is viewed and treated in order for security to be handled appropriately. Let’s not blame all the other work that we should have done years ago but continue to put off when we really all need to get our acts together.

  8. @scruff…MU and ICD-10 have eaten up so much hospital cash (and tax dollars) that could have been used for more investment in IT security. Most health systems would have implemented EMR’s without the incentives from the government…and they would have done it on their terms and timelines. If you think the MU incentives were well spent then I won’t waste my time trying to argue with you.
    BTW…the federal government can’t even deliver a letter across town without losing money and you want them to push incentives for healthcare…I think I know where the culture change needs to start.

  9. @Kinda fonda wanda
    I guess my point with meaningful use is that you only have to follow it if you want the incentives. If you want to move towards an EMR at the usual slow pace healthcare moves, then fine, but then you can’t use either as an excuse for IT security. Same goes with ICD-10. My company and I are billing only and are ready, willing and able. The only complaints I hear are from the doctors that don’t like getting trained. I have little to no sympathy for that either as we all have to learn and adapt. Again, not a reason to blame a delay in IT security.

    The culture change I’m discussing is the willingness to adopt technology in the healthcare field. I see it when working with other hospitals and listening to nurses and doctors. Some love technology and champion investment in it, while many others don’t. It’s those that don’t that often slow down adoption of new technologies or better standards such as ICD-10. Those entrenched in healthcare, most of whom probably don’t read this blog, need to understand and be interested in their IT teams and make sure appropriate dollars are invested for solid education and personnel in this area. I hear a lot of people at the C level say this is happening but there are far too many hospital server rooms in basements and broom closets that prove otherwise.

    If we want someone to blame for healthcare being 10 years behind the financial system, which by the way is still behind (i.e. chip enabled credit cards), then all we have to do is look in the mirror. The government may be everyone’s favorite scapegoat, but at the end of the day, it’s on you and me.

  10. Might I also add that a lot of the security tips pointed out are simple to implement. It takes only an IT director, CIO, or manager to fight entropy and get the staff to implement those changes. End users may complain, but entropy is no excuse either. The longer we wait, the worse it will get.

Founding Sponsors


Platinum Sponsors






















































Gold Sponsors












Reader Comments

  • @JennHIStalk: Ugh, what an anxiety-inducing, frustrating experience! I agree with your idea of the more appropriate "thank you for cho...
  • Vinnie whibbs: Thanks for reminding the readers that the most important thing to reopen is the school system....
  • Bob: Sounds like an online review is in order. Patients do look at those (and so do clinics)...
  • Brian Too: As a developer, I can give you my take. And software is my whole world, so... Such statements are typically meant to...
  • IANAL: Why isn’t this an EHR feature vs a separate company? In other words, what is the difference between this and your EHR ...

Sponsor Quick Links