What Anthem did or did not encrypt has been a topic of conversation ever since news of its massive breach of customers’ personal information broke last week. It appears that, in compliance with the Health Insurance Portability and Accountability Act (HIPAA), which doesn’t explicitly require encryption of customer data, Anthem did not encrypt the breached data, and a company spokeswoman has said that even if it had, that wouldn’t have protected the data because the hacker had admin-level access, according to a piece in The Huffington Post.
Michael McQuinn, co-founder and CTO of Criterion Advisory, points out in a piece on DataInformed that the fact is, “there will always be something:”
“Even if Anthem had encrypted its databases on disk, the backups could have been stored unencrypted. It’s also possible that an update to a data transformation process for a big data initiative neglected to anonymize social security numbers. It even could have been as simple as a developer’s laptop containing sample data being stolen.”
For the last few years, it’s been easy to find pro-encryption arguments, some of which get downright self-righteous when yet another well-publicized breach occurs. The debates in favor of and against encryption, in general, most often rely on balancing improved data security versus ease of use and access for the business. But the arguments against the idea that “encrypted” data is impenetrable data are growing. While this eSecurityPlanet piece on the Anthem breach puts forth a couple of suggestions on making encryption work for all parties by using “searchable encryption” tools or data masking, the fact of the matter is, as Protiviti Managing Director Jim DeLoach told me today, “every business has already got someone inside the system, and cyber criminals play for keeps.”
Ulf Mattsson, CTO at Protegrity, told me in an email that while “If published reports are accurate and Anthem did not encrypt or otherwise protect their customers’ data while stored in their internal systems, then their level of security was not appropriate for the potential risks of attack,” again, encryption is neither a black and white issue nor a magic pill.
“To hear some experts and even people ‘familiar with the matter’ tell it,” Mattsson said, “businesses like Anthem only have two choices when it comes to protecting their most sensitive customer and employee data. On one hand, they can encrypt all of their data. That certainly provides a high level of security, but it has the potential to block or slow down the business processes required to serve customers effectively. On the other hand, they can leave the data unencrypted in their databases, protected only by passwords, firewalls and intrusion detection software. This perimeter-based approach allows the data to flow freely through all required business processes, but it provides little defense against unauthorized users who are able to impersonate insiders with proper access credentials – as the constant drumbeat of data breach news demonstrates.
“To encrypt or not encrypt is a false choice. The ‘security vs. usability’ argument doesn’t hold water when one considers that many of the world’s largest retailers, financial institutions, government agencies and yes, even health insurance companies, use other methods like tokenization combined with strong security policy management to successfully protect their most sensitive data against unauthorized use and meet all security compliance requirements, all without sacrificing the usability of the data.”
Working backward from events like the Anthem breach will be one of the most powerful tools that organizations can use to prevent their names from becoming part of the next big breach headline. As Mattsson put it, “While it’s hard to find a silver lining in the theft of more than 80 million pieces of personally identifiable information, Anthem detecting the breach itself before medical or financial records were accessed could be considered a benefit. But the real benefit is the attention this incident has put on the issue of data security.”
Kachina Shaw is managing editor for IT Business Edge and has been writing and editing about IT and the business for 15 years. She writes about IT careers, management, technology trends and managing risk. Follow Kachina on Twitter @Kachina and on Google+