Reports on last week’s breach of Anthem Inc. claim the attack could have been much worse: the health insurer was storing PII (Personally Identifiable Information) and PHI (Protected Health Information) in the same database. The attackers could have taken the PHI but, reportedly, chose not to. And none of this data was encrypted at rest.
(Note: David Kleidermacher is the new Chief Security Officer for BlackBerry.)
Anthem operates Blue Cross and Blue Shield health plans in 14 states; it held the records of roughly 80 million past and current members and employees. Anthem will be bludgeoned by the press for a while and will eventually state that it has addressed its problems. After hackers exposed the account information of 77 million members of Sony’s PlayStation Network in 2011, Sony said the same thing. Late last year, Sony was breached again.
Some will say better regulation is needed. In the U.S., the Sarbanes-Oxley Act and HIPAA are but two of many government attempts to enhance privacy protection and raise the cybersecurity bar. Anthem is merely the latest event to expose the insufficiency of these standards. For those who may not have read the Federal Trade Commission’s brand-new guidance on cybersecurity for the Internet of Things (IoT), here are a few of its ‘groundbreaking’ statements:
- “companies developing IoT products should implement reasonable security”
- “companies should test their security measures before launching their products”
- “Congress should enact general data security legislation”
Does anyone believe government guidance is going to end our assurance crisis? Anthem is part of the larger healthcare challenge where insurers, caregivers, and patients are embracing an increasing range of access methods – from mobile devices and connected medical equipment to the wearables and sensors of IoT. Connection sprawl is exacerbating the problem.
We need robust end-to-end security solutions that enable enterprises to manage and protect all endpoints and the information that flows and resides across them and the cloud. At BlackBerry, our reputation for end-to-end security excellence is the result of a corporate-wide high assurance security culture (why I joined the company!) built over years and applied consistently to devices, the BlackBerry cloud infrastructure, and our applications and services.
But society should not trust the word of enterprises claiming great security. Let this be a call to arms, an international anthem if you will, for industry, academia, and governments to join together with BlackBerry to foster cybersecurity standards that deliver meaningful assurance. We desperately need it. The general population lacks confidence in the ability of enterprises to protect critical data and functions because no effective international standard for ensuring confidence in this protection exists. Raising assurance is the only way to get ahead of attackers instead of always remaining behind them, to prevent breaches instead of picking up the pieces after them.
If your organization wants to join BlackBerry in this initiative, drop us a note at firstname.lastname@example.org. And until this becomes reality, enterprises evaluating IT solutions must not blindly accept vendor security claims, no matter how well established that vendor’s brand (recall the 2011 breach of RSA that exposed SecurID seed data). Dive deep into the vendor’s assurance evidence and demand proof from independent experts.