ANTHEM’S CYBER SECURITY BREACH

Executive Summary

The purpose of this report is to present a detailed case study of the data security breach at Anthem Inc. The report describes every cyber security principle that was violated in the process. Further into the report, recommendations are suggested to prevent any such occurrence in the future. It helps to establish the importance of cryptography and other cyber security measures in organizations that deal with bulk private information.

Table of Contents

Introduction
Case Background
Violation of cyber principles
    International Data Security Principle
    Plan for the Unexpected
    Prioritize Cyber Expenditure
Cryptography
Preventive Policies to enhance Cyber Security
Conclusion

Introduction

Cyber security is defined as the body of processes, practices and technology designed to protect computers, networks, data and programs from possible attacks. Attacks may take the form of damage caused to the system and data directories, or of threats in the form of unauthorized access (Von Solms & Van Niekerk, 2013). This report studies one such case of a cyber security breach at Anthem Inc., a renowned health insurance company. The case study further highlights the violation of cyber security principles. The importance of file encryption in protecting the system and the servers from being hacked is also reported. Finally, mitigating recommendations are suggested, and the policies and network technologies that could have prevented the attacks are discussed.

Case Background

Two years back, in the month of February, account information of nearly eighty million customers of one of the largest health insurance companies, Anthem Inc., was stolen. Customers from at least 14 different states across the country were affected. The hackers somehow managed to gain access to the company’s computer system and stole personal information of customers. The information included names, birth dates, medical IDs, and physical and email addresses. The highest-risk losses involved the theft of Social Security Numbers and employment information of both present and former customers of the company. However, as no medical information of clients was stolen in the breach, the rules of the Health Insurance Portability and Accountability Act (HIPAA) could not be used as guidance in recovering from the situation. HIPAA governs the confidentiality of health and medical information only (Ragan, 2017).

Violation of cyber principles

International Data Security Principle

Gross (2017) claims that the hackers involved in the security breach at Anthem may have ties to China. Investigations reveal that the evidence of the breach points towards Chinese government-sponsored hackers. Those familiar with the problem are analyzing the breach as a threat to national security, as the stolen data can be used for more than just scam or spam purposes. This violates the international policies of cyber security. International cybercrime challenges the effectiveness of both domestic and international law enforcement. Knowledge of the cybercrime laws and policies of various countries is extremely important. Moreover, when a cross-border security threat is in question, the situation worsens. Such cases not only violate international cyber security principles but also pose a serious threat to the political scenario of the countries involved. International cybercrime is considered one of the most dangerous weapons of modern warfare.

Plan for the Unexpected

Secondly, the company seems to have violated yet another crucial principle of cyber security. Any organization that deals with data stored on cloud servers must always be prepared to be hacked. Therefore, post-hack measures should be planned well in advance and executed quickly. Regular scans should be conducted on the server to check for security breaches that may already have occurred. Nevertheless, Anthem is repeatedly reported to have violated this principle. Their database had been hacked in December 2014. It took them more than a month to realize that. It was already too late by then.

Prioritize Cyber Expenditure

However, all sources who confirm the cyber attack on Anthem’s server state that their cyber security measures were not up to the mark. This clearly reflects the company’s approach to prioritizing cyber expenditure and violates a crucial principle, as the company has to deal with millions of customers and their private information. Even though federal authorities have made it mandatory to encrypt sensitive data such as health or financial data, HIPAA does not take it seriously. Organizations under its regime that do not use encryption are, however, not penalized. The bigger problem in this scenario is something else. Many of the organization’s branches had not implemented data access security measures, whereas it was necessary to have safeguards in place. This would at least have prevented administrator control from being compromised even if the hackers had bypassed the perimeter defenses (Westin, 2017).

Cryptography

Cryptography involves the creation of codes in order to keep information secret. Through this process, data is converted into formats that are unreadable to unauthorized users. This also allows data to be transmitted in a form that cannot be decoded back to its readable form if illegally accessed (Rabin, 2017). Cryptography provides the following services to ensure security:

1. Confidentiality - Cryptography makes sure that only authorized personnel can gain access to data.
2. Integrity - Data is prevented from being altered while in transit.
3. Authentication - The identity of the sender and receiver is preserved. This helps in recognizing intermediate access to a data transmission.
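
The integrity and authentication services listed above can be illustrated with Python's standard library; this is an added example, not part of the original report, and the record, its field names and the function names are constructed for illustration. It shows that an unkeyed hash detects alteration only if the digest itself can be trusted, while a keyed tag (HMAC) also authenticates whoever produced it.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample record; field names and values are illustrative only.
RECORD = {"member_id": "M-000123", "name": "Jane Doe", "ssn": "000-12-3456"}

def canonical(record: dict) -> bytes:
    """Serialize deterministically so equal records always yield equal bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")

def fingerprint(record: dict) -> str:
    """Unkeyed SHA-256 digest: reveals change, but anyone can recompute it."""
    return hashlib.sha256(canonical(record)).hexdigest()

def seal(record: dict, key: bytes) -> str:
    """HMAC-SHA256 tag: only a holder of the shared key can produce it."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()

def verify(record: dict, tag: str, key: bytes) -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(seal(record, key), tag)

def demo() -> dict:
    key = secrets.token_bytes(32)          # shared only by sender and receiver
    sent_digest = fingerprint(RECORD)
    sent_tag = seal(RECORD, key)
    # In transit, the record is altered and a fresh plain digest is attached.
    tampered = dict(RECORD, ssn="000-98-7654")
    replaced_digest = fingerprint(tampered)
    return {
        "original_verifies": verify(RECORD, sent_tag, key),
        "digest_differs_after_change": replaced_digest != sent_digest,
        # The replaced digest matches the altered record, so a receiver who
        # trusts whatever digest arrives with the data notices nothing.
        "replaced_digest_looks_valid": fingerprint(tampered) == replaced_digest,
        "tampered_rejected_by_hmac": not verify(tampered, sent_tag, key),
        "wrong_key_rejected": not verify(RECORD, sent_tag, secrets.token_bytes(32)),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Confidentiality is outside this sketch; it requires a vetted encryption library rather than hashing.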

The process of cryptography includes encrypting the data into a cipher text using certain algorithms. A key is then introduced, which is known only to authorized data handlers. The key is used to decode and encode the cipher text, to reveal or conceal the original data. There are various types of cryptographic algorithms. The number of keys employed in an algorithm, together with its application, defines the category of algorithm used. The three main categories are:

1. Secret Key Cryptography: This algorithm uses one key for both encryption and decryption. This process is also known as symmetric encryption. This algorithm is mainly used to promote confidentiality and data privacy.
2. Public Key Cryptography: This algorithm uses separate keys, one for encryption and the other for decryption. This is also known as asymmetric encryption. This type of algorithm is used for non-repudiation, key exchange and authentication (Salomaa, 2013).
3. Hash Functions: This technique uses mathematical functions to irreversibly transform information. This provides a digital fingerprint. Hashing is primarily used to maintain data integrity (Stallings & Tahiliani, 2014).

In the case of the Anthem Inc. data security breach, proper measures to implement cryptography in the system would have been greatly helpful. Since the company has multiple outlets and offices spread all across the USA, regular transmission of data is certain. Furthermore, huge volumes of data and information need to be stored and accessed. Therefore, customer data that was stored on the offsite servers should have been protected with cryptography.

Preventive Policies to enhance Cyber Security

The most recommended data security policies that would help Anthem Inc. prevent such security breaches in the future are:

Ensuring data security accountability: The company must ensure that its technical staff and management are well aware of their responsibilities.

Policies to Govern Network Services: The company must have a well-framed network security plan. Experts in the field must be consulted to frame the necessary policies. Guidelines must also be established to ensure that these policies are carried out thoroughly throughout all branches of the organization.

Managing Security Patches: Implementing programs and code to eliminate system vulnerabilities protects servers against security threats. The details of such implementations should be well documented in the data security policies. A properly encrypted database, a safe firewall and antivirus policies are also considered important aspects under this section (Hur, 2013).

Quick response to compromised situations: Anthem must also have proper policies in place to tackle situations where the system or server has nevertheless been compromised. This involves evaluating and reporting the issue and working out solutions to prevent the same from happening again.

Conclusion

The above case study of Anthem Inc.’s data security breach is an eye-opener for all other organizations around the world. It is also considered one of the largest security breaches around the globe. The hack compromised the private information of millions of customers. Because the hackers focused only on private information, the organization retained some prestige. However, had this been an act of health information piracy, the company would have been left with no way to save face. It would then have been a massive blunder. In order to prevent any such breaches in the future, companies that deal with private information of the public must ensure the implementation of proper security policies. Becoming accustomed to cryptographic algorithms and regular maintenance of servers might help in preventing any such occurrence in the future.

References

Gross, G. (2017). State-sponsored Chinese hackers suspected in Anthem breach. Computerworld. Retrieved 16 November 2017, from https://www.computerworld.com/article/2880541/state-sponsored-chinese-hackers-suspected-in-anthem-breach.html

Hur, J. (2013). Improving security and efficiency in attribute-based data sharing. IEEE Transactions on Knowledge and Data Engineering, 25(10), 2271-2282.

Rabin, T. (2017). TEDxHunterCCS - Tal Rabin - Cryptography in Our Lives. YouTube. Retrieved 17 November 2017, from https://www.youtube.com/watch?v=ugZ2sAge5WY

Ragan, S. (2017). Anthem: How does a breach like this happen?. CSO Online. Retrieved 17 November 2017, from https://www.csoonline.com/article/2881532/business-continuity/anthem-how-does-a-breach-like-this-happen.html

Salomaa, A. (2013). Public-key cryptography. Springer Science & Business Media.

Stallings, W., & Tahiliani, M. P. (2014). Cryptography and network security: principles and practice (Vol. 6). London: Pearson.

Von Solms, R., & Van Niekerk, J. (2013). From information security to cyber security. Computers & Security, 38, 97-102.

Westin, K. (2017). Why Encryption Wouldn’t Have Stopped Anthem from Spilling 80 Million Social Security Numbers. MIT Technology Review. Retrieved 17 November 2017, from https://www.technologyreview.com/s/535111/encryption-wouldnt-have-stopped-anthems-data-breach/