University Case Study: Anthem's Cyber Security Breach Investigation


Added on  2020/05/01

Case Study
AI Summary
This case study report analyzes the cyber security breach at Anthem Inc., a major health insurance company. The report details the incident, where the personal information of millions of customers was stolen. It identifies violations of international data security principles, the failure to plan for unexpected events, and insufficient prioritization of cyber security expenditures. The report emphasizes the importance of cryptography and preventive policies, such as data security accountability, network security plans, and quick responses to compromised situations. The study concludes with recommendations for organizations dealing with sensitive data to implement robust security measures, including cryptographic algorithms and regular server maintenance, to prevent similar breaches in the future.
Running head: ANTHEM’S CYBER SECURITY BREACH
Anthem’s Cyber security Breach
Name of the student:
Name of the University:
Author note:
Executive Summary
The purpose of this report is to present a detailed case study of the data security breach at
Anthem Inc. The report describes every cyber security principle that was violated in the
process. Further into the report, recommendations are suggested to prevent any such
occurrence in the future. It helps to conclude the importance of cryptography or other cyber
security measures in organizations that deal with large volumes of private information.
Table of Contents
Introduction
Case Background
Violation of cyber principles
  International Data Security Principle
  Plan for the Unexpected
  Prioritize Cyber Expenditure
Cryptography
Preventive Policies to enhance Cyber Security
Conclusion
Introduction
Cyber security is defined as the body of processes, practices and technology that are
designed to protect computers, networks, data and programs from possible attacks.
Attacks may take the form of damage caused to the system and data directories or may be
threats in the form of unauthorized access (Von Solms & Van Niekerk, 2013). This report aims at
studying one such case of cyber security breach at Anthem Inc., a renowned health
insurance company. The case study further highlights the violation of cyber security
principles. The importance of file encryption in protecting the system and the servers from
being hacked is also reported. Finally, mitigating recommendations are suggested.
Policies and network technologies that could have prevented the attacks are discussed.
Case Background
Two years back in the month of February, account information of nearly eighty
million customers of one of the largest health insurance companies, Anthem Inc., was
stolen. Customers from at least 14 different states across the country were affected. The
hackers somehow managed to gain access to the company’s computer system and stole
personal information of customers. The information included names, birth dates, medical IDs,
and physical and email addresses. The highest-risk losses involved the theft of Social Security
Numbers and employment information of both present and former customers of the company.
However, as no medical information of clients was stolen in the breach, the rules from the
Health Insurance Portability and Accountability Act (HIPAA) could not be used in the
guidance process to recover from the situation. The HIPAA governs the confidentiality of
health and medical information only (Ragan, 2017).
Violation of cyber principles
International Data Security Principle
Gross (2017) claims that the hackers involved in the security breach at Anthem
may have ties to China. Investigations reveal that the evidence of the breach points towards
Chinese government-sponsored hackers. Those familiar with the problem are analyzing
the breach as a threat to national security, as the stolen data can be used for more than just
scam or spam purposes. This violates the international policies of cyber security.
International cybercrime challenges the effectiveness of both domestic and international law
enforcement. Having knowledge of the cybercrime laws and policies of various countries is
extremely important. Moreover, when there is a cross-border security threat in question, the
situation worsens. Such cases not only violate international cyber security principles but
also pose a serious threat to the political scenario of the countries. International cybercrime is
considered one of the most dangerous weapons of modern warfare.
Plan for the Unexpected
Secondly, the company seems to have violated yet another crucial principle of cyber
security. Any organization that deals with data stored on cloud servers must always
be prepared to be hacked. Therefore, post-hack measures should be well pre-planned and
quickly executed. Regular scans should be conducted on the server to check for
security compromises that may already have occurred. Nevertheless, Anthem is
repeatedly reported to have violated this principle. Their database had been hacked in
December 2014. It took them more than a month to realize that. It was already too late by
then.
Prioritize Cyber Expenditure
However, all sources who confirm the cyber attack on Anthem’s server state that
its cyber security measures were not up to the mark. This clearly shows that the company
did not prioritize cyber expenditure, which violates a crucial principle, as the company has to
deal with millions of customers and their private information. Even though the federal
authorities have made it mandatory to encrypt sensitive data like health or financial data,
HIPAA does not take it seriously. Organizations under its regime that do not use encryption
are not penalized. The bigger problem in this scenario is something else. Many of the
organization’s branches had not implemented data access security measures, whereas it was
necessary to place safeguards in position. This would have at least prevented administrator
control from being compromised even if the hackers had bypassed the perimeter defenses
(Westin, 2017).
Cryptography
Cryptography involves the creation of codes that are generated in order to keep
information secret. Through this process, data is converted into certain formats, which are
unreadable to unauthorized users. This also allows transmitting data that cannot be
decoded back to its readable form if illegally accessed (Rabin, 2017). Cryptography provides
the following services to ensure security:
1. Confidentiality- Cryptography makes sure that only authorized personnel can gain
access to data.
2. Integrity- Prohibiting data from being altered while in transit.
3. Authentication- The identity of the sender and receiver is preserved. This helps in
recognizing intermediate access to data transmission.
The process of cryptography includes encrypting the data into a cipher text using
certain algorithms. Then a key is introduced, which is known only to authorized data
handlers. The key is used to further decode and encode the cipher text, to reveal or conceal
the original data.
There are various types of cryptography algorithms. The number of keys that are
employed in an algorithm, together with its application, defines the category of algorithm used.
The three main categories are:
1. Secret Key Cryptography: This algorithm uses one key for both encryption and
decryption. This process is also known as symmetric encryption. This algorithm is
mainly used to promote confidentiality and data privacy.
2. Public Key Cryptography: This algorithm uses separate keys, one for encryption and
the other for decryption. This is also known as asymmetric encryption. This type of
algorithm is used for non-repudiation, key exchange and authentication (Salomaa,
2013).
3. Hash Functions: This technique uses mathematical functions in order to irreversibly
encrypt information. This provides a digital fingerprint. Hashing is primarily used to
maintain data integrity (Stallings & Tahiliani, 2014).
In the case of the Anthem Inc. data security breach, proper measures to implement
cryptography in the system would have been greatly helpful. Since the company has multiple
outlets and offices spread all across the USA, regular transmission of data is certain.
Furthermore, large volumes of data and information need to be stored and accessed. Therefore,
customer data that was stored on the offsite servers should have been protected with
cryptography.
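An added example, not part of the original report, showing the integrity and authentication services listed above on a customer record: an unkeyed hash can be recomputed by anyone who alters the record, while a secret-key tag (HMAC) cannot. The record fields, sample values and key handling are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets


def canonical(record: dict) -> bytes:
    """Serialize deterministically so equal records give equal bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def fingerprint(record: dict) -> str:
    """Unkeyed SHA-256 digest: anyone who can read the record can recompute it."""
    return hashlib.sha256(canonical(record)).hexdigest()


def seal(record: dict, key: bytes) -> str:
    """HMAC-SHA256 tag: producing a valid tag requires the secret key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify(record: dict, tag: str, key: bytes) -> bool:
    """Constant-time comparison of the stored tag with a freshly computed one."""
    return hmac.compare_digest(seal(record, key), tag)


def tamper_demo() -> dict:
    # Assumption: the key is held outside the database (e.g. in a key manager).
    key = secrets.token_bytes(32)
    # Constructed sample record; field names follow the data types in the case.
    record = {"name": "Jane Example", "birth_date": "1980-01-01",
              "medical_id": "M-0001", "email": "jane@example.com"}
    stored = {"record": dict(record), "sha256": fingerprint(record),
              "hmac": seal(record, key)}

    # Someone with write access to the database but not the key changes a field
    # and refreshes the unkeyed digest so the row still looks consistent.
    stored["record"]["email"] = "changed@example.net"
    stored["sha256"] = fingerprint(stored["record"])

    return {
        "original_verifies": verify(record, seal(record, key), key),
        "sha256_still_matches": stored["sha256"] == fingerprint(stored["record"]),
        "hmac_detects_change": not verify(stored["record"], stored["hmac"], key),
    }


if __name__ == "__main__":
    print(tamper_demo())
```

The keyed tag only helps if the key is stored and access-controlled separately from the records it protects.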
Preventive Policies to enhance Cyber Security
The most recommended data security policies that would help Anthem Inc. prevent
such security breaches in the future are:
Ensuring data security accountability: The company must ensure that its
technical staff and management are well aware of their responsibilities.
Policies to Govern Network Services: The company must have a well-framed
network security plan. Experts in the field must be contacted to frame the necessary
policies. Guidelines must also be constituted to ensure that these policies are carried
out thoroughly throughout all branches of the organization.
Managing Security Patches: Implementing programs and code to eliminate system
vulnerabilities shall protect servers against security threats. The details of such
implementations should be well documented in the data security policies. Properly
encrypted databases and safe firewall and antivirus policies are also considered
important aspects under this section (Hur, 2013).
Quick response to compromised situations: Anthem must also have proper
policies in place to tackle situations where the system or server has nevertheless been
compromised. This involves the evaluation and reporting of the issue and figuring out
solutions to prevent the same from happening again.
Conclusion
The above case study of Anthem Inc.’s data security breach is an eye-opener for all
other organizations around the world. It is also considered one of the largest security
breaches around the globe. The hack compromised private information of millions of
customers. That the hackers focused only on private information saved some prestige for
the organization. However, had this been a theft of health information, the company
would have been left with no way to save face. It would then have been a massive blunder. In order
to prevent any such breaches in the future, companies that deal with private information of
the public must ensure the implementation of proper security policies. Adopting
cryptographic algorithms and regular maintenance of servers might help in preventing any
such occurrence in the future.
References
Gross, G. (2017). State-sponsored Chinese hackers suspected in Anthem breach. Computerworld. Retrieved 16 November 2017, from https://www.computerworld.com/article/2880541/state-sponsored-chinese-hackers-suspected-in-anthem-breach.html
Hur, J. (2013). Improving security and efficiency in attribute-based data sharing. IEEE Transactions on Knowledge and Data Engineering, 25(10), 2271-2282.
Rabin, T. (2017). TEDxHunterCCS - Tal Rabin - Cryptography in Our Lives. YouTube. Retrieved 17 November 2017, from https://www.youtube.com/watch?v=ugZ2sAge5WY
Ragan, S. (2017). Anthem: How does a breach like this happen? CSO Online. Retrieved 17 November 2017, from https://www.csoonline.com/article/2881532/business-continuity/anthem-how-does-a-breach-like-this-happen.html
Salomaa, A. (2013). Public-key cryptography. Springer Science & Business Media.
Stallings, W., & Tahiliani, M. P. (2014). Cryptography and network security: principles and practice (Vol. 6). London: Pearson.
Von Solms, R., & Van Niekerk, J. (2013). From information security to cyber security. Computers & Security, 38, 97-102.
Westin, K. (2017). Why Encryption Wouldn’t Have Stopped Anthem from Spilling 80 Million Social Security Numbers. MIT Technology Review. Retrieved 17 November 2017, from https://www.technologyreview.com/s/535111/encryption-wouldnt-have-stopped-anthems-data-breach/