Responding to the Anthem Data Breach

You have no doubt seen news reports about the data breach suffered by health insurer Anthem. In this massive security breach, hackers were able to steal employee passwords and use them to access an Anthem database containing personal information about former and current customers as well as employees. Anthem has stated that data stolen includes names, dates of birth, addresses, email addresses, health insurance IDs, and Social Security numbers but no financial or medical data.

Anthem has been collaborating with the HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3) to share information about the attack. As a member of the HITRUST Cyber Threat XChange (CTX), PDHI has received details of the indicators of compromise (IOCs), which consist of IP addresses, filenames and associated MD5 hashes, and threat actor email addresses. We have conducted a review of our systems internally and with our hosting and security service vendors to verify that we have not been targeted by this threat.

Internal Security Controls

PDHI takes a number of steps to protect passwords on all systems by using password policies that require strong passwords that must be changed every 90 days and brute force lockout to block attack from automated password guessing systems.

Sensitive systems that store and process personal health information on behalf of our clients or provide security services are further protected by two-factor authentication. Two-factor authentication uses something you know (a password) and something you have (a security token) to validate identity and permit access. Thus a compromised password does not allow a hacker to gain access. PDHI also uses an intrusion detection system (IDS) to monitor network activity for suspicious traffic.

Security Controls for Clients

PDHI’s ConXus Platform offers similar security tools for clients, supporting configurable password policies and brute-force lockout capability, as well as the option for federated logon for clients wishing to use two-factor authentication for access by health coaches, screeners, and program administrators.

Comments are closed.