Former Blue Cross CIO: How insurers can secure data

Investigators are still attempting to figure out how hackers acquired sensitive information from the servers of health insurer Anthem, the third-largest data breach in terms of compromised records (80 million) in history.

Joseph Smith, who retired from his post as CIO of Arkansas Blue Cross and Blue Shield last year, tells Insurance Networking News that while it’s possible a brute force attack could be the cause of the Anthem breach, most CIOs are aware that the most common vector of attack is poor data habits from associates within the company.

 “A company is constantly scanning for nefarious code,” Smith says, noting that Anthem discovered the breach on its own and then notified authorities, instead of learning of it from a third party. “But the easiest way to penetrate those thick walls is phishing kinds of things.”

Training employees to recognize nefarious intentions in an e-mail is a constant challenge for CIOs, as hackers become more sophisticated and associates enter and leave the company.

“It’s always unintentional or innocent, but your biggest risk is your own employees,” he says. “With Target, the hacker posed as a vendor, someone was duped innocently, and there you go.”

Smith says insurers and other organizations should work together to share the latest information on hacking attempts so industry at large can benefit from the experiences of their peers.

Also see: Data security processes essential for wellness program PHI

“You could establish some kind of clearing house, when people have events like what’s happened in Anthem and elsewhere, and expose how this was done as much as you can without jeopardizing internal security,” he explains.

And it’s better for companies to do that on their own before regulators get involved, he warns. The National Association of Insurance Commissioners recently established a cybersecurity task force for the insurance industry, and it’s possible that task force will look closely at this event and make recommendations. (A request for comment from the NAIC was not returned in time for publication.)

What Smith fears is that CIOs will move away from best practices around keeping data safe that almost always are better served working with employees to teach them to protect their sensitive company information.

“You can require huge amounts of money to be spent for [software] and the incremental protection might not be that much more,” Smith says. “Clearly the best defense is a good offense in this case.”

More encryption isn’t the answer either, he says. IT departments have best practices for maintaining the password system, and reacting by introducing second factors or biometrics into taxed organizations could be more trouble than it’s worth. Instead, insurers who effectively educate employees on data security, and scan systems for nefarious code often, should be winners.

“That doesn’t mean just one or two times a year,” he warns. “No organization is immune to this kind of attack -- I think by now people have gotten the general understanding that’s true, when you see how many people have been affected.”

Also see: No broker information breached in Anthem cyber attack

Now, for Anthem and after any company is impacted by a data breach, the important part is how they communicate what’s happened to the exposed customers and how they will work to protect them and make them whole, Smith says.

“You’ve seen the different reactions from some of the companies who have been breached. Some of them have been less than fantastic with it. Others have been very good about communicating,” he says.

Anthem will probably offer some sort of fraud protection to customers, but Smith notes that many of them may already have been involved in one of the other high-profile data breaches and be covered by that already – another case for companies to communicate with each other in the aftermath of leaks.

For reprint and licensing requests for this article, click here.
Benefit management
MORE FROM EMPLOYEE BENEFIT NEWS