Anthem Breach Lesson: Why Granular Access Control Matters
Former Federal Prosecutor Bill Fox Analyzes Anthem Settlement
Healthcare organizations can learn important lessons from the proposed $115 million settlement in the breach lawsuit against health insurer Anthem, says Bill Fox, a former federal prosecutor.
One of the key lessons emerging from the Anthem breach case, which impacted nearly 79 million individuals, is the need for more granular control of access to sensitive data, says Fox, who's global chief technology officer of healthcare and life sciences at MarkLogic, a database software vendor.
The breach shows the importance of access control because it stemmed from a phishing attack that exposed credentials, paving the way to access sensitive data on millions of individuals.
"It seems as though [Anthem] did not have sufficient granularity in terms of internal access," he notes in an interview with Information Security Media Group. "You constantly have to think in terms that there is no way to absolutely prevent a breach in any sort of operational business because you have to be sharing data - and people have to be working with that data and filling the functions of the business. But what many organizations - not just those in healthcare, but in other industries - lack is very, very granular access control."
That includes controlling what users, such as doctors or billing clerks, can view, based on their roles, as well as how long they have permission to access that data and what they are permitted to do with it, he says.
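As an added illustration of the granular control Fox describes (this is example code, not from the interview or from MarkLogic): a default-deny check in which identity, role, data field, action and a time-bounded grant must all match before access is allowed, with every decision written to an audit trail. The roles, fields, users and grant windows are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample policy: role -> set of (data_field, action) pairs the role may perform.
ROLE_PERMISSIONS = {
    "doctor": {("diagnosis", "view"), ("diagnosis", "update"), ("ssn", "view")},
    "billing_clerk": {("insurance_id", "view"), ("billing_address", "view")},
}

@dataclass(frozen=True)
class Grant:
    """A user's role, valid only inside the [not_before, not_after] window."""
    user: str
    role: str
    not_before: datetime
    not_after: datetime

def is_allowed(grant: Grant, user: str, data_field: str, action: str, now: datetime) -> bool:
    """Default deny: identity, time window, role, field and action must all line up."""
    if grant.user != user or not (grant.not_before <= now <= grant.not_after):
        return False
    return (data_field, action) in ROLE_PERMISSIONS.get(grant.role, set())

def evaluate(grants, user, data_field, action, now, audit) -> bool:
    """True if any current grant permits the request; every decision is appended to audit."""
    decision = any(is_allowed(g, user, data_field, action, now) for g in grants)
    audit.append(f"{now.isoformat()} user={user} field={data_field} action={action} allowed={decision}")
    return decision

# Constructed sample data: an active doctor grant, an expired clerk grant, an active clerk grant.
SAMPLE_NOW = datetime(2017, 6, 1, tzinfo=timezone.utc)
SAMPLE_GRANTS = [
    Grant("dr_alice", "doctor", SAMPLE_NOW - timedelta(days=1), SAMPLE_NOW + timedelta(days=29)),
    Grant("clerk_bob", "billing_clerk", SAMPLE_NOW - timedelta(days=60), SAMPLE_NOW - timedelta(days=30)),
    Grant("clerk_carol", "billing_clerk", SAMPLE_NOW - timedelta(days=1), SAMPLE_NOW + timedelta(days=1)),
]

if __name__ == "__main__":
    log = []
    for user, f, a in [("dr_alice", "diagnosis", "update"), ("clerk_carol", "ssn", "view"),
                       ("clerk_bob", "insurance_id", "view"), ("clerk_carol", "insurance_id", "export")]:
        evaluate(SAMPLE_GRANTS, user, f, a, SAMPLE_NOW, log)
    print("\n".join(log))
```

A phished credential is only as useful as the narrowest grant behind it: the clerk's stolen login cannot read SSNs, cannot export, and stops working when the window closes.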
Another lesson from the costly breach settlement, Fox says, is the need to educate "rank and file members of the organization to recognize things like phishing attacks and being very careful about opening attachments from unknown emails - though [attackers are] getting more sophisticated in making it look like a known email [sender]."
Also, organizations need to ensure they're using best-in-class security "and taking security from the level of the application program interface and down to the level of the database," he says.
In the interview, Fox also discusses:
- The most significant "teachable moments" contained in the terms of the proposed Anthem lawsuit settlement;
- Why there's strong potential for class action litigation to be filed in the aftermath of ransomware-related attacks;
- Top mistakes that healthcare entities make in their information security governance, and how to correct the missteps.
Fox is global CTO of healthcare and life sciences at enterprise database software vendor MarkLogic. He also serves on the board of directors of the Medical Identity Fraud Alliance. Previously, Fox was a cybersecurity consultant at Booz Allen Hamilton, and he also held healthcare leadership positions at Emdeon and LexisNexis. He also was the deputy chief of economic and cyber crime at the Philadelphia District Attorney's Office, special assistant U.S. attorney for the Eastern District of Pennsylvania and a law firm partner.