Insurance giant Anthem, Inc. had the data: 80 million healthcare records that included Social Security numbers, birthdays, addresses, email addresses, and employment and income information.
So the hackers came and availed themselves of this data, which is worth millions of dollars and will probably cost Anthem millions in fines, lawsuits and clean-up, not to mention an untold amount in reputation rehabilitation.
Experts said the information was vulnerable because Anthem did not take simple steps, such as encrypting data at rest inside its own systems, the way it protected medical information that was sent or shared outside the database.
Security experts agree that companies with tunnel vision about compliance often focus on implementing controls to check a box rather than on dealing with real-world security issues.
"Being compliant can give a false sense of security," said Sword & Shield President and CEO John McNeely. "Compliance standards are typically written to some baseline security measures and should be viewed as a starting point. Companies that just focus on compliance can find themselves still exposed to threats. Compliance standards may give some prescriptive direction, but most are ambiguous on key security controls and leave many implementation details up to the organization.
"Businesses that don't take the time to develop sound security strategies that address the uniqueness of their organization and specifics of how to implement security effectively will, most likely, find themselves dealing with a security incident even though they are 'compliant'," he said.
Little has been said about whether Anthem was HIPAA compliant, but there is more to IT security than paint-by-numbers compliance guidelines. The key thing about IT security is that you can never totally eliminate risk; you can only mitigate it.
Sword & Shield works to be a long-term partner. We don't do drive-by compliance assessments; we work with your company to provide continuous monitoring, rapid response and a roadmap to a secure and compliant future.
Unpatched Adobe Flash Player Vulnerability Allows Hackers to Take Control of System
Adobe Systems warned users that hackers are exploiting another unpatched vulnerability in Flash Player, the third such flaw in the past month.
There are reports that the vulnerability is being actively exploited in drive-by-download attacks that target systems running Flash Player under Internet Explorer or Mozilla Firefox on Windows 8.1 and earlier.
Adobe said in a security advisory published Monday, "A critical vulnerability (CVE-2015-0313) exists in Adobe Flash Player 184.108.40.2066 and earlier versions for Windows and Macintosh. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system."
Sword & Shield's Asset Discovery and Vulnerability Assessment, a component of our Managed Security Services, delivers an inventory of critical assets along with a vulnerability mapping to help reduce exposure to attack.
Sword & Shield Director of Computer Forensics and Security Assessments Bill Dean will speak about threat intelligence at the InfoSec World Conference and Expo on Monday, March 23 from 3:15 to 4:15 p.m.
Dean's talk will cover:
- Concerns about trust and disclosing too much private information
- Understanding the value of threat intelligence
- Learning the rich sources to build your own program
- How to safely share threat intelligence with others
InfoSec World runs March 23-25 at Disney's Contemporary Resort in Orlando.