Healthcare’s New “Anthem” is Encryption, But Not Everyone Sings From the Same Hymnal
This blog post is for informational and educational purposes only. Any legal information provided in this post should not be relied upon as legal advice. It is not intended to create, and does not create, an attorney-client relationship and readers should not act upon the information presented without first seeking legal counsel.
What if the data of 80 million Anthem subscribers were encrypted at rest? And access required two-factor authentication? Would the security breach still have occurred? These lines in the new cyber-security “anthem” are being sung with gusto by those following the bouncing cursor of a breach that may be larger than all healthcare security breaches of the last ten years combined. The questions need to be asked but, like many other things in information security, the answers are not always obvious, though sometimes they do follow simple basic information management common sense.
True, investigating a breach, especially one of this size, attracts attention that makes the Super Bowl and Academy Awards look like Saturday morning cartoons. The analysis is always retrospective, Monday-morning quarterbacking, and it’s hard not to come up with some weakness that if addressed, maybe, possibly, perhaps could have prevented the breach. Here most commentators, especially those in the mainstream press, have focused on data encryption at rest as the panacea that would have preserved the sensitive information of the millions of Anthem subscribers. Encrypted cloud storage is part of the answer, but not the whole answer because attackers who can circumvent authentication protocols can get around encryption (and, as Edward Snowden stated, encryption often comes with back doors).
One reason why encryption alone isn’t a complete defense against a data security breach is that, as Professor Steven M. Bellovin of Columbia University wrote in an Ars Technica article:
In a case like the Anthem breach, the really sensitive databases are always in use. This means that they’re effectively decrypted: the database management systems (DBMS) are operating on cleartext, which means that the decryption key is present in RAM somewhere. It may be in the OS, it may be in the DBMS, or it may even be in the application itself (though that’s less likely if a large relational database is in use, which it probably is). (Emphasis added.)
This means that someone with access to a computer can access the database decryption key, or potentially even unencrypted database contents, from the RAM, or ‘working memory,’ of the computer. As a result, the robustness of the database encryption scheme becomes nearly irrelevant and would likely not have posed a substantial barrier to someone with the know-how to circumvent authentication protocols in the first place.
So, the first question that must be asked is how robust were the authentication protocols at Anthem? A combination of strong, perhaps multifactor authentication protocols and database management systems controls, plus encryption at rest could have reduced the chances of a successful breach. It’s important, from a liability perspective, to note that neither HIPAA compliance nor other federal information security requirements require perfection. These regulations are not rules of strict liability. The metric is “reasonable steps,” though, of course, that is often in the eyes of the beholder with the benefit of hindsight.
And there are “reasonable steps” that can be taken to deter all but the most sophisticated hackers. One may be to store sensitive information with a cloud hosting provider who encrypts at rest and requires multifactor authentication. However, many healthcare plans and providers are skeptical due, among other things, to a perceived loss of control over the data in the healthcare cloud and, thereby, the ability to oversee data security. This is one reason, as Professor Bellovin notes, that it is appropriate for cloud hosting services to use robust database encryption, as you no longer control authentication protocols to your computer systems because “you don’t control the machine room and you don’t control the hypervisor (a program that allows multiple operating systems to share a single system or hardware processor).” On the other hand, cloud hosting provider systems administrators are often more experienced at securing their systems than most healthcare plan and provider IT personnel or, when they are large enough to have them, information security departments (HIPAA compliant hosting requires the appointment of Security Officers, but they often are not sufficiently experienced to harden the OS and DMBS, let alone encrypt at rest).
The New York Times reported on February 6, 2015 that healthcare information is increasingly at risk of a data security breach because medical records, with their rich set of personal identifiers including Social Security Numbers and medical record numbers that can be used to obtain pharmaceuticals and even medical care for undocumented aliens, are of greater value on the black market that credit card numbers alone, as those accounts can be cancelled. The Times also noted that “health organizations are likely to be vulnerable targets because they are slower to adopt measures like keeping personal information in separate databases that can be closed off in the event of an attack” (subscription required).
As the attackers get more and more brazen and sophisticated, especially in light of the recent series of successful attacks, healthcare organizations will look for means to better secure information, and those means will comprise more than just encryption. They will include hardened authentication and DMBS protocols as well and, if the organization cannot manage these controls themselves, hosting of data in a healthcare cloud with reputable managed cloud hosting providers.
By Kenneth N Rashbaum Esq. and Liberty McAteer, Esqs.