Anthem Breach Prompts New York to Conduct Cybersecurity Reviews of All Insurers
It would be interesting to see what Anthem has documented and implemented as its “alternative measure” to encryption. Many companies don’t want to pay for the hardware overhead needed to keep information both encrypted and fast to access, but that position has become less firm than Jello in an age of increasing breaches and decreasing hardware costs.
In response to the data breach at healthcare insurance provider Anthem last week, New York’s Department of Financial Services (DFS) announced today that it will “integrate regular, targeted assessments of cyber security preparedness at insurance companies as part of the department’s examination process.” The Department also plans to issue “enhanced regulations” to insurance companies based in New York, but has not yet solidified what those enhancements will be.
Encryption and multi-factor authentication may be on that list. Healthcare insurers are already subject to the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA), each of which has requirements about privacy and security, but neither of which explicitly requires encryption of all personally identifiable information. HIPAA’s focus is on medical data, not identity and employment data like that stolen from Anthem.
An Anthem executive confessed to the New York Times Thursday that Anthem had not encrypted the database containing non-medical data, and that it was not required by HIPAA to do so.
More: Anthem Breach Prompts New York to Conduct Cybersecurity Reviews of All Insurers