As initially reported by Bank Info Security editor Marianne McGee, Anthem, one of the world’s largest health insurers, recently agreed to the largest-ever HIPAA settlement, $16 million, over a 2015 data breach that affected nearly 79 million customers.
“The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” says OCR Director Roger Severino.
“Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information. We know that large healthcare entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR.”
Identity and Access Management
According to Gartner, Identity and Access Management (IAM) is the security discipline that enables the right individuals to access the right resources at the right times for the right reasons. IAM is particularly important in the increasingly complex and heterogeneous technology environments of companies operating multiple clouds and cloud accounts. The discipline includes the organizational policies for managing digital identity as well as the technologies needed to support identity management.
IAM is an area where many developers and engineers lack expertise. As a result, many are hesitant about making configuration choices at all, and when they do make them they often, inadvertently, make poor ones. When IAM is handled incorrectly the risk to an organization is enormous, as Anthem shows.
Anthem’s IAM practices did not meet industry or regulatory standards, as was evident from its lack of adequate minimum access controls. Its weaknesses were further illustrated by the lack of an enterprise-wide security risk assessment, insufficient procedures for regularly reviewing information system activity, and a failure to identify and respond to suspected or known security incidents. These critical gaps led to a massive breach of customer data, the $16 million HIPAA settlement, and several other legal actions and investigations that concluded with a record $115 million consolidated settlement.
That’s a lot of trouble DivvyCloud could have helped Anthem avoid. DivvyCloud helps customers adhere to industry and regulatory standards, including in areas like IAM, for example by ensuring robust password policies and requiring multi-factor authentication. Our out-of-the-box HIPAA compliance pack maps the entire framework to the major cloud service providers to keep your cloud infrastructure in compliance.
The Golden Rule
Going back to how easy it is to make poor choices: the most common form this takes is over-granting privileges to cloud resources. The golden rule of good security is that when you create IAM policies you grant least privilege, that is, only the permissions required to perform the task at hand.
Of course, to do this you first need to determine what users actually need to do and then craft policies that let them perform only those tasks. Another approach is to start with a minimal set of permissions and add permissions only as a real need appears. Both sound great, but in practice they are hard to do and time-consuming.
What actually happens is that a developer starts with permissions that are too lenient. Sometimes this is due to a lack of understanding; sometimes they intend it to be temporary but get distracted and forget to come back and tighten the permissions. In either case, they might write a policy that looks like this:
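As an added illustration of the two paragraphs above (this is example code written for this page, not a snippet from the original post or from DivvyCloud’s product), the block below shows the kind of “allow everything” AWS IAM policy a developer reaches for when an access error is in the way, beside a least-privilege policy scoped to one task, and a small audit routine that flags wildcard grants the way a policy scanner would. The bucket name, the policy documents and the policy names are all constructed for the example.

```python
"""Over-broad vs. least-privilege IAM policy, plus a wildcard audit.

Added example for this page; not the original post's own code. The policy
documents and the bucket name `example-app-config` are constructed here
purely for illustration.
"""
import json

# Constructed example: the "make the error go away" policy. Any action on
# any resource is the functional equivalent of administrator access.
OVERLY_PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
}

# Constructed example: the same application only needs to read objects from
# one bucket, so grant exactly that and nothing else.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": ["arn:aws:s3:::example-app-config/*"],
        },
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-app-config"],
        },
    ],
}


def _as_list(value):
    """IAM accepts a bare string or a list in Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_wildcard(entry: str) -> bool:
    """'*' grants everything; 'service:*' or 'arn:...:*' grants a whole scope.

    An object-level 'bucket/*' is deliberately not flagged: that is the
    normal way to scope a grant to the objects inside one bucket.
    """
    return entry == "*" or entry.endswith(":*")


def audit_policy(policy: dict) -> list:
    """Return one finding per Allow statement that uses a wildcard grant."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        # NotAction/NotResource grant everything except a list, which is
        # almost always broader than the author realises.
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {idx}: NotAction/NotResource used (implicitly broad grant)")
        wild_actions = [a for a in _as_list(stmt.get("Action")) if is_wildcard(a)]
        wild_resources = [r for r in _as_list(stmt.get("Resource")) if is_wildcard(r)]
        if wild_actions and wild_resources:
            findings.append(f"statement {idx}: admin-equivalent grant {wild_actions} on {wild_resources}")
        elif wild_actions:
            findings.append(f"statement {idx}: wildcard actions {wild_actions}")
        elif wild_resources:
            findings.append(f"statement {idx}: wildcard resources {wild_resources}")
    return findings


def find_risky_policies(policies: dict) -> dict:
    """Scan a name -> policy-document mapping (e.g. everything in an account)
    and return only the policies with findings, so the bad ones are easy to
    locate among hundreds of others."""
    return {name: audit_policy(doc) for name, doc in policies.items() if audit_policy(doc)}


if __name__ == "__main__":
    inventory = {
        "temporary-fix-do-not-use": OVERLY_PERMISSIVE_POLICY,
        "app-config-reader": LEAST_PRIVILEGE_POLICY,
    }
    print(json.dumps(find_risky_policies(inventory), indent=2))
```

Running the block reports only `temporary-fix-do-not-use`, with a single admin-equivalent finding; the scoped policy produces none. In a real account you would feed `find_risky_policies` the policy documents pulled from the provider’s API rather than the constructed ones here.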
While a policy like this certainly makes any access problem a user or application is facing go away, it exposes the account to an extraordinary amount of unnecessary risk: whoever obtains the credentials that carry it, as the attackers who harvested passwords at Anthem did, inherits the same sweeping access. Policies like this are also difficult to find and remove later; they quickly get lost in the console among hundreds of other policies, nested in tabs that may never be visited again.
This is one reason DivvyCloud has a big IAM focus. DivvyCloud’s real-time alerting lets customers open a ticket in their existing ticketing system (Jira, ServiceNow, PagerDuty, etc.) for any problem found inside the platform: when a Bot identifies a problem, a ticket is created automatically and routed to your IT team’s queue for remediation. Anthem would have benefited from our automated reporting and remediation tools, which would have ensured minimum access controls, automated enterprise-wide security risk assessments, regular reports of information system activity, and the ability to continuously identify and remediate suspected or known security incidents.
DivvyCloud mitigates security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes). First, our software performs real-time, continuous discovery of infrastructure resources, allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of those policies.