Anthem Breach: Impacts on Indian ITeS Sector
There are those organisations that get hacked and know it and those that are breached but are clueless. Luckily, Anthem, a leading health insurance provider, falls in the first category and knows how deeply it has been hit.
Anthem serves nearly 69 million people in the U.S. Though Anthem has not specified the number of affected consumers or compromised records, the facts published on Anthem’s own site give a glimpse of how large this breach is.
Anthem’s CEO said, With the FBI investigating the case, the possibility that U.S. “cyber adversaries” funded the attack, however remote, cannot be dismissed entirely. Interestingly, this breach has surfaced within three months of the Sony Pictures Entertainment hack. President Obama has warned the alleged perpetrators with a strong statement against such destructive and destabilizing conduct.
Such incidents provide an opportunity to conduct due diligence and take control of your security measures. If adequate measures are not taken, I see a potentially huge economic impact on the healthcare outsourcing industry taking shape.
The health care insurance industry is highly developed in countries like the U.S., the UK and Australia. A large number of U.S. healthcare providers outsource their computerized physician order entry (CPOE), electronic medical records (EMRs), inbound voice response (IVR) systems and data management to India. In the BPO segment, common activities include insurance claims processing, adjudication, receivables management, billing and coding, and transcription services.
Often, the outsourcing partners are big players such as Accenture, TCS, Infosys and many more. Many of these organisations operate on applications and systems configured to the healthcare company’s requirements. Many such installed applications are browser based (and therefore highly susceptible to browser-based attacks) or require virtualized storage environments, whose data, if lost, is likely to be lost forever. The hosting environments for these applications are decided jointly by the healthcare providers in the U.S. and the outsourcing vendors.
Once the BPOs and KPOs sign off and begin processing, the configuration and hardening of these systems are frozen at the agreed requirements, mostly to avoid errors or malfunctions caused by backward compatibility issues or run-time errors.
Since the cause of the Anthem breach is unknown, it is worth noting that such stagnant and ill-configured systems may well be connected to a BPO’s internal network with all their applications running, which exposes them to the typical vulnerabilities of such a setup. Lest I forget, OS-level vulnerabilities could also bring the entire organisation to the brink of becoming the entry point for a global breach.
What concerns me more is the lack of credible information on the method of attack: whether it was caused by deliberately injected malware, a zero-day vulnerability or a dedicated cyber warfare initiative.
Many such BPO processes experience repeated denial-of-service-like incidents in the form of downtime or application-level glitches. It is often not clear whether the downtime was a legitimate one.
Many BPOs and KPOs are not fully aware of such scenarios, or of what these applications can do in the background on their networks and systems, while their full-time agents work 24x7 updating medical claim forms or performing data entry.
Currently, the underlying risk stems from an incomplete understanding of the applications and of how robust they really are. This is a major concern that the Indian ITeS industry needs to address.
Listed below are the global giants in the healthcare BPO domain:
India spends a mere 4 percent of its GDP on healthcare, while the U.S. spends a mammoth 17 percent every year. A recent study by Deal Analysis provides a North American perspective on the insurance BPO sector.
The above diagram clearly indicates that the insurance BPO market will grow considerably in the coming years and that India stands to gain the most from this.
With the Anthem breach in mind, U.S. healthcare providers will initiate critical security measures, and this will affect the cost of agreements. In the coming years it may even require quite extensive amendments to current agreements. I would not be surprised to see “joint security responsibility agreements” alongside the business agreements in the near future. While India stands at a critical point of responsibility as a global service industry leader, it may now have to focus heavily on delivering ‘information security assurance’ to its existing and potential customers. Hopefully, this will create more information security jobs.
Walk the Talk
It is a moment for the Indian IT and services industries to stop, think and respond with a systematic approach: identifying their current business risk areas, ensuring relevant management and technical controls, and upgrading those controls periodically. Adhering to international standards for enterprise risk assessment such as ISO 31000 will certainly help many organisations, even outside the ITeS industry, to establish a dedicated information security management system of which information security would be a fruitful outcome.
I have always insisted on inculcating information security as a habit, and a habit needs to be developed. You need not be a nerd with a plethora of knowledge about gadgets and jargon, but a conscious attitude towards cyber security will help. It is time we make it a habit to question the information security practices that promise us information security!
About the Author
Abhishek Y. Joshi is an Information Security evangelist with wide experience in ITGC, IS audits and risk management. He has worked on multiple projects in the ITeS and BFSI industry sectors across India and Australia. Abhishek holds a graduate degree in Information Technology from Federation University, Australia.