Anthem’s blank space – diminishing returns on cyber attacks

I remember when I first read about Chef Thomas Keller’s attentiveness to the law of diminishing returns. The idea is simple, with each bite, you get a little less enjoyment out of whatever it is you are eating. Some of Keller’s most famous dishes are only one or two bites. Leave ’em wanting more, he says. Well, as it turns out, the same is true for hacking.

The more it happens, the less we care.

In 2014 nearly everyone was hacked. Home Depot was hacked. Target was hacked. Sony…well, you know about Sony.


Celebrities are also a popular target. Jennifer Lawrence smartly said anyone who sought out photos of her was effectively abetting the hackers. By the time Taylor Swift was hacked in early 2015, the general reaction was…well…rather ho-hum.

News broke this week about the attack on insurance giant Anthem. It could be misconstrued as flippant, or know-it-all’y, but I think my reaction could best be summed up thusly:


It’s not that I don’t care, or that I’m not sympathetic – I do and I am. I’m just not surprised. So much healthcare data is secured by obscurity — think: fake rock hide-a-key. And, inside any given healthcare organization, hundreds if not thousands of people have access to datastores. Sure, there’s some notional security and there are, sometimes, audit trails. But it may simply be unrealistic to expect sensitive data, in the hands of large corporations, to ever be completely secure.


After the Sony attack, security researcher Steve Gibson remarked on his Security Now podcast on the challenges of securing Sony. Gibson suggested it would be nearly impossible for anyone to secure such massive, interconnected, multi-platform infrastructures. The same is undoubtedly true for large healthcare organizations.

Not to sound all Eeyore about it. I’ve just accepted that my health information, once it leaves my body, is vulnerable to attack. But here’s the good news — maybe no one cares? Sure, none of us want our social security number and birthday circulating around. It’s an inconvenience and a financial risk. But did anyone really care that Taylor Swift was hacked? Maybe the law of diminishing returns means we, as a society, are bored of hacks. And once we’re bored, and there’s no real threat, then the target for the hackers is greatly diminished.

  • Susan Motley

    Hi, Nick! I think I agree with you. My reaction to the three paragraph email I had from the President and CEO of Anthem this morning, with somewhat mock empathy saying hey, I feel your pain, I was hacked too, made me think that out of 80MM people I must at least be in the bottom third of interest for the hackers. The email did kind of irk me though but maybe he was trying to make the same point you are. Thanks for your insight!

  • DavidHarlow

    On the one hand, as I always say, I’m not Beyonce, so I’m not worried. On the other hand, health data hacks are used to perpetrate medical identity theft on a grand scale. And while we don’t know exactly what was taken in the Anthem hack yet (one of this size will depress the market price for a profile on the dark web temporarily), it will lead to losses on the part of Anthem (impostors using medical identity to fill multiple prescriptions for narcotics or, more prosaically, finally get that MRI with contrast), gum up medical records of innocent bystanders (“No, doc, I didn’t fill 6 scrips for oxycontin in two days at 6 different pharmacies, and I’m in serious post-operative pain right now!”), and allow identity thieves to open new financial accounts using stolen identifiers, tanking credit, etc., of innocent bystanders. So it’s not just about those risque photos. It’s serious, but we have been inured to the seriousness of the problem because it just keeps happening.