The theft of 80 million healthcare records will cost Anthem Blue Cross more than $100 million, and payment companies are also under threat, since the incident may result in a spike in fraudulent card accounts.
A stolen password allowed hackers to get into an Anthem database that stored client and employee records, including Social Security numbers that were not encrypted, according to The Wall Street Journal.
The Anthem breach, which is considered one of the largest cyber breaches in U.S. history, also allows criminals to create an unlimited number of false identities to open credit card accounts or bank accounts with the intent to steal or launder money.
While the payments industry has had a number of recent data breaches, its anti-fraud technology and strategy are more advanced than many other industries, said Richard Moulds, vice president of strategy and product management for Thales e-Security.
"We do a lot of outreach to the health-care industry about data security, and we tell them to look at what the payments people do," Moulds said. "It's not perfect, but the payments industry has a pretty tight record when you consider all of the banks, processors and payment engines out there."
For example, the payments industry has the Payment Card Industry data security standards, a fraud-prevention step that no other industry has in place, Moulds said.
"Some very sophisticated security people put PCI-DSS together, but these other industries shouldn't look at that as payments specific," Moulds added. "You can adopt these methodologies into other industries to secure most any form of data."
Industries need to require data encryption, Moulds said, adding that it is equally important to deploy encryption properly, in a system where the encryption keys themselves are kept secure and access to them is limited.
"Most organizations don't have very mature processes for keeping secrets," Moulds said. "That's not just a security problem, it is an operational problem and a state of conflict within most organizations."
The PCI Security Standards Council requires merchants to store encryption keys in a hardware security module (HSM), or be left off of PCI's list of approved vendors.
Non-payment companies should get more security attention as the payments industry migrates to EMV chip-based cards at the point of sale in the U.S. Payment security efforts are focused on online payments, which EMV does not protect, but breaches in other industries can leak personal data that hackers then use to compromise payment accounts.
As such, the threat is spiking for healthcare and education, said Al Pascual, senior analyst for Javelin Strategy & Research. The health care and education industries are just now "coming around" to understanding the complexities of protecting data in a digitized world, Pascual said.
Universities have many young students with the technical acumen to be involved in system hacking, Pascual said. In the same way, many health care companies have employees with broad access to large amounts of information. Whether those employees are careless with security measures or inclined to steal data themselves, the result is the same.
"You don't want to call it an 'insider' atmosphere, but when you look at something like the Sony hack, the first thing you do is look at your employees because they have more access to the information than your average Joe," Pascual said.
Though the FBI has accused North Korea as the perpetrator of the Sony hack, security experts say it could have been pulled off by anyone, including a disgruntled employee.
Even though PCI data security standards are "primarily geared for external threats," there are controls for keeping card data out of the hands of those who work at businesses that accept card payments, Pascual said.
Other industries need to take that cue in addition to using encryption and monitoring identification and access for vendors, Pascual added. "There are things that scale across industries."