Premera Blue Cross revealed earlier this week that it was the target of a cyber attack last year that may have affected 11 million customers. It is the latest major healthcare data breach, following the attack on health insurer Anthem disclosed in February 2015, which may have affected 80 million people.
This incident affected Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and the affiliate brands Vivacity and Connexion Insurance Solutions, Inc. The Premera breach is particularly troubling on three fronts. First, the type of data that was compromised. The Anthem breach exposed names, addresses, birthdays, income information and Social Security numbers; the Premera attackers obtained similar identity data but also took protected health information (PHI), including patient histories, claims information and clinical information dating back to 2002.
PHI is valuable on the black market because it is highly personal, static data. Unlike a payment card number, a medical history or Social Security number cannot be reissued after a breach, which makes it well suited to stealing someone's identity for years to come.
Second is the delay between compromise, detection and announcement. Premera reports that the intrusion occurred in May 2014 but was not discovered until January 29, 2015, a time to detection of roughly eight months, with public notification following only after that. Companies must detect intrusions and notify affected customers far faster than this if customers are to have any chance of protecting themselves.
Third, who is behind these attacks? Several indicators point to China, including analysis of malware samples that are consistent with those associated with Chinese APT activity. Several computer security companies have published data indicating that the attackers may be a Chinese government-sponsored group.
Security blogger Brian Krebs reports that the attackers appear to be the group tracked as Deep Panda and Group 72, the same group that likely penetrated Anthem. Neither the FBI nor Mandiant has publicly confirmed these attributions, but the public analysis so far agrees that the perpetrators are based in China.
Impacts: Potential Uses of Healthcare Data
With many data breaches, the assumption is that the goal is simply to sell the information to identity thieves. But with some in the intelligence community speculating that the Chinese government funds these groups, the end game could be much more serious: the stolen data could fuel social engineering aimed at infiltrating US government agencies and technology firms.
In the case of Anthem, over half of the federal workforce are Anthem members, while Premera insures employees of large technology companies, including Microsoft and Amazon. In either case, the stolen details (birth dates, addresses, Social Security numbers, medical history) are exactly what is needed to answer account-recovery questions or to talk a help desk into resetting a federal or tech employee's password. Against tech firms, that access could in turn be parlayed into intellectual property theft.
Adapting to the New Normal
Both insurers have distanced themselves from responsibility, describing themselves as "victims of sophisticated cyber attacks". Is that really a fair characterization? The reality is that this environment is the "new normal". Security professionals should treat attacks of this kind as expected rather than exceptional.
The healthcare industry needs to accept that the burden is on it to anticipate these threats and to prepare for them adequately.
1. Employ Stronger Authentication
We recommend multi-factor authentication, ideally with a hardware token or other possession factor rather than a second password. This is most important for remote access, where a stolen or phished password on its own should never be enough to get in.
2. Utilize Better Encryption
Stronger encryption of stored data is an important safeguard, but it is only effective when paired with careful key management. If the keys sit next to the data they protect, or any compromised application account can ask the database to decrypt on its behalf, the attacker reads the data in the clear and the encryption adds nothing. The devil is in the details: where keys are stored, who can use them, and how they are rotated determine whether the encryption means anything.
3. Improve Anti-Phishing Controls
Companies need to do a better job of training employees to spot phishing attempts, which remain the easiest entry point for attackers. The training is well worth the time. The most effective programs run internal campaigns that mimic real phishing attacks and follow up with the employees who click; this approach has proven very effective at raising awareness and teaching people what to avoid.
4. Enact Network Segmentation
Segmentation lets companies isolate the most sensitive data, such as PHI and claims databases, behind stricter controls, so that compromising an employee workstation or a public-facing server does not by itself give access to member records. Pair it with multi-factor authentication for anyone who crosses into the sensitive segment.
5. Add Monitoring Systems
Monitoring systems let you detect and respond to attacks sooner. A shorter MTTD (mean time to detect) leads to a shorter MTTR (mean time to respond), which limits how far an intruder gets and how much data leaves before you can isolate the damage. For a breach like Premera's, the eight months between intrusion and discovery is exactly the gap that monitoring has to close.
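To make the monitoring point concrete, here is an added example (not code from the original post or from LBMC) of one detection that directly addresses the kind of data loss described above: an account reading an unusual number of distinct member records in a short window. The log format, field names, the one-hour window and the 20-record threshold are all assumptions, and the sample log lines are constructed for the example. Each alert records how long the burst ran before the rule fired, which is the detection lag this rule contributes to MTTD.

```python
"""
Added example (not from the original post): a small bulk-access detector that
runs over constructed PHI audit-log lines and reports how long each burst went
unnoticed. Field names, thresholds and the log format are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Assumed log format: "<ISO timestamp> user=<id> action=<verb> record=<member id> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"record=(?P<record>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one audit line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%S")
    return event


def detect_bulk_access(lines, window=timedelta(hours=1), threshold=20):
    """Alert when one account reads more than `threshold` distinct member
    records inside any sliding `window`. Returns one alert per account."""
    events = [e for e in (parse_line(l) for l in lines) if e and e["action"] == "read"]
    events.sort(key=lambda e: e["ts"])

    recent = defaultdict(deque)   # user -> (timestamp, record) pairs still inside the window
    alerted = set()
    alerts = []
    for e in events:
        q = recent[e["user"]]
        q.append((e["ts"], e["record"]))
        # Drop reads that have aged out of the window.
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {record for _, record in q}
        if len(distinct) > threshold and e["user"] not in alerted:
            alerted.add(e["user"])
            alerts.append({
                "user": e["user"],
                "src": e["src"],
                "records": len(distinct),
                "first_seen": q[0][0],
                "detected_at": e["ts"],
                # Time between the start of the burst and the alert: the
                # detection lag this rule would contribute to MTTD.
                "seconds_to_detect": int((e["ts"] - q[0][0]).total_seconds()),
            })
    return alerts


def build_sample_log():
    """Constructed sample: one claims examiner working normally, and one service
    account pulling 30 member records in 15 minutes from an outside address."""
    base = datetime(2015, 1, 29, 8, 0, 0)
    lines = []
    for i in range(6):
        ts = base + timedelta(hours=i)
        lines.append(f"{ts.isoformat()} user=claims01 action=read record=M{1000 + i} src=10.1.2.30")
    for i in range(30):
        ts = base + timedelta(hours=2, seconds=30 * i)
        lines.append(f"{ts.isoformat()} user=svc_backup action=read record=M{5000 + i} src=198.51.100.7")
    lines.append("this line is not an audit record")
    return lines


if __name__ == "__main__":
    for alert in detect_bulk_access(build_sample_log()):
        print(f"{alert['user']} read {alert['records']} records from {alert['src']} "
              f"starting {alert['first_seen']}; flagged after {alert['seconds_to_detect']}s")
```

On the constructed sample the examiner never trips the rule, while the service account is flagged ten minutes into its pull, after the 21st distinct record. A real deployment would baseline the threshold per role rather than use one global number, and would feed alerts to a responder rather than print them, but the shape of the check is the same: per-account volume of sensitive-record access over a sliding window.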
Check out our free guide, Breach: Network Security Best Practices for Prevention, Detection, and Response, for more information on ensuring the safest network security for your firm.
On LinkedIn or Twitter? Follow us on LinkedIn and on Twitter @lbmcsecurity. Learn more about how our team at LBMC Information Security can help your team armor up with a wide range of network defense services. Contact us today!