The latest revelation of a cyber-attack on a health insurer – this time Excellus BlueCross BlueShield – illustrates why it’s so important for healthcare organizations to frequently scrutinize systems for intrusions, security experts say.
The Excellus breach, which potentially exposed information on 10.5 million individuals, was discovered on Aug. 5 but apparently dates back to December 2013. Earlier, insurers Anthem Inc., Premera Blue Cross and CareFirst Blue Cross Blue Shield also reported massive breaches that went undetected for extended periods. The four breaches combined potentially exposed information on more than 100 million individuals.
“The attack on Excellus is related to attacks on Anthem, Premera and Carefirst in that this is clearly a hacking campaign against insurers,” says Dan Berger, CEO of the security consulting firm Redspin. “The large concentrations of data that they store on their millions of members make them prime targets for hackers. As I often say, ‘hackers phish where the fish are. I would say it is highly likely that all of the Blues have been targeted.”
The frequency of breaches in the healthcare industry shows that cybercriminals are targeting the sector, says Jay Schulman, managing principal at security software firm Cigital. “Ongoing assessments and tests are critical to identifying areas of vulnerability before sensitive data is at risk, especially since many breaches aren’t obvious to the organization,” he notes.
“It’s not only about building effective software that adheres to compliance standards; healthcare organizations also need to build security in so that applications and software can tell you when something is going wrong,” Schulman stresses.
So, what’s the likely motivation for the string of attacks on health insurers?
“Insurance records are rich in personal health information, making them exploitable for insurance fraud and prescription fraud,” Berger says.
Any organization holding sensitive personal information is a potential target for hackers, says Philip Casesa, director of product development and portfolio management at (ISC)², an information security professional certification organization. “We’re learning, through the discovery of this year’s inventory of breaches, that an identity breach can essentially be far more damaging than that of a credit card breach,” he says.
“There is more sensitive information being leaked, which in turn provides attacker an added incentive into selling that information. The disclosure of Social Security numbers and other data points such as income, employment status and birth dates allow criminals to create numerous fraudulent credit card accounts, causing the victim additional fallout that can continue for many years to come.”
Some security experts, including researchers at threat intelligence product and services vendor ThreatConnect, claim they see signs that the recent U.S. Office of Personnel Management hack attack, which affected more than 22 million current and former government workers, is connected to the breach of healthcare insurer Anthem (see OPM breach: Unanswered Questions.)
One theory that some experts offer is that over the past 12 to 18 months, attackers operating from China have been hacking multiple sources to build databases of information relating to U.S. residents, potentially for espionage purposes. But others caution that attributing the source of any cyber-attack is tricky.
“The attacks on personal information from insurers like Anthem, Premera and the government, in the case of OPM, are unprecedented,” Casesa says. “The speculation that foreign governments are capturing this information and mining it for exploitation opportunities is frightening. Failures to protect this personal information has left our citizens at risk for identity theft, extortion and health insurance fraud. It’s too early to tell if these attacks are related, but the potential risks to those exposed are the same either way.”
As for health insurers, what are potential weak spots making these companies easy targets for hackers?
“If technologies are shared, such as claims processing systems, attackers could be exploiting vulnerabilities common to all Blue Cross Blue Shield organizations using that technology,” says security and privacy expert Kate Borten, founder of consulting firm The Marblehead Group. “However, I wouldn’t be surprised if attackers are simply exploiting various network vulnerabilities at each organization. Keeping networks secure is a constant challenge as the bad guys become increasingly sophisticated and/or use more sophisticated tools.”
The attack on Excellus was discovered on Aug. 5 after the health insurer, which is based in Rochester, N.Y., hired cybersecurity firm Mandiant to conduct a forensic assessment of the company’s IT systems in the wake of multiple health insurers belatedly discovering that their systems had been breached and member data stolen, according to a company spokesman. Forensic experts have determined that the cyber-attack on Excellus began in December 2013, the spokesman says.
Although the affected data was encrypted, the hackers gained access to administrative controls, making the encryption moot, the company spokesman says.
While health plans, especially those affiliated with Blue Cross Blue Shield, appear to be a huge target for hackers, other segments of the healthcare sector are also in the bullseye. For instance, in July, healthcare provider UCLA Health revealed that a cyberattack on parts of its network compromised personal information of 4.5 million patients. UCLA Health says it appears that the attackers may have had network access as early as September 2014.
“Healthcare providers are just the latest targets in the information battle with malicious adversaries,” Casesa notes. “Financial service and defense contractors have been battling these adversaries for years. The lessons learned that can be applied to health insurers is to evaluate the value of the information being stored and focus the most stringent security controls around that data. For health insurers that is the personal information of clients.”
Richard Barger, chief intelligence officer at ThreatConnect, says health insurers and other organizations should be taking steps now to defend against cyber-attacks.
“First and foremost, make certain you are handling the basic blocking and tackling – for example, employee security training, access control and configuration management – before you try to do anything more sophisticated. Many breaches come through phishing, an exploited vulnerability or username/password theft,” he says.
Knowing who is targeting you and how, before the incident ever occurs, is the best defense, he adds. “By joining a threat intelligence community, subscribing to intelligence feeds or even just aggregating all of your own data or analysis, you can metaphorically watch ‘game footage’ of your adversary, understand their capabilities and infrastructure, and then create a playbook to line up your defense against them.”