Governance & Risk Management , Incident & Breach Response , Managed Detection & Response (MDR)
Anthem Breach Sounds a Healthcare AlarmGuarding Against Hackers Now an Urgent Concern
The announcement from health insurer Anthem Inc. that a hacking incident compromised a database reportedly containing personal information for up to 80 million individuals makes it crystal clear that the healthcare sector has become a new favorite target for hackers.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
"The lesson to be learned from this incident is that outsiders see great value in the data maintained by healthcare providers, health plans and business associates," says attorney David Holtzman, vice president of compliance at security consulting firm Cynergistek. "Organizations must be proactive in evaluating their networks and scanning for gaps in the safeguards to their data."
In the wake of the Feb. 5 revelation of the breach, the healthcare industry is anxiously awaiting more details about the nature of the attack. A senior White House official and lawmakers are saying the incident is part of a disturbing trend of massive data breaches impacting consumers' information. And security experts say the incident could be a strong catalyst for healthcare to ramp up data security to catch up to other business sectors.
Anthem told the Los Angeles Times that suspicious activity was first noticed and reported Jan. 27. Two days later, an internal investigation verified that the company was a victim of a cyber-attack. The affected database was not encrypted, according to the news report.
Some news reports are already pointing the finger at Chinese hackers as the possible culprits in the Anthem attack. But in this early stage of the investigation, security experts urge skepticism about attribution (see: Anthem Breach: Chinese Hackers Involved?).
Biggest Healthcare Breach?
When details of the Anthem breach are confirmed, it's highly likely the incident will rank as the largest health data breach since enforcement of the HIPAA breach notification rule began in September 2009 (see Update: Top 5 Health Data Breaches). The federal tally of major healthcare breaches now lists an incident involving the military health plan TRICARE and affecting 4.9 million individuals as the biggest breach. And the largest hacking attack in the healthcare sector, before Anthem, was an incident involving Community Health Systems last summer, which affected 4.5 million individuals.
A spokeswoman for the Department of Health and Human Services' Office for Civil Rights, which oversees HIPAA enforcement, confirmed to Information Security Media Group that the Anthem incident has not yet been reported to OCR, although the incident would qualify as a breach under HIPAA, based on the type of information the company says was exposed.
Anthem says compromised information includes current and former members' and employees' names, birthdays, medical IDs/Social Security numbers, street addresses, e-mail addresses and employment information, including income data.
"Any organization that holds sensitive data is at risk," the OCR spokeswoman says. "This is why it is so important that HIPAA covered entities and their business associates assess and address the risks to the ePHI. Organizations should conduct a careful review of their risk analysis and risk management plans to ensure that appropriate safeguards are in place to address the threats and vulnerabilities to individuals' data."
The massive Anthem incident immediately caught the attention of top U.S. government officials. White House cybersecurity czar Michael Daniel - officially a special assistant to the president and cybersecurity coordinator - touched on the Anthem breach in a Bloomberg-hosted webinar on February 5 devoted to the Obama administration's cybersecurity agenda.
"Obviously it's quite concerning that we would have yet another intrusion of this size, following on what some people have referred to, 2014, as the 'Year of the Intrusion' or the 'Year of the Hack,'" Daniel said, noting that he is also a potential victim of the Anthem breach.
While Daniel confirmed that the FBI is investigating the intrusion, he declined to comment further on the breach, noting that it was still "early on" in the investigation. "I'm sure we'll be learning a lot more over the next few days as we dig in, and learned what happened to them," he said.
But Daniel did offer this advice to consumers who may have been affected: "Watch your credit score and your identity tracking. Obviously maybe change the password you use that's associated with that, which would include me."
White House Cybersecurity Coordinator Michael Daniel discusses Anthem breach.
Some members of Congress were also quick to weigh in about the Anthem breach.
"Alongside the recent cyberattack on Sony, the hacking of Anthem shows the urgent need to improve our nation's cybersecurity infrastructure," says Rep. Devin Nunes, R-Calif., chairman of the House Permanent Select Committee on Intelligence.
Rep. Lynn Westmoreland, R-Ga., Chairman of the Intelligence Committee's NSA and Cybersecurity Subcommittee, said: "The Anthem hack shows the immediate need for enhanced cybersecurity measures, for both national security purposes and to protect our citizens. The hackers have exposed the weaknesses in our current system, and have jeopardized sensitive and personal data. I find this breach is unacceptable and will work hard to review and strengthen our nation's cybersecurity laws to improve our defenses against cyber attacks."
The Anthem breach will be "a game changer" because it could potentially affect 25 percent of the U.S. population, says Rebecca Herold, partner and co-owner of HIPAA Compliance Tools and CEO of The Privacy Professor. "This could establish a starting point for state attorneys general taking more action to enforce HIPAA, given the vast proportion of the population involved," she says.
Anthem CEO Joseph Swedish portrayed the breach incident as a "very sophisticated external cyber-attack." But not everyone is buying that explanation, based on the company's track record.
"Call me a skeptic; I am not yet convinced that this was the result of a sophisticated attack on a high-value target," says Holtzman, a former senior adviser at the Department of Health and Human Services' Office for Civil Rights. "Recall that in 2013 ... Wellpoint Inc. [now called Anthem] settled with OCR for $1.7 million over allegations of improper safeguards for e-PHI," he notes. "The evidence in that incident was that over a period of more than six months, Anthem BC/BS of California allowed unauthorized access through its online health insurance application portal. The cause was found to be technical modifications performed to applications associated with the website had not been tested or checked to see if they performed as intended. The critical gap it created allowed outsiders - today we call them hackers - to access the information system."
Why Healthcare Is Vulnerable
The Anthem incident reinforces that healthcare needs to shore up its approach to cybersecurity, says Michael Yamamoto, manager of information systems security at Beth Israel Deaconess Medical Center in Boston. "We need to strengthen information security, policy, and technology; detect and respond faster; and educate stakeholders, protecting the valuable information we're entrusted with," he says. "This breach serves as a reminder of that duty."
David Kennedy, CEO of security consulting firm TrustedSec, says hackers are now shifting gears to target healthcare because other industries are more secure. "The medical industry really needs to step it up and protect their personal information. Having access to 80 million individuals personal information is bad," he says. "A breach can occur to anyone, but there needs to be better protection around consumer data."
It's not just large companies like Anthem - which is the second largest health insurer in the U.S. - that need to be on heightened alert about the threat hackers pose, says Cynergistek's Holtzman.
"All organizations that maintain health information, patient claims and payment data are high value targets," he says. "The risk is that small and medium-size organizations may become jaded into thinking they are too small to of interest to cybercriminals or insiders who want to steal their information."
Kennedy of TrustedSec calls on healthcare organizations to use "appropriate and proven technologies such as hashing, encryption, and other methods to protect information. ... There are practices that, if followed, can make it extremely difficult for a hacker to compromise an organization. It's about going back to good practices, and the fundamentals."
Mathew J. Schwartz, managing editor, and Jeffrey Roman, news writer, contributed to this article.