Hacker Attacks: Not Just Insurers at Risk
Analysts Ponder Who Could Be Targeted Next
The recently revealed breach of a database at CareFirst BlueCross BlueShield containing information on more than 1.1 million individuals is the latest evidence that hackers are targeting health insurers, and especially Blue Cross and Blue Shield organizations, for the vast amount of protected health information they hold. Security experts warn, however, that other types of organizations, including health information exchanges and large integrated delivery systems, as well as hospitals with electronic health records systems, could be the next targets.
Health insurers "are known to have very large databases of rich personal data that can be sold for identity theft purposes and fraud," says privacy and security expert Kate Borten, founder of The Marblehead Group consultancy. "Midsize and large healthcare provider organizations should also be on high alert for the same reason."
Baltimore-based CareFirst BlueCross BlueShield disclosed on May 20 that an "unauthorized intrusion" into a database dating back to June 2014 resulted in a breach affecting 1.1 million individuals. Other Blues plans that have recently reported cyber-attacks are Anthem Inc., which says its breach impacted 78.8 million individuals, and Premera Blue Cross, which says 11 million were affected by its hacking incident.
Katherine Keefe, who heads breach response at the cyber-insurance company Beazley plc, predicts that health information exchange organizations, due to the large volume of data they handle, as well as electronic health record systems at hospitals, which are often configured to provide easy access to harried clinicians in healthcare settings, could be the next targets for hackers.
"The goal of EHRs in a hospital setting is to help make clinical decision-making more efficient and effective, and provide access to clinicians who need this information quickly," she says. Also, role-based access controls, advanced authentication, and encryption aren't typically part of the equation for many of these systems, she says. "That technology is perceived to slow down access for clinicians, who'd rather err on the side of good clinical decisions," rather than worry about data breaches, she adds.
One reason why health insurers have proven to be prime targets for hackers, Keefe says, is that many of these companies have grown rapidly through mergers and acquisitions, with a patchwork of systems and security practices and "treasure troves" of data.
That's also true for many large integrated healthcare delivery systems, she adds. "There's been a lot of consolidation in the healthcare industry," she notes. For instance, Community Health System, a provider organization that last August revealed a hacker breach affecting 4.5 million individuals, has also grown in recent years through mergers and acquisitions, she says.
Meanwhile, some health insurers also boast about the tens of millions of enrollees they cover, which also catches the attention of cybercriminals, Keefe says. "It's like saying, 'come and get us'," she says. Data security needs to be "more front and center" at many healthcare organizations, she stresses.
While Blue Cross and Blue Shield affiliates, such as Anthem and Premera Blue Cross, are independent companies, they are linked together through the Blue Card program, in which these plans process each other's members' insurance claims, Keefe says.
"The Blue Cross Blue Shield [network] is simply so large that they are a 'rich' environment filled with some of the most valuable data when it comes to identity theft," says Brad Cyprus, chief of security and compliance at Netsurion, a provider of cloud-based services. "It is also possible that by being one of their affiliates, there is some common technology that has an issue that has not been identified or fixed.
"However, hackers are very much like sharks smelling blood. When one successful attack happens and sensitive data is exposed, every other hacker starts focusing on those systems in an effort to reap some rewards before things are fixed while potential vulnerabilities are still exposed. In BCBS's case, that leads to a perfect storm for continued attention from the hacker community."
In the CareFirst breach, it appears that segmentation of information helped minimize the amount of data the hackers were able to access. And that's an important lesson for others to learn, security specialists say.
"Segmentation of information is the name of the game in our modern threat landscape," says Marcin Kleczynski, CEO of Malwarebytes, a provider of anti-malware solutions. "Attackers are constantly increasing their ability to compromise secure networks, be it through new technologies or old-fashioned social engineering. To that end, treating a breach less like an 'it won't happen to me' scenario in favor of a stance that expects it can help those who are charged with securing the information make a more effective battle plan."
CareFirst, in a statement on its breach information website, says the attackers gained "limited, unauthorized access to a single CareFirst database." It notes: "Evidence suggests the attackers could have potentially acquired member-created user names created by individuals to access CareFirst's website, as well as members' names, birth dates, email addresses and subscriber identification number. However, CareFirst user names must be used in conjunction with a member-created password to gain access to underlying member data through CareFirst's website.
"The database in question did not include these passwords because they are fully encrypted and stored in a separate system as a safeguard against such attacks. The database accessed by attackers contained no member Social Security numbers, medical claims, employment, credit card or financial information."
CareFirst said the intrusion occurred in June 2014, but wasn't discovered until April 2015 after the insurer commissioned forensics vendor Mandiant to do a security review of the health plan's systems. Keefe of Beazley notes, however, that delayed breach discovery is common.
"Security technology is trying valiantly to keep up with hackers. Malware has the ability to cover its tracks, and often morphs into something that's hard to detect," she says. Nonetheless, many healthcare sector entities "need to re-order their priorities" and allocate more resources to breach prevention and detection, she adds.
Security and privacy expert Rebecca Herold, CEO of The Privacy Professor, notes: "I believe it is almost a certainty that many covered entities and business associates are hacked and don't know it. From what I've seen in the largest of hospital systems down to the one-doctor healthcare clinic, and in many healthcare insurance companies, there are often large numbers of PHI repositories that do not have access logs established."
Too many organizations have little to no network monitoring, a lack of comprehensive risk management practices, and too few security tools, including those for detecting security problems and logging access for everywhere PHI is stored, she says.
"Also, a lack of proper funding for security, and lack of ongoing training for information security staff," contribute to the problem, she notes. "Health insurance executives need to realize that it is significantly less expensive to invest more in information security than it is to continually clean up after privacy breaches; information security cost is a fraction of the costs of breaches."
CareFirst did not respond to a request by Information Security Media Group for comment.