The latest revelation of a
cyber-attack on a health insurer - this time Excellus BlueCross
BlueShield - illustrates why it's so important for healthcare
organizations to frequently scrutinize systems for intrusions. The Excellus breach, which potentially
exposed information on 10.5 million individuals, was discovered on Aug. 5 but
apparently dates back to December 2013. Earlier, insurers Anthem
Inc., Premera Blue Cross and CareFirst Blue Cross Blue
Shield also reported massive breaches that went undetected for extended
periods. The four breaches combined potentially exposed information on more
than 100 million individuals. The
frequency of breaches in the healthcare industry shows that cybercriminals
are targeting the sector.
Primary Motives
So, what's the likely
motivation for the string of attacks on health insurers?
Insurance records are rich
in personal health information, making them exploitable for insurance fraud and
prescription fraud. There is more
sensitive information being leaked, which in turn gives attackers an added
incentive to sell that information. The disclosure of Social Security
numbers and other data points such as income, employment status and birth dates
allows criminals to create numerous fraudulent credit card accounts, causing the
victim additional fallout that can continue for many years to come.
One theory that some experts
offer is that over the past 12 to 18 months, attackers operating from China
have been hacking multiple sources to build databases of information relating
to U.S. residents, potentially for espionage purposes. But others caution that
attributing the source of any cyber-attack is tricky.
Excellus Breach
The attack on Excellus was
discovered on Aug. 5 after the health insurer, which is based in Rochester,
N.Y., hired cybersecurity firm Mandiant to conduct a forensic assessment of the
company's IT systems in the wake of multiple health insurers belatedly
discovering that their systems had been breached and member data stolen,
according to a company spokesman. Forensic experts have determined that the
cyber-attack on Excellus began in December 2013, the spokesman says.
Although the affected data
was encrypted, the hackers gained access to administrative controls, making the encryption moot,
the company spokesman says.
While health plans,
especially those affiliated with Blue Cross Blue Shield, appear to be a huge
target for hackers, other segments of the healthcare sector are also in the
bullseye. For instance, in July, healthcare provider UCLA
Health revealed that a cyberattack on parts of its network compromised
personal information of 4.5 million patients. UCLA Health says it appears that
the attackers may have had network access as early as September 2014.
Healthcare providers are
just the latest targets in the information battle with malicious adversaries.
Financial service and defense contractors have been battling these adversaries
for years. The lesson learned that can be applied to health insurers is to
evaluate the value of the information being stored and focus the most stringent
security controls around that data. For health insurers that is the personal
information of clients.
First and foremost, make
certain you are handling the basic blocking and tackling - for example,
employee security training, access control and configuration management -
before you try to do anything more sophisticated. Many breaches come through
phishing, an exploited vulnerability or username/password theft.