The security breach against Anthem Blue Cross Blue Shield was the latest in a long line of data breaches affecting large organizations. Although there has been much media speculation regarding the attack, it is clear that the breach was very severe on two counts: the number of individuals impacted (80 million subscribers) and the sensitivity of the compromised data (names, dates of birth, member IDs, Social Security numbers, addresses, phone numbers, email addresses and employment information). At this time, media reports indicate that no evidence exists proving client data has been exploited.
Beyond the hype and sensationalism, Anthem’s security dilemma is no different from what any other large organization would face if breached. It is how an organization handles the situation (commonly referred to in the security industry as Incident Response 1) that makes a difference to the public and within the healthcare industry. It becomes a lesson in how organizations respond in similar situations.
There is speculation that the Anthem case was a very sophisticated attack, though uncertainty remains since the investigation is still underway. What is known is that a database administrator discovered his credentials were used to run a questionable query, one he didn’t initiate. Two days later, Anthem alerted federal authorities through HITECH that the incident was in fact a breach, and that as many as five administrators experienced compromised accounts.
There is also speculation that the attack originated from China and was requested by the Chinese government, according to a Washington Post 2 story on February 5, 2015. While there has been evidence that China has conducted cyber-attacks in the past, there is no evidence to date that they are responsible for this particular breach.
An attacker would typically use vulnerabilities in Java, Linux, IIS, Apache, Windows or even Adobe products to find a way into a critical system. However, cyber criminals can also obtain access through Social Engineering.3 It is unlikely that any security administrator would give their user ID and password to a stranger, which leads to a more likely scenario: a phishing attack. In today’s world of social media networks like Facebook, LinkedIn, Google and more (even resumes posted online), it is very easy to target a company and its employees by “phishing” for information about the type of technology used and who administers it. We’ll touch on this more in a minute.
It’s all about the data
Healthcare-related breaches can be expensive and, more importantly, life-threatening. A criminal can apply for a credit card with a limit of a few thousand dollars, but can use a stolen identity to obtain healthcare services worth hundreds of thousands of dollars.
According to a Ponemon study, approximately 1.8 million Americans were victims of medical identity theft in 2013 and 36% faced significant out-of-pocket expenses as a result.4
Access to protected health information (PHI) allows cybercriminals to incur medical expenses, place prescription drug orders or even alter a patient’s medical history. According to the Identity Theft Resource Center,5 the healthcare industry experienced more protected health information data breaches in 2013 than ever before, accounting for 44% of all breaches nationwide. Why the increase? Medical identity information is significantly more valuable than credit card numbers or social security numbers alone. According to the World Privacy Forum,6 the former has a street value of around $50 compared to a street value of $1 for credit card information. The average profit per medical record is $20,000 compared to just $2,000 for regular identity theft.
This new and emerging trend of healthcare cybercrime takes twice as long to detect and is difficult to address. Bank accounts can be closed and credit cards re-issued, but correcting medical records is far more complicated. The healthcare industry does not have the same level of monitoring and fraud detection as the financial sector.
There are three main ways criminals exploit the industry’s weakness:
- Classic medical identity theft, in which fraudsters print fake IDs and obtain medical care.
- Billing fraud, in which fraudsters establish fake clinics and bill payors for services and treatments never received.
- PHI theft, in which medical information is used to order prescription drugs which are then resold on the street at significantly higher prices.
Let’s go phishing
By using a more persistent and believable phishing approach (termed “spear phishing attacks” 7), in combination with social engineering attacks, cyber criminals can identify and exploit vulnerabilities. It is possible that the data breach was a result of a spear phishing attack, in which the hacker(s) identified a vulnerability in Anthem’s system, installed a keystroke logger or extended a session, and obtained the administrator’s credentials. Only the results of the final investigation will tell.
Healthcare organizations which fall victim to this type of breach will subsequently spend millions to audit their environment, install additional security technologies and alter security procedures. Further, they will continue to spend millions on credit fraud monitoring for clients over the next several years and face lawsuits as the investigation continues.
On February 10, 2015, the Attorneys General of 10 States sent an official letter 8 directly to the Anthem CEO Joseph Swedish complaining about the “lack of response” to their constituents and the need for reassurances from the company. The letter was sent within 24 hours of Anthem’s Incident Response plan by Connecticut Attorney General George Jepsen on behalf of the other AGs in Arkansas, Illinois, Kentucky, Maine, Mississippi, Nebraska, Nevada, Pennsylvania and Rhode Island.
Companies like Anthem, Sony, Target, Home Depot and others who have been hacked typically scramble to initiate Incident Response measures because processes are often not fully documented or tested. Preparing an Incident Response plan is not just an IT function; rather it crosses the boundaries of Legal, HR, Marketing/Communications, and in the case of Anthem, Regulatory Compliance operations.
Legislation on cyber attacks is underway at both the State and Federal levels. For example, the New York Department of Financial Services (NYDFS) just recently launched cyber security assessments for insurance companies 9 in the state. Along with the cyber security exams, NYDFS says it will "put forward" enhanced regulations requiring insurers to meet heightened standards for cyber security.
However, this is just the start. Similar to the banking industry in the 1990s, the healthcare industry will need to drive new security technologies around Healthcare Cyber Security. Although HIPAA, HITECH and Meaningful Use regulations are currently in effect, they do not include the same technology standards as Payment Card Industry (PCI), Financial Industry Regulatory Authority (FINRA), or even Sarbanes-Oxley Act (SOX) regulations in the financial services sector.
The healthcare industry should follow in the financial sector’s footsteps and strengthen its security around real-time threat management and big log data analytics. Common security terms such as “Intrusion Detection/Prevention” 10, “Identity Access Management” 11 and “Security Event Management” 12 emerged as a direct result of changes in the financial sector. The sheer number of financial industry “checks and balances” has dramatically reduced fraud. The growing pains are similar and the data has a high dollar value in both industries. Hopefully the attack against Anthem serves as fair warning for other healthcare organizations.
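As an added example (not code from the original article or from Continuum), the sketch below shows the kind of log-analytics check a security event management tool would run over database audit logs: it baselines each account's usual source hosts and result sizes, then flags a privileged account's query that arrives from a host it has never used or returns far more rows than normal, which is the pattern the DBA in the Anthem case noticed by hand. Account names, host names and log lines are constructed; the log format is an assumed four-field layout.

```python
"""Baseline-and-flag check over constructed database audit-log lines."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample audit lines: timestamp, account, source host, rows returned.
BASELINE_LOG = """\
2015-01-20T09:02:11 dba_alice dba-wks-01 120
2015-01-20T11:45:03 dba_alice dba-wks-01 85
2015-01-21T10:12:47 dba_alice dba-wks-01 200
2015-01-21T14:30:00 dba_alice dba-wks-02 150
2015-01-22T09:55:21 app_svc app-srv-07 40
2015-01-22T16:05:09 app_svc app-srv-07 55
"""
NEW_EVENTS = """\
2015-01-27T02:14:33 dba_alice vpn-pool-213 8000000
2015-01-27T10:01:05 dba_alice dba-wks-01 110
2015-01-27T10:20:44 app_svc app-srv-07 48
"""
PRIVILEGED = {"dba_alice"}  # accounts whose activity gets the stricter host check

def parse(log):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in log.splitlines():
        ts, user, host, rows = line.split()
        events.append({"ts": ts, "user": user, "host": host, "rows": int(rows)})
    return events

def build_baseline(events):
    """Per account: set of hosts seen and list of result sizes seen."""
    hosts, rows = defaultdict(set), defaultdict(list)
    for e in events:
        hosts[e["user"]].add(e["host"])
        rows[e["user"]].append(e["rows"])
    return hosts, rows

def score(event, hosts, rows, z_threshold=3.0):
    """Return the list of reasons this event deserves analyst review."""
    reasons, user = [], event["user"]
    if user in PRIVILEGED and event["host"] not in hosts.get(user, set()):
        reasons.append("privileged account from unseen host")
    hist = rows.get(user, [])
    if len(hist) >= 2:  # need a baseline before judging result size
        z = (event["rows"] - mean(hist)) / (pstdev(hist) or 1.0)
        if z > z_threshold:
            reasons.append(f"result size z={z:.1f} above baseline")
    return reasons

def find_alerts(baseline_log=BASELINE_LOG, new_log=NEW_EVENTS):
    """Return (timestamp, account, reasons) for every flagged new event."""
    hosts, rows = build_baseline(parse(baseline_log))
    scored = [(e["ts"], e["user"], score(e, hosts, rows)) for e in parse(new_log)]
    return [s for s in scored if s[2]]
```

Only the 02:14 query from the unfamiliar VPN address with an eight-million-row result is flagged; the same account's routine daytime query from its usual workstation is not.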
To discuss how the Continuum Health Platform can help protect personal health information within your practice, group or hospital/health system, please contact: Devon Swanson, (856) 782-3300 ext. 2419 or [email protected].