
Why Healthcare Is Becoming the Most Desirable Hacker Target



As daylight dwindled Tuesday, Mountlake Terrace, Wash.-based health insurer Premera Blue Cross announced that it was the victim of a major cyberattack, which may have exposed medical data and the financial information of nearly 11 million customers. The healthcare sector is especially susceptible to attacks—much more so than financial institutions—due to its apparent complacency and inexperience in dealing with such threats, SurfWatch Labs chief security strategist Adam Meyer told DC Inno.

.@premera been the victim of a sophisticated #cyberattack. Summary of what we know and credit monitoring provided: http://t.co/1mzzfZ90s4

— Premera Blue Cross (@premera) March 17, 2015

The Affordable Care Act's efforts and influence further illustrate an interesting microcosm of digitizing health data. Though the law may be leading to better sharing of information across healthcare networks, it has also increased cyber risk exposure. The issue is that, while the ACA may be good for patient care, the agency and those accountable for its security need to open their eyes and treat cybersecurity as a part of their enterprise risk management program, according to Meyer.

Approximately 100 million medical records have been breached in the last year, affecting more individual consumers than the Target and Home Depot data breaches combined. But unlike payment information, in the form of credit card information, privacy and health information cannot be easily changed. A customer cannot reset their name, DOB, SSN and address the way that one can with payment information.

Meyer puts it this way: “As the financial sector increases their cyber defense abilities attackers are naturally going to pivot to a softer target and Healthcare is that softer target. Unfortunately many healthcare organizations still base their security programs off of compliance and regulatory efforts and not focused on risk exposure.”

The attack follows in the footsteps of the Anthem Insurance data breach, which occurred only one month ago, exposing the information of nearly 79 million people. Analysts have already begun to draw conclusions on probable ties and the similar technique used to infiltrate the system. The not-for-profit health insurer said it detected the breach on Jan. 29, but the incursion may have initially occurred last May. Some of Premera’s major clients include Microsoft and Starbucks. The cyberattack is now the subject of an FBI probe, meaning that details concerning the attack will remain undisclosed.

“Based on the timeframes used as well as the methods being reported so far they appear to have enough similarities to raise an eyebrow for sure. There is speculation the Chinese-sponsored hacking group known as (among other names) ‘Deep Panda’ may be behind the attack,” Meyer said.

Anthem spokeswoman Kristin Binns has said that “there is no evidence to indicate our members’ data has been used inappropriately as a result of this attack. We have no evidence at this time that fraud has occurred.” But Meyer pointed to another concern that may override the importance of attribution, “if a criminal is using your name, DOB, SSN and address to take out a fraudulent loan for example how would anyone know where that information originated from? Maybe this is a Deep Panda event and the motive is not financially driven but also maybe it’s not, the fact still remains that it happened and there will be another one to come.”

Malware signatures used in the Anthem hack have been spotted in another piece of malicious software connected to the Web address prennera.com, a faux domain registered in December 2013. The address is a clear misspelling of premera.com, used to misdirect users before a trojan more than likely compromised their local system, Meyer told DC Inno. As the SurfWatch CSS put it, “You don’t need to hack the ‘front door,’ especially with such a large base of employees who are vulnerable to phishing scams.”
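A defender-side sketch of how a lookalike such as prennera.com can be flagged in DNS query logs, added here as an illustration and not taken from the article or from SurfWatch Labs. The protected-domain list, the confusable pairs, the two-label domain rule and the log lines are all assumptions constructed for the example.

```python
from typing import Optional

PROTECTED = {"premera.com"}  # assumption: domains the organisation owns
# Sequences that read as one letter at a glance, plus common digit swaps.
CONFUSABLES = [("rn", "m"), ("nn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

def skeleton(name: str) -> str:
    """Collapse look-alike sequences so visually similar names compare equal."""
    for seq, repl in CONFUSABLES:
        name = name.replace(seq, repl)
    return name

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def registrable(qname: str) -> str:
    """Simplification: keep the last two labels (real code needs the Public Suffix List)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def classify(qname: str) -> Optional[str]:
    """Return the protected domain that qname imitates, or None."""
    dom = registrable(qname)
    if dom in PROTECTED:
        return None
    for good in PROTECTED:
        if skeleton(dom) == skeleton(good) or edit_distance(dom, good) <= 1:
            return good
    return None

# Constructed DNS query log: timestamp, client IP, queried name.
SAMPLE_LOG = """\
2015-03-02T09:14:02Z 10.0.4.17 www.premera.com
2015-03-02T09:14:40Z 10.0.4.23 prennera.com
2015-03-02T09:15:11Z 10.0.7.5 premerra.com
2015-03-02T09:16:30Z 10.0.7.9 example.org
"""

def scan(log: str) -> list:
    """Return (client, queried domain, imitated domain) for each suspicious line."""
    rows = (line.split() for line in log.splitlines())
    return [(c, registrable(q), classify(q)) for _, c, q in rows if classify(q)]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

The skeleton comparison is what catches the "nn" for "m" swap, which sits two edits away from the real name and would slip past a distance-one check alone.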

“I believe for the foreseeable future they [healthcare insurers/providers] will continue to be a target and it will remain so until the culture changes from treating this as a pure regulatory or compliance effort and into a business resilience and enterprise risk issue. Regarding legislation and regulation, I think time will tell, we may find that a combination of regulatory impacts as well as market impacts i.e. losses from the breach as well as litigation impacts may be enough of the proper motivation for some culture change.”

