The Premera Blue Cross hack is a reminder of the treasure trove healthcare data represents to hackers.
Bank account information. Physical addresses. Email addresses. Social Security numbers. Clinical information. All exposed in the latest healthcare cyberattack. This time the target was Premera Blue Cross, a Pacific Northwest health insurer, which reported Tuesday that up to 11 million patient records had been breached.
According to Premera, the breach was discovered on January 29th, the same day that Anthem Blue Cross uncovered a breach affecting almost 79 million customers, although Premera representatives say that the hacks were separate and the breaches were discovered independently. Krebs on Security, however, summarizes some important similarities between the attacks. Investigations are ongoing, but both appeared to use lookalike domain names to deliver malware to unsuspecting employees.
However they got in, and whoever “they” are, the message remains the same: Healthcare data has incredible value, both on the black market and for espionage. The information is detailed, specific, and much harder to detect when used for fraud than credit card data. The Community Health Systems breach revealed last year that affected 4.5 million patients now seems relatively small and we can only expect attacks on healthcare organizations to become more frequent, larger, and more destructive.
Healthcare data is a goldmine for hackers. In the case of both Anthem and Premera, the attacks went on for several months without detection. Premera, on the advice of law enforcement, waited six weeks after discovering the breach to disclose it. Relatively easy targets, longer time to detection, and high-value data all mean bigger payoffs with lower risk for cybercriminals.
Even if payoffs aren’t financial (for state actors engaged in espionage, for example), healthcare data often contains far more actionable information about individuals. Consider that Anthem Blue Cross insures millions of government workers while Premera Blue Cross insures employees at some of the biggest technology companies in the world, including both Amazon and Microsoft.
So what’s the takeaway? Any solution to the vulnerability of healthcare data requires a multi-pronged approach:
Although the Health Insurance Portability and Accountability Act (HIPAA) is the law of the land when it comes to healthcare, HIPAA does not mandate encryption of internal patient data; under the Security Rule, encryption is an "addressable" specification rather than a required one. Encryption isn’t a cure-all for patient data breaches. If hackers are able to steal the right network credentials (as in Premera’s case), the application will decrypt the data on their behalf just as it would for the legitimate user, so encryption at rest does nothing against misuse of valid accounts. But it is a significant barrier to hackers who lift database files or backups directly, and it is a worthwhile and reasonable protection. It’s worth noting that Anthem’s patient data was not encrypted.
Network protection begins at the edge, of course, and the right firewalls and intrusion prevention and detection systems are critical. As we’ve seen, though, many attacks function by infiltrating the network with stolen credentials, meaning that internal network firewalls and robust systems that can detect unusual activity or exfiltration efforts can limit a hacker’s reach once inside the network. Comprehensive endpoint protection provides an additional layer of security while dedicated email gateways can detect many of the more sophisticated phishing schemes that entice employees to provide personal data and login information.
All too often, employees are the weakest links in the security chain. Spear phishing attacks look incredibly legitimate, as do many so-called watering hole attacks (often fake websites that mimic trusted sites, such as prennera.com, a lookalike of premera.com that researchers believe may have been used to gather information from Premera employees). Employees need to be absolutely aware that they will never be asked for login credentials or personal information via email, and they should understand precisely which systems are legitimate corporate tools and which are potentially worrisome. When in doubt, employees should never hesitate to ask, and they should be actively encouraged to do so.
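The lookalike-domain trick mentioned above (prennera.com standing in for premera.com) is one of the few parts of this story that a defender can turn directly into detection logic: compare every domain your users resolve or receive mail from against the brands you care about, and flag near-misses. The script below is an added example written for this post, not Fortinet's code or anything Premera or Anthem deployed. The log format, client addresses and every domain other than prennera.com are constructed for the example, and the registrable-domain split is a deliberately naive "last two labels" rule (production code should use the Public Suffix List).

```python
"""Flag lookalike (typosquatted / homoglyph) domains in DNS query logs.

Added example for this article; the log lines and the protected-brand list
below are constructed, not real Premera or Anthem data.
"""
from __future__ import annotations

import re
from typing import NamedTuple

# Brands this organisation wants to protect (assumption: a static list).
PROTECTED = ["premera.com", "anthem.com"]

# Constructed sample DNS log: "<timestamp> <client ip> query <name>".
SAMPLE_LOG = """\
2015-01-29T08:14:02Z 10.1.4.22 query premera.com
2015-01-29T08:14:05Z 10.1.4.22 query prennera.com
2015-01-29T08:15:11Z 10.1.7.90 query mail.premera.com
2015-01-29T08:16:40Z 10.1.7.90 query premera-login.com
2015-01-29T08:17:03Z 10.1.9.15 query prernera.com
2015-01-29T08:18:22Z 10.1.9.15 query anthern.com
2015-01-29T08:19:00Z 10.1.4.22 query premera.net
2015-01-29T08:20:14Z 10.1.4.22 query example.com
"""

LOG_RE = re.compile(r"^(\S+) (\S+) query (\S+)$")

# Character sequences that render almost identically in many fonts.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"),
              ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


class Finding(NamedTuple):
    client: str
    name: str
    brand: str
    reason: str


def normalize(label: str) -> str:
    """Collapse common homoglyph sequences so 'prernera' compares as 'premera'."""
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(name: str) -> tuple[str, str]:
    """Naive (sld, tld) split; real code should consult the Public Suffix List."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def classify(name: str, protected: list[str] = PROTECTED) -> tuple[str, str] | None:
    """Return (brand, reason) if `name` looks like an impersonation, else None."""
    name = name.lower().rstrip(".")
    # The brand's own domain and its subdomains are legitimate.
    if any(name == b or name.endswith("." + b) for b in protected):
        return None
    sld, _tld = registrable(name)
    for brand in protected:
        bsld, _btld = registrable(brand)
        if sld == bsld:
            return brand, "tld-swap"          # premera.net
        if normalize(sld) == normalize(bsld):
            return brand, "homoglyph"         # prernera.com, anthern.com
        limit = 2 if len(bsld) >= 6 else 1    # short brands get a tighter bound
        if levenshtein(sld, bsld) <= limit:
            return brand, "edit-distance"     # prennera.com
        if bsld in sld:
            return brand, "brand-in-label"    # premera-login.com
    return None


def scan_log(text: str) -> list[Finding]:
    """Parse log lines and return one Finding per suspicious query."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, client, name = m.groups()
        verdict = classify(name)
        if verdict:
            findings.append(Finding(client, name.lower(), *verdict))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.client:12} {f.name:22} looks like {f.brand} ({f.reason})")
```

The edit-distance bound is the knob to watch: at 2 it catches prennera.com but would also fire on unrelated short names, which is why the bound tightens for brands under six characters and why the homoglyph and substring checks run as separate, more precise reasons. Hits should feed a block list on the mail gateway and an alert on the DNS resolver rather than an automatic quarantine, since a user typo produces the same query as a phishing link.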
This last takeaway may be the hardest to implement in healthcare because cybersecurity has taken a back seat to data management and basic regulatory compliance for a long time. Security tooling and threat-sharing ecosystems have been slower to develop around healthcare-specific threats. But the notion of situational awareness is especially important in healthcare as the number and scale of attacks increase. In the context of healthcare, situational awareness involves several components:
- A complete understanding of all of the components of an organization’s information systems. These systems include hardware, endpoints, EHR applications, and the variety of external systems that connect to internal data and applications. Insurers, for example, have countless providers, third-party billing companies, patients, etc., connecting to their systems.
- Vulnerability assessment: Situational awareness also requires an understanding of where organizations might be vulnerable. Although this seems obvious, the large number of potential vectors and exploits in many healthcare settings means that organizations will need to prioritize both the vulnerabilities and their mitigation efforts.
- Relevant threat intelligence: Who is targeting healthcare now? What vulnerabilities are they exploiting? What sorts of attacks are they using? Healthcare organizations are subject to all of the same malware in the wild as their counterparts in other markets, but the value of their data means that they will be specific targets. If a vulnerability is uncovered in a particular EHR system, for example, users of that system need to know immediately and move to mitigate the threat.
- Mission awareness: Security researchers have begun talking about organizational resiliency. Attacks are going to happen and they are going to be sophisticated and severe. If your systems needed to operate at 60% capacity while you dealt with an attack, which systems are absolutely mission critical? This is cybersecurity triage and organizations need to be ready to make tough choices to protect their data.
To continue the conversation, please stop by the Fortinet booth #7678 at HIMSS15 to speak with any of our Fortinet Healthcare and Network Security experts.