Anthem Breach: Warnings, Lessons for Healthcare Organizations
Hackers are increasingly targeting organizations that house medical data — and the consequence of a breach are steep. Heres what CIOs need to know about the biggest insurance data breach and what they should be doing to protect sensitive files.
The FBI is still investigating the potential causes of yesterday’s widely reported data breach at Anthem, the nation’s second-largest health insurer. There is still no clear indication who perpetrated the attack, how they did so, or what could’ve been done to stop it, but informed sources point to a number of strong possibilities on all counts.
Investigators say that the breach of as many as 80 million customer and employee records at the company, which provides health insurance coverage to one in nine Americans, bears the hallmarks of Chinese state-sponsored hackers, and that they may have been after personal information such as Social Security numbers, as opposed to financial information like credit card numbers.
“Based on what we know now, there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised,” said Joseph R. Swedish, Anthem’s president and CEO, in a statement. Inquiries to Anthem and Mandiant, the cybersecurity vendor it contracted to help clean up the mess, were not returned in time for publication.
Industry experts say that efforts to steal data records from insurers and other healthcare providers, already an onslaught, will only get more intense in the coming year. According to Russ Branzell, president and CEO of the College of Healthcare Information Management Executives (CHIME), an association of healthcare CIOs, there are small community hospitals that are currently facing between 20,000 and 30,000 attempts a week to breach their security measures and compromise their networks.
The motivation for these attacks is primarily economic. On the black market, a pilfered credit card file can be sold for between 10 cents and 25 cents each, explains James Mapes, the Chief Security Officer at IT consultancy BestIT. But a stolen medical record, which contains more information, has a much longer life span and can be used to perpetrate a variety of frauds including identity theft, sells for anywhere between $100 and $300 a record.
This was reflected in a 2014 warning from the FBI’s Cyber Division that healthcare systems were at increased risk for cyber intrusions “due to mandatory transition from paper to electronic health records, lax cybersecurity standards, and a higher financial payout for medical records in the black market.”
The warning was prescient, as 2014 became a landmark year for health data intrusions, with healthcare organizations accounting for about 42 percent of all major data breaches reported in the U.S. last year, according to the Identity Theft Resource Center. These breaches are costing the healthcare industry as much as $5.6 billion annually, according to a 2014 estimate by the Ponemon Institute.
Historically healthcare organizations have invested less in information technology—including security technologies and services—than other industries. But faced with current realities that may be changing, as senior healthcare industry executives and board members become more attuned to the threat and demand more detailed assessments from their CSOs and CISOs. Observes Tom Walsh, a veteran health information security consultant at TW-Security of Overland Park, KS: “It’s finally to the point where information security now is a board item; who’d have thought?”
The Anthem break-in, the biggest such data breach on record, will only reinforce this awareness and holds a variety of lessons for both healthcare providers and insurers. In the wake of the breach, the reaction of healthcare IT and data security professionals from around the country is that in all likelihood it was a series of weaknesses that left Anthem vulnerable to the attack.
“Break-ins occur because of a string of bad decisions—not because of one bad decision.” observes Patrick Wilson, the Chief Information Security Officer at Contra Costa Health Services, which operates a local hospital and more than 40 school-based health clinics throughout Contra Costa County, CA.
In cases similar to Anthem, that string often begins with the decision to allow a data query to run an organization’s entire data set, Wilson says. That means information like name, social security number and personal income can all be obtained through a single query, instead of having to run multiple queries, which would attract more notice. “There’s a tendency to place too much data into a single repository,” Wilson says.
But linking data sets and requiring multiple queries gives rise to another potential vulnerability, according to BestIT’s Mapes. “If a user name or log-in is repeatedly needed to run a file, it is routinely embedded into the code,” he explains. That makes it a relatively simple matter for the hacker to obtain the ID by deconstructing the code.
For the theft to have occurred, the data must not have been unencrypted, maintains former insurance IT executive Michael Boyle, now CEO of Perseus Technical Strategies. “If the data was encrypted at rest, [Anthem] would not have had this issue at all,” he says. “If [someone] hacked into a file, they wouldn’t have been able to do anything with it unless they had the key structures and the decoding software.”
While federal regulations such as HIPPA (the federal Health Insurance Portability and Accountability Act) encourage healthcare companies to encrypt medical records, they are not required by law to do so and often don’t in order to make the records easier for employees and others to access.
Boyle, who was formerly CIO at both Aflac and Allstate Financial, says a failure to frequently update and encrypt passwords may have also contributed to the breach. “It’s easy for someone to make their way into the root structure of UNIX or .NET,” the operating system and software programming framework where the passwords are stored. “They need to make sure all that is encrypted and updated frequently,” he asserts. “I call it good hygiene.”
Unearthing a Hidden Attack
Anthem is given credit for quickly discovering the breach on its own, instead of being alerted to it by a third-party such as a bank or credit-card company, which is a more typical scenario for break-ins of this type.
“Usually, there’s a fairly large gap of time between when the breach occurs and when it’s remediated or even identified,” says CHIME’s Branzell. “The sophistication of these attacks is such that they appear to be a routine job running in the background, giving you no flag or warning that they’ve even occurred. They are not usually identified through internal security processes.”
Sari Greene, managing director at Sage Data Security, a South Portland, ME-based information security consultancy, also gives Anthem high marks for how it has thus far managed the fallout from attack. “If you look at the FAQ website (http://www.anthemfacts.com/faq) they set up, it’s going to be a case study in how to disseminate information to the public,” she says.
Like everything else associated with cyber security, even providing notifications of the breach can be complicated as there is no single standard to follow. A national organization “might be dealing with 46 notification standards across the states,” Greene notes.
Yet even the insurer’s rapid and coordinated response to the attack points to a weakness. The Anthem administrator who identified the breach was able to do so, according to Mapes, because he recognized that his password was being used to run queries that he didn’t initiate.
“For elevated-privilege accounts,” like that of an administrator, Mapes explains, “an additional and verifiable level of authentication should be added.” This, the CSO notes, makes it much easier to monitor and validate certain types of usage such as data queries.
Beyond password monitoring and additional authentication, firewalls can be useful in identifying suspicious behavior. These ubiquitous filters between a business and the global Internet are able to record all the traffic entering and leaving the corporate network, including such details as the date, time, source and destination IP address.
“The depth of the logging you can do just with your firewall is pretty significant,” Sage’s Greene says. “You can see what the communication channels are, the size of the packets, and while we may not be able to see what was in the packet, we can see who the actors are, what the time frames are.”
Viewing the data over different time frames can help detect anomalies indicative of a breach. “Very often incidents are not discrete,” Greene notes, “they are a compilation.” Taken together, event logs in various audit systems can provide indications of a compromise, she explains. “We take these discrete events, and when we add them all up, we understand that something is at risk.”
Ideally, companies should capture logging information in real-time or on a daily basis. Barring that, Greene says they should at least record and preserve the data for possible use as a trail of evidence. Unfortunately, she laments, “Many organizations don’t set their devices to capture that information.”
Companies also make the task of fraud detection more difficult by inadvertently destroying the evidence of a breach, Green says.
“Someone very well-meaning in IT may find a piece of malware and then runs all kinds of scans trying to contain and eradicate it,” she explains. But sometimes this can also destroy valuable evidence. “Knowing how to look for and preserve evidence is extremely important,” the consultant continues.
The Corporate Imperative
Ultimately, however, Greene sees data security not as an IT problem, but rather as a corporate governance responsibility. “When [incidents] like this happen,” she says, “I guarantee you it’s being discussed in the boardroom. It is at Anthem today, but that shouldn’t be the first time it’s discussed.”
Joseph Smith, who retired from his post as CIO of Arkansas Blue Cross and Blue Shield last year, says that while it’s possible a brute force attack could be the cause of the Anthem breach, most CIOs are aware that the most common vector of attack is poor data habits from associates within the company. Training employees to recognize nefarious intentions in an e-mail is a constant challenge for CIOs, as hackers become more sophisticated and associates enter and leave the company.
“It’s always unintentional or innocent, but your biggest risk is your own employees -- the easiest way to penetrate those thick walls is phishing kinds of things.”,” he says. “With Target, the hacker posed as a vendor, someone was duped innocently, and there you go.”
Smith says insurers and other organizations should work together to share the latest information on hacking attempts so industry at large can benefit from the experiences of their peers.
“You could establish some kind of clearing house, when people have events like what’s happened in Anthem and elsewhere, and expose how this was done as much as you can without jeopardizing internal security,” he explains.
And it’s better for companies to do that themselves before regulators get involved, he warns. The National Association of Insurance Commissioners recently established a cybersecurity task force for the insurance industry, and it’s possible that task force will look closely at this event and make recommendations. (A request for comment from the NAIC was not returned in time for publication.)
What Smith fears is that CIOs will move away from best practices around keeping data safe that almost always are better served working with employees to teach them to protect their sensitive
company information.
“You can require huge amounts of money to be spent for [software] and the incremental protection might not be that much more,” Smith says. “Clearly the best defense is a good offense in this case.”
In contrast to Mapes, Smith doesn’t think more encryption is necessarily the answer either, he says. The password system is well-established, and introducing second factors or biometrics into often taxed IT organizations could be more trouble than it’s worth.
No organization is immune to this kind of attack, Smith says, so if one happens, the important part is how the affected company communicates what’s happened to the exposed customers and how they will work to protect them and make them whole.
“You’ve seen the different reactions from some of the companies who have been breached. Some of them have been less than fantastic with it. Others have been very good about communicating,” he says.
Anthem will probably offer some sort of fraud protection to customers, but Smith notes that many of them may already have been involved in one of the other high-profile data breaches and be covered by that already – another case for companies to communicate with each other in the aftermath of leaks.
Investigators say that the breach of as many as 80 million customer and employee records at the company, which provides health insurance coverage to one in nine Americans, bears the hallmarks of Chinese state-sponsored hackers, and that they may have been after personal information such as Social Security numbers, as opposed to financial information like credit card numbers.
“Based on what we know now, there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised,” said Joseph R. Swedish, Anthem’s president and CEO, in a statement. Inquiries to Anthem and Mandiant, the cybersecurity vendor it contracted to help clean up the mess, were not returned in time for publication.
Industry experts say that efforts to steal data records from insurers and other healthcare providers, already an onslaught, will only get more intense in the coming year. According to Russ Branzell, president and CEO of the College of Healthcare Information Management Executives (CHIME), an association of healthcare CIOs, there are small community hospitals that are currently facing between 20,000 and 30,000 attempts a week to breach their security measures and compromise their networks.
The motivation for these attacks is primarily economic. On the black market, a pilfered credit card file can be sold for between 10 cents and 25 cents each, explains James Mapes, the Chief Security Officer at IT consultancy BestIT. But a stolen medical record, which contains more information, has a much longer life span and can be used to perpetrate a variety of frauds including identity theft, sells for anywhere between $100 and $300 a record.
This was reflected in a 2014 warning from the FBI’s Cyber Division that healthcare systems were at increased risk for cyber intrusions “due to mandatory transition from paper to electronic health records, lax cybersecurity standards, and a higher financial payout for medical records in the black market.”
The warning was prescient, as 2014 became a landmark year for health data intrusions, with healthcare organizations accounting for about 42 percent of all major data breaches reported in the U.S. last year, according to the Identity Theft Resource Center. These breaches are costing the healthcare industry as much as $5.6 billion annually, according to a 2014 estimate by the Ponemon Institute.
Historically healthcare organizations have invested less in information technology—including security technologies and services—than other industries. But faced with current realities that may be changing, as senior healthcare industry executives and board members become more attuned to the threat and demand more detailed assessments from their CSOs and CISOs. Observes Tom Walsh, a veteran health information security consultant at TW-Security of Overland Park, KS: “It’s finally to the point where information security now is a board item; who’d have thought?”
The Anthem break-in, the biggest such data breach on record, will only reinforce this awareness and holds a variety of lessons for both healthcare providers and insurers. In the wake of the breach, the reaction of healthcare IT and data security professionals from around the country is that in all likelihood it was a series of weaknesses that left Anthem vulnerable to the attack.
“Break-ins occur because of a string of bad decisions—not because of one bad decision.” observes Patrick Wilson, the Chief Information Security Officer at Contra Costa Health Services, which operates a local hospital and more than 40 school-based health clinics throughout Contra Costa County, CA.
In cases similar to Anthem, that string often begins with the decision to allow a data query to run an organization’s entire data set, Wilson says. That means information like name, social security number and personal income can all be obtained through a single query, instead of having to run multiple queries, which would attract more notice. “There’s a tendency to place too much data into a single repository,” Wilson says.
But linking data sets and requiring multiple queries gives rise to another potential vulnerability, according to BestIT’s Mapes. “If a user name or log-in is repeatedly needed to run a file, it is routinely embedded into the code,” he explains. That makes it a relatively simple matter for the hacker to obtain the ID by deconstructing the code.
For the theft to have occurred, the data must not have been unencrypted, maintains former insurance IT executive Michael Boyle, now CEO of Perseus Technical Strategies. “If the data was encrypted at rest, [Anthem] would not have had this issue at all,” he says. “If [someone] hacked into a file, they wouldn’t have been able to do anything with it unless they had the key structures and the decoding software.”
While federal regulations such as HIPPA (the federal Health Insurance Portability and Accountability Act) encourage healthcare companies to encrypt medical records, they are not required by law to do so and often don’t in order to make the records easier for employees and others to access.
Boyle, who was formerly CIO at both Aflac and Allstate Financial, says a failure to frequently update and encrypt passwords may have also contributed to the breach. “It’s easy for someone to make their way into the root structure of UNIX or .NET,” the operating system and software programming framework where the passwords are stored. “They need to make sure all that is encrypted and updated frequently,” he asserts. “I call it good hygiene.”
Unearthing a Hidden Attack
Anthem is given credit for quickly discovering the breach on its own, instead of being alerted to it by a third-party such as a bank or credit-card company, which is a more typical scenario for break-ins of this type.
“Usually, there’s a fairly large gap of time between when the breach occurs and when it’s remediated or even identified,” says CHIME’s Branzell. “The sophistication of these attacks is such that they appear to be a routine job running in the background, giving you no flag or warning that they’ve even occurred. They are not usually identified through internal security processes.”
Sari Greene, managing director at Sage Data Security, a South Portland, ME-based information security consultancy, also gives Anthem high marks for how it has thus far managed the fallout from attack. “If you look at the FAQ website (http://www.anthemfacts.com/faq) they set up, it’s going to be a case study in how to disseminate information to the public,” she says.
Like everything else associated with cyber security, even providing notifications of the breach can be complicated as there is no single standard to follow. A national organization “might be dealing with 46 notification standards across the states,” Greene notes.
Yet even the insurer’s rapid and coordinated response to the attack points to a weakness. The Anthem administrator who identified the breach was able to do so, according to Mapes, because he recognized that his password was being used to run queries that he didn’t initiate.
“For elevated-privilege accounts,” like that of an administrator, Mapes explains, “an additional and verifiable level of authentication should be added.” This, the CSO notes, makes it much easier to monitor and validate certain types of usage such as data queries.
Beyond password monitoring and additional authentication, firewalls can be useful in identifying suspicious behavior. These ubiquitous filters between a business and the global Internet are able to record all the traffic entering and leaving the corporate network, including such details as the date, time, source and destination IP address.
“The depth of the logging you can do just with your firewall is pretty significant,” Sage’s Greene says. “You can see what the communication channels are, the size of the packets, and while we may not be able to see what was in the packet, we can see who the actors are, what the time frames are.”
Viewing the data over different time frames can help detect anomalies indicative of a breach. “Very often incidents are not discrete,” Greene notes, “they are a compilation.” Taken together, event logs in various audit systems can provide indications of a compromise, she explains. “We take these discrete events, and when we add them all up, we understand that something is at risk.”
Ideally, companies should capture logging information in real-time or on a daily basis. Barring that, Greene says they should at least record and preserve the data for possible use as a trail of evidence. Unfortunately, she laments, “Many organizations don’t set their devices to capture that information.”
Companies also make the task of fraud detection more difficult by inadvertently destroying the evidence of a breach, Green says.
“Someone very well-meaning in IT may find a piece of malware and then runs all kinds of scans trying to contain and eradicate it,” she explains. But sometimes this can also destroy valuable evidence. “Knowing how to look for and preserve evidence is extremely important,” the consultant continues.
The Corporate Imperative
Ultimately, however, Greene sees data security not as an IT problem, but rather as a corporate governance responsibility. “When [incidents] like this happen,” she says, “I guarantee you it’s being discussed in the boardroom. It is at Anthem today, but that shouldn’t be the first time it’s discussed.”
Joseph Smith, who retired from his post as CIO of Arkansas Blue Cross and Blue Shield last year, says that while it’s possible a brute force attack could be the cause of the Anthem breach, most CIOs are aware that the most common vector of attack is poor data habits from associates within the company. Training employees to recognize nefarious intentions in an e-mail is a constant challenge for CIOs, as hackers become more sophisticated and associates enter and leave the company.
“It’s always unintentional or innocent, but your biggest risk is your own employees -- the easiest way to penetrate those thick walls is phishing kinds of things.”,” he says. “With Target, the hacker posed as a vendor, someone was duped innocently, and there you go.”
Smith says insurers and other organizations should work together to share the latest information on hacking attempts so industry at large can benefit from the experiences of their peers.
“You could establish some kind of clearing house, when people have events like what’s happened in Anthem and elsewhere, and expose how this was done as much as you can without jeopardizing internal security,” he explains.
And it’s better for companies to do that themselves before regulators get involved, he warns. The National Association of Insurance Commissioners recently established a cybersecurity task force for the insurance industry, and it’s possible that task force will look closely at this event and make recommendations. (A request for comment from the NAIC was not returned in time for publication.)
What Smith fears is that CIOs will move away from best practices around keeping data safe that almost always are better served working with employees to teach them to protect their sensitive
company information.
“You can require huge amounts of money to be spent for [software] and the incremental protection might not be that much more,” Smith says. “Clearly the best defense is a good offense in this case.”
In contrast to Mapes, Smith doesn’t think more encryption is necessarily the answer either, he says. The password system is well-established, and introducing second factors or biometrics into often taxed IT organizations could be more trouble than it’s worth.
No organization is immune to this kind of attack, Smith says, so if one happens, the important part is how the affected company communicates what’s happened to the exposed customers and how they will work to protect them and make them whole.
“You’ve seen the different reactions from some of the companies who have been breached. Some of them have been less than fantastic with it. Others have been very good about communicating,” he says.
Anthem will probably offer some sort of fraud protection to customers, but Smith notes that many of them may already have been involved in one of the other high-profile data breaches and be covered by that already – another case for companies to communicate with each other in the aftermath of leaks.
More for you
Loading data for hdm_tax_topic #care-team-experience...