Anthem and Premera data breaches put healthcare industry on notice

Recent headlines have put the healthcare industry in the spotlight, and have many asking if current security best practices are enough.

But this is not a new story. It’s just the latest one. Last month, health insurance provider Anthem Inc. found its name splashed across news headlines after discovering cyber hackers stole information on tens of millions of Anthem customers.

The data breach ranks among the largest in corporate history, with stolen information including customers' names, birth dates, social security numbers, street addresses, email addresses and employment details (including income).

It is yet another example of a large scale breach resulting from the inappropriate use of privileged credentials, also known as the insider credentials threat, and once again demonstrates the challenges of using traditional security solutions to detect and prevent these types of sophisticated attacks.

And just this week it was reported that another member of the healthcare industry experienced a significant breach. Premera Blue Cross has confirmed that a breach exposed the private information of up to 11 million customers including names, date of birth, email address, home address, telephone number, member identification number, bank account information, claims information and clinical information.

Premera discovered the attack on 29 January, 2015, but their investigations indicated that the initial attack occurred on 5 May, 2014.

Unfortunately, the lesson learned from these incidents is an unfair one: It only takes an attacker one successful attempt to cause significant damage, yet organisations are on the hook to try to prevent attacks 100 per cent of the time. This is simply not a feasible approach. So the real lesson here for the healthcare industry, and any other industry, is that the attack will occur and you must immediately evaluate and improve your ability to detect activity on your network that’s anomalous or suspicious.

In Anthem’s case, the company detected the breach itself, and that's not the norm. Typically a company learns about a breach from a third party. This attack was discovered when a database administrator noticed a query running under his account that he hadn't initiated. So let’s not beat up on Anthem because they did find this themselves, and that is a real credit to the training and awareness of its personnel.

However, it did take at least six weeks for the firm to discover that its security had been breached and there is no real way of knowing right now how long the infiltrators were operating on their network. Anthem calls the breach the result of a "very sophisticated external cyber attack," and relayed that law enforcement agencies are still working to identify the perpetrator.

According to information shared publicly, the attackers had legitimate credentials to the database and used them to access the data. That's an indication that we all have to carefully monitor the use of credentials. The credentials may well have been strong, and while one could argue that stronger measures such as two-factor authentication may have prevented this particular incident, it only takes an attacker one successful attempt to penetrate the network.

We don’t know much about how the Premera attack occurred at this time, but the infosec community has identified similarities between the Premera attack and the Anthem attack. The conclusion that cannot be denied at this time, however, is that the healthcare industry is a target – attacks of this type will likely continue, as will the breaches.

Healthcare organisations must ensure a balance between preventative and detection controls. If Anthem had been able to detect the anomalous queries sooner, it likely could have prevented the breach, or at least lessened the scope of the damage. This requires the ability to detect that something out of the ordinary has occurred. For example, alert when a query is initiated and running at a time when the employee whose account it runs under is not at work.

Analytics can be used to help identify deviations from a system's typical network connectivity. This is done by collecting and analysing the network flow data generated by communications across the network and between different systems and applications, including external cloud-based services, and raising real-time alerts when that activity deviates from normal or typical network behaviour.
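The two preceding paragraphs describe the same detection idea: learn what is normal for an account (when it works, where it connects from, how much data it touches) and alert on the deviation. The following is an added example, not code from the article or from Lancope, Anthem or Premera; the audit-log format, account names, hosts and row counts are all constructed for illustration. It builds a per-account baseline from a learning window of database query audit lines, then flags later queries that run at an hour the account has never been active, come from a host it has never used, or return far more rows than it ever has.

```python
"""Baseline-and-deviation detector for database query audit events.

Added example (not from the article or any of the organisations it names):
every log line, account name and host below is constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed audit-log lines: "<ISO timestamp> <account> <source host> rows=<n>".
# HISTORY is the learning window; RECENT is what we evaluate against it.
HISTORY = """
2015-01-05T09:12:00 dba_alice ws-alice.corp rows=120
2015-01-05T14:40:00 dba_alice ws-alice.corp rows=80
2015-01-06T10:03:00 dba_alice ws-alice.corp rows=200
2015-01-06T16:55:00 dba_alice ws-alice.corp rows=45
2015-01-07T11:30:00 dba_alice jump01.corp rows=60
""".strip().splitlines()

RECENT = """
2015-01-20T10:15:00 dba_alice ws-alice.corp rows=90
2015-01-21T02:47:00 dba_alice ws-alice.corp rows=500000
2015-01-21T13:05:00 dba_alice 10.99.4.17 rows=30
2015-01-22T03:10:00 svc_reports batch01.corp rows=1000
""".strip().splitlines()


def parse_event(line):
    """Split one constructed audit line into timestamp, account, host and row count."""
    ts, account, host, rows = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
        "account": account,
        "host": host,
        "rows": int(rows.split("=", 1)[1]),
    }


def build_baseline(lines):
    """Per account: hours of day seen active, hosts used, largest result set seen."""
    baseline = defaultdict(lambda: {"hours": set(), "hosts": set(), "max_rows": 0})
    for ev in map(parse_event, lines):
        b = baseline[ev["account"]]
        b["hours"].add(ev["ts"].hour)
        b["hosts"].add(ev["host"])
        b["max_rows"] = max(b["max_rows"], ev["rows"])
    return dict(baseline)


def _hour_distance(a, b):
    """Circular distance between two hours of the day, so 23 and 0 are adjacent."""
    d = abs(a - b)
    return min(d, 24 - d)


def check_event(ev, baseline, hour_slack=1, volume_factor=10):
    """Return the reasons an event deviates from its account's baseline (empty if none)."""
    b = baseline.get(ev["account"])
    if b is None:
        # An account with no learning-window history cannot be judged normal.
        return ["no-baseline"]
    reasons = []
    hour = ev["ts"].hour
    if not any(_hour_distance(hour, h) <= hour_slack for h in b["hours"]):
        reasons.append("off-hours")
    if ev["host"] not in b["hosts"]:
        reasons.append("new-host")
    if ev["rows"] > volume_factor * b["max_rows"]:
        reasons.append("row-volume")
    return reasons


def find_anomalies(lines, baseline):
    """Evaluate each audit line and return (line, reasons) for those that deviate."""
    flagged = []
    for line in lines:
        reasons = check_event(parse_event(line), baseline)
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for line, reasons in find_anomalies(RECENT, baseline):
        print(f"ALERT {', '.join(reasons):<22} {line}")
```

The thresholds (one hour of slack, ten times the largest result set) are deliberately simple; in a real deployment they would be tuned per role, and the same baseline-then-deviate structure applies unchanged to flow records keyed by source host rather than to query audit lines.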

So while it may look like an overwhelming task, I’d like to suggest a set of best practices that any size healthcare payer or provider can implement to improve its security posture:

  • Initiate a risk assessment: Start by asking several questions, and be brutally honest and self-critical with the answers:
  1. Are we able to detect inappropriate use of authorised credentials (the insider credential threat)?
  2. Can we detect the loss of a credential?
  3. What about the activities of an employee who is authorised to use credentials but may be acting maliciously?
  4. How about the employee who may be acting inappropriately, but not maliciously?
  5. How can we detect suspicious activities sooner?
  • Recognise this is not just a technology issue: A company needs to regularly train all employees and have the processes in place to help identify and remediate threats quickly.
  • Implement an asset management system: An absolute necessity, because only with an inventory of what you have can you work through the scenarios that test your ability to detect and help prevent breaches.

In today’s business environment, where employees are increasingly mobile, access information from multiple devices, and store it both inside and outside the company firewall, knowing what information you have, where it resides and how sensitive it is, is a must.

Andrew Wild, CISO at Lancope.