Following the cyberattack that affected 80 million at Anthem last week, security experts weighed in with Healthcare Dive to offer their input on what this means for the insurance industry and what other organizations can do to reduce their vulnerability.
Why healthcare records?
Healthcare records are a perfect resource for identity theft, and that makes them extremely valuable.
Carl Wright, general manager of TrapX, says healthcare records hold up to ten times more value on the black market than simple credit card numbers. "Unlike a credit card that can be quickly canceled and reissued, medical health records contain social security numbers, personal addresses, medical conditions and contact information on other family members," Wright says. "This is information that can be used to steal someone's entire identity."
According to Kevin Duggan, CEO of Camouflage Software, "At a dollar a record multiplied by a million-plus records, that's quite the payday for a thief."
It's also possible that healthcare records could be targeted for the sake of "ransoming data," suggests Tom DeSot, CIO for Digital Defense.
Other healthcare organizations could be at risk
This form of cyberattack has been seen before, as Rich Reybock, CTO of Vorstack, tells Healthcare Dive. "The malware used in this attack has been used in other attacks, so one should not assume this was isolated and targeted specifically at Anthem," he says.
Just as the whole retail sector suffers when a single firm is breached, so will healthcare—but the consequences may be greater, Reybock suggests. "The constant threat of more regulation beyond HIPAA due to continuing exposures creates added costs and increased difficulties to running a secure health organization," he says.
Another consideration is what hackers could potentially do if they had an interest other than data theft, notes Jeff Williams, CTO of Contrast Security.
"To me, the important thing is that for some period of time, hackers were in control of Anthem," Williams says. "They could have corrupted healthcare records, or deleted case history, disrupted payments, or interfered with drug prescription approvals. They could have gotten people killed."
Could Anthem's breach have been prevented?
The specific details of the investigation have not been released. However, experts certainly have their opinions, and while much of the public debate swirls around the apparent lack of data encryption, our sources advocate a variety of other forms of security.
"I'm getting tired of the 'very sophisticated' refrain every time someone gets hacked," Williams says. He suggests that companies make it sound as if their hackers' skills were extraordinary, when in fact, most cyberattacks aren't very sophisticated. "The reality is that most organizations haven't done nearly enough to ensure that their systems don't have simple, obvious vulnerabilities," he says.
What can healthcare organizations do to reduce their vulnerability?
Security strategies can take a variety of forms, and different firms present different philosophies on how to stay a step ahead of the threat.
Wright is a proponent of deception-based technology, which uses fake computers and fake data to trick hackers into believing they've accessed a corporate asset, when in reality, they've been lured far from it. "It's time for corporations and government entities to proactively deceive their adversaries by wasting the bad actors' time and resources, while at the same time significantly enhancing breach detection capabilities at an enterprise scale," he says.
Duggan says the most successful solution he sees many healthcare and insurance carriers starting to deploy is technology that renders data useless if stolen, such as data masking or anonymization. "In short, if data is stolen, masked data is useless to a thief because it is out of context with no way to utilize it outside of the environment," Duggan says. He adds that companies using data masking don't have to disclose breaches because the private data is unusable by thieves.
Here are some basic guidelines on what any data security strategy should include, according to Carl Leonard, principal security analyst for Websense.
What health organizations need to look out for:
- Suspicious behavior within their network
- Lures sent to their employees
- Data leaving their network
- Evidence of stolen data posted online
- Fraudulent claims made by their own "customers"
Actions organizations can take to reduce their vulnerability:
- Implement data theft prevention solutions.
- Examine attacks across the entire kill chain.
- Raise the security IQ within their employee base.
- Perform penetration tests on their website, their databases and their suppliers. Then act on the results to improve security.
One thing everyone seems to agree upon: if a breach does happen, companies are right to get out in front of it, and to be as proactive and honest with their customers as possible.