The recently discovered hack of Excellus Blue Cross and Blue Shield of New York, which began on Dec. 23, 2013, raises the question: how, and why, can a breach go undiscovered for so long?
Several security experts have weighed in with Healthcare Dive on how hackers stay under the radar and recommended strategies to avoid such a lengthy breach.
Fortscale CEO Idan Tendler, former commander of Unit 8200, the cyberwarfare division of the Israeli Defense Forces:
Tendler says the Excellus breach is a textbook case study in how hackers go undetected for long periods of time. He says their ability to go unnoticed and gain unauthorized access to companies' IT systems and the personal information of potentially thousands of people is a scenario that has played out in breach after breach, underscoring the need for organizations to constantly monitor their networks and be proactive in detecting and responding to suspicious user activity.
“This is very common, particularly in the high-profile breaches we’ve seen with other healthcare organizations, like Anthem and UCLA Health,” Tendler says. Log-in credentials are the main vehicle in more than 80% of these attacks, he says, and once a hacker obtains a log-in, “it’s easy for them to masquerade as a legitimate employee and slowly siphon away sensitive data.” This type of behavior is incredibly difficult to detect, and mitigating it requires advanced analytics that focus on user behavior.
Asked if a years-long breach suggests a higher level of fault on the part of the healthcare organization, Tendler says, “While these attacks are highly sophisticated, healthcare organizations definitely share in the responsibility, especially when there are tools available that address the lack of visibility into their networks.”
He expects we’ll see more evidence of old or ongoing breaches turning up as organizations start taking a better look.
“Organizations need to change their thinking about enterprise security and embrace a mindset of rapid detection and response,” he says. He recommends organizations assume there is already a threat operating within their networks and implement continuous monitoring of user access. “It’s just a matter of whether you know they’re in there or not,” he says.
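The per-user behavior analytics Tendler describes can be illustrated with a small baseline-and-deviation check. This is an added example, not code from the article or from Fortscale; the log format, the users, the dates and the cutoff are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed access-log sample: "timestamp user records_touched" (not real data).
SAMPLE_LOG = """\
2015-08-03T09:05:00 jsmith 14
2015-08-03T10:40:00 jsmith 9
2015-08-04T08:55:00 jsmith 11
2015-08-04T14:20:00 jsmith 17
2015-08-05T09:30:00 jsmith 12
2015-08-03T13:10:00 rlee 30
2015-08-04T11:45:00 rlee 26
2015-09-02T02:40:00 jsmith 15
2015-09-03T09:10:00 jsmith 480
2015-09-02T11:30:00 rlee 28
"""
# Events before this cutoff train each user's profile (assumed for the sample).
BASELINE_END = datetime(2015, 9, 1)

def parse(text):
    events = []
    for line in text.splitlines():
        ts, user, n = line.split()
        events.append((datetime.fromisoformat(ts), user, int(n)))
    return events

def build_profiles(events):
    # Per user: hours of day seen in the baseline, mean and stdev of records per access.
    hours, counts = defaultdict(set), defaultdict(list)
    for ts, user, n in events:
        if ts < BASELINE_END:
            hours[user].add(ts.hour)
            counts[user].append(n)
    return {u: (hours[u], mean(counts[u]), pstdev(counts[u])) for u in counts}

def flag_anomalies(events, profiles, z=3.0):
    # A valid log-in used at an unseen hour or for far more records than usual is suspect.
    flagged = []
    for ts, user, n in events:
        if ts < BASELINE_END or user not in profiles:
            continue
        seen_hours, mu, sigma = profiles[user]
        reasons = []
        if ts.hour not in seen_hours:
            reasons.append("unusual hour")
        if n > mu + z * max(sigma, 1.0):
            reasons.append("unusual volume")
        if reasons:
            flagged.append((ts.isoformat(), user, n, ", ".join(reasons)))
    return flagged
```

Note that a patient attacker who keeps each access within the user's normal volume will evade the second rule, which is why a deployed version also needs a rolling cumulative-volume check per user rather than a per-event threshold alone.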
Lysa Myers, security researcher at ESET:
Myers notes that part of an attacker's "job" is to be stealthy and stay under the radar for as long as possible in order to make more money. She adds that it's hard to estimate how common multi-year hacks are, given that many may not yet have been discovered. “There is a popular saying that you should plan your security as if you have already been breached,” she says. “As several high-profile breaches have been discovered while implementing improvements to organizations' security, this advice is incredibly apt and timely.”
Myers adds that while breaches slipping under the radar is understandable and common, healthcare organizations should by now be sufficiently aware and motivated to stay ahead of hackers.
“After the Anthem and Premera breaches and now the one at Excellus, it was clear that the risk of a breach to healthcare organizations is significant,” she says. “Hopefully this is motivating businesses of all sizes to take security much more seriously. And it's likely that a lot of businesses will soon uncover breaches as they upgrade their defenses.”
She notes that healthcare organizations face particular challenges in securing systems while keeping them quickly accessible, as well as in dealing with machines running outdated and unsupported operating systems.
“Healthcare organizations need to be more deliberate about planning their defenses, and this means being diligent about performing risk assessments,” she says. This should ideally be done on an ongoing basis, rather than just periodically, she says, so new assets can promptly be worked into the plans. “This can help make sure that money is spent wisely and all assets and vulnerabilities are covered adequately,” she says.
Myers’ colleague, ESET security researcher Cameron Camp, adds that when it comes to medical equipment expected to remain in service for decades, it’s a major challenge to keep the operating system and related software current. “It makes sense to create sandboxes around these environments so they have limited attack surface,” he says.
Camp shares an anecdote in which one researcher, after coordinating responsible disclosure with a health organization, started poking around the facility and was able to access numerous machines that shouldn't have been accessible. The researcher concluded they were wide open to attack because the technology had often been deployed for ease of use and accessibility rather than with security as the primary imperative.
Tim Liu, CTO of Hillstone Networks, which makes firewalls that detect malicious insiders:
Liu says hackers are harnessing numerous advanced strategies to bypass traditional security solutions, “including multi-vector attacks that exploit multiple security vulnerabilities, metamorphic and polymorphic malware that changes itself continually, and zero-day attacks that target newly discovered security flaws.”
He adds that according to the 2014 Verizon Data Breach Investigations Report, 66% of security breaches take organizations months or longer to discover.
“The longer the breach, the more damage it entails to both the customers as well as the business - from a financial as well as a reputation perspective,” he says.
The responsibility lies with the business to continuously optimize its security, he says, and businesses should be engaged in the full life cycle associated with breaches, from pre-breach security actions to post-breach mitigation and security enforcement.
Liu expects we will continue to see breaches surfacing in the coming year, and says that while it’s very hard for companies to guarantee their networks are never breached, cutting the time to detection down to hours or a day helps limit the damage hackers can cause.
“Adoption of post-breach detection coincides with risk-based security methodology that is gaining acceptance, where risky issues are identified and control and mitigation are performed in real time,” Liu says. He says this will become increasingly important as companies build bigger cloud infrastructures and face new vulnerabilities that require risk-based security and self-protection.