The recent breach at Anthem was the first significant breach in what looks to be a long year for the healthcare industry. And it will happen again, as signs point to 2015 being dubbed the year of the healthcare breach. The question is not if a breach will happen or even how to prevent a breach from happening – the question every healthcare organization should ask itself is when the next breach will occur (or whether it already has) and how to prepare for it.
The Anthem attack
How the Anthem attackers got in is still under investigation, but it seems likely that the attackers gained a foothold in the organization via malware and/or a phishing campaign targeting individuals with high-level access. Once one endpoint is compromised, that endpoint can be used to start performing reconnaissance and digging deeper into the network. Recent reports have identified a state-sponsored Chinese cyber espionage group as the culprits, and they may have entered the Anthem network as early as April 2014, nine months before Anthem discovered the intrusion.
Anthem had close to 100 million Personally Identifiable Information (PII) records stolen: name, address, email address, social security number, and date of birth. Essentially, the attackers gained access to everything except for credit card and medical information. Given that PII – to craft a false identity – can sell for around $20 on the black market, the Anthem hack could bring a hefty profit. It has definitely incurred a large price tag: the breach is estimated to cost Anthem upwards of $100 million.
What the Anthem attack means for the healthcare industry
Simply put, healthcare organizations keep and routinely access a lot of information. The challenge for healthcare organizations is to architect networks in a way that is both secure and provides availability of the data. It’s not enough to just house the data – you must be able to access it quickly. A patient’s life may depend on it.
Many healthcare organizations are still operating in flat networks with no network segmentation, which means that user systems and systems that process patient records all reside in the same space. So if a nurse’s workstation is compromised, an attacker is just one step away from getting his hands on patient records. Unfortunately, healthcare organizations are just too tempting a target.
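To make the "one step away" point concrete, here is an added example (not code from the original post or from Accudata): a small reachability model in which a compromised nurse workstation is the starting point and a policy of permitted segment-to-segment flows decides which hosts it can pivot to. The hosts, segments, ports and both policies are constructed for the illustration; the flat policy allows everything, the segmented policy allows only the flows the clinical workflow actually needs.

```python
"""Added example, not from the original post: reachability from a compromised
workstation under a flat policy versus a segmented one.

Every host, segment, port and rule below is constructed for illustration."""
from collections import deque

# Constructed inventory: host -> network segment it lives in.
HOSTS = {
    "nurse-ws-01": "users",
    "billing-ws-02": "users",
    "ehr-app-01": "clinical-apps",
    "ehr-db-01": "patient-records",
    "backup-01": "patient-records",
}

# Flat network: any segment may reach any other segment on any port.
FLAT_POLICY = {("any", "any", "any")}

# Segmented network: only the flows the workflow needs, as
# (source segment, destination segment, TCP port). Anything not listed,
# including traffic between two hosts in the same segment, is denied.
SEGMENTED_POLICY = {
    ("users", "clinical-apps", 443),             # workstations use the EHR web front end
    ("clinical-apps", "patient-records", 5432),  # only the app tier talks to the database
}

# Ports an attacker on a foothold would typically try when pivoting.
PIVOT_PORTS = (443, 5432, 3389, 445)


def flow_allowed(policy, src_host, dst_host, port):
    """True if the policy permits src_host to open a connection to dst_host:port."""
    src_seg, dst_seg = HOSTS[src_host], HOSTS[dst_host]
    return any(
        p_src in ("any", src_seg) and p_dst in ("any", dst_seg) and p_port in ("any", port)
        for p_src, p_dst, p_port in policy
    )


def reachable_hosts(policy, start, ports=PIVOT_PORTS):
    """Breadth-first search over permitted flows: every host reached is treated
    as a new foothold. Returns {host: number of pivots from start}, with the
    start host itself at 0."""
    hops = {start: 0}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for dst in HOSTS:
            if dst in hops:
                continue
            if any(flow_allowed(policy, cur, dst, port) for port in ports):
                hops[dst] = hops[cur] + 1
                queue.append(dst)
    return hops


def hops_to_patient_records(policy, start):
    """Fewest pivots from start to any host in the patient-records segment,
    or None if that segment cannot be reached at all under the policy."""
    hops = reachable_hosts(policy, start)
    distances = [h for host, h in hops.items() if HOSTS[host] == "patient-records"]
    return min(distances) if distances else None


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"{name:9s} hops to patient records: {hops_to_patient_records(policy, 'nurse-ws-01')}")
        print(f"{'':9s} reachable: {sorted(reachable_hosts(policy, 'nurse-ws-01'))}")
```

Under the flat policy the workstation reaches every other host, patient-record systems included, in a single hop. Under the segmented policy the only thing it can reach directly is the EHR application tier, and the database is two pivots away through that tier, which is exactly where monitoring and hardening effort should concentrate. The model also shows the value of an explicit inventory of which hosts hold patient data: without it, neither the policy nor the reachability question can be stated.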
The retail industry has weathered several high-profile breaches, including T.J. Maxx in 2007 (94 million records), Heartland Payment Systems in 2008 (130 million records), Target Brands, Inc. in 2013 (110 million records), and Home Depot in 2014 (109 million records). The Payment Card Industry Data Security Standards (PCI DSS) have prompted the industry to adopt deep and mature security programs to protect credit card information. While the HIPAA and HITECH acts have pushed the healthcare industry forward in terms of maturing their security programs, there is still much work to be done – the Anthem breach may be the push the federal government needs to begin more granularly regulating PII and electronic Protected Health Information (ePHI).
How to prepare
The first step is to develop a risk management program. Carry out a complete inventory of systems that have patient information, conduct a risk analysis to look at threats and vulnerabilities, and perform technical assessments against those systems to ensure there are no available avenues of attack. Second, develop an incident response plan. Do you know what to do if you are breached? Do you have a plan for dealing with a malware outbreak? A denial of service attack? What are your monitoring tools and practices like? Do you know if data is being exfiltrated out of your network? The more you have documented and the more procedurally mature your program is, the easier it will be to quickly identify, stop, and recover from a compromise. If you can detect and respond to a breach in a short amount of time, you are more likely to recover and to sustain your reputation and day-to-day business operations.
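The question "do you know if data is being exfiltrated out of your network?" only has a yes answer if something is actually checking. As an added example (not from the original post or from Accudata), the script below runs two such checks over a handful of constructed NetFlow-style records: a direct outbound connection from a host that holds patient records to a public address, which the segmentation policy should never permit, and an internal host whose outbound volume to public addresses exceeds a multiple of its baseline. The flow records, the set of patient-record hosts, the internal address ranges, the baselines and the multiplier are all constructed assumptions.

```python
"""Added example, not from the original post: two exfiltration checks over
constructed flow records. Everything below (records, inventory, baselines,
internal ranges, threshold) is constructed for illustration."""
import ipaddress
from collections import defaultdict

# Constructed flow log, one record per line:
# timestamp source destination destination_port bytes_sent
# Line 2 is the EHR app server pushing 52 MB to a public address; line 6 is a
# patient-record host talking to a public address at all, which policy forbids.
FLOW_LOG = """\
2015-02-01T02:00:01 10.10.20.15 10.10.30.5 5432 18000
2015-02-01T02:00:05 10.10.20.15 203.0.113.40 443 52000000
2015-02-01T02:01:10 10.10.10.7 198.51.100.9 443 1400000
2015-02-01T02:02:00 10.10.10.7 198.51.100.9 443 1600000
2015-02-01T02:03:00 10.10.30.5 10.10.20.15 5432 4000
2015-02-01T02:04:00 10.10.30.5 203.0.113.40 443 1200
"""

# Constructed inventory: internal addresses that hold patient records.
PATIENT_RECORD_HOSTS = {"10.10.30.5"}

# Internal ranges are listed explicitly rather than inferred: a monitoring rule
# should know its own address plan. (These are the RFC 1918 private ranges.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed baseline: normal outbound bytes per window to public addresses,
# per host, with a default for hosts that have no measured baseline yet.
BASELINE_BYTES = defaultdict(lambda: 1_000_000, {"10.10.20.15": 5_000_000})
BASELINE_MULTIPLIER = 5  # alert when a host exceeds 5x its baseline


def parse_flows(text):
    """Parse the whitespace-separated flow records into dicts."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, port, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return flows


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def outbound_totals(flows):
    """Bytes each internal source sent to public addresses across the window."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[f["src"]] += f["bytes"]
    return dict(totals)


def detect_exfiltration(flows):
    """Return a list of alert dicts. Two rules:
    records-host-direct-egress: a patient-record host reached a public address.
    volume-anomaly: a host's outbound volume exceeded MULTIPLIER x its baseline."""
    alerts = []
    for f in flows:
        if is_internal(f["dst"]):
            continue  # internal-to-internal traffic is out of scope for these checks
        if f["src"] in PATIENT_RECORD_HOSTS:
            alerts.append({"rule": "records-host-direct-egress", "src": f["src"],
                           "dst": f["dst"], "bytes": f["bytes"], "ts": f["ts"]})
    for src, total in outbound_totals(flows).items():
        limit = BASELINE_MULTIPLIER * BASELINE_BYTES[src]
        if total > limit:
            alerts.append({"rule": "volume-anomaly", "src": src, "bytes": total, "limit": limit})
    return alerts


if __name__ == "__main__":
    for alert in detect_exfiltration(parse_flows(FLOW_LOG)):
        print(alert)
```

The first rule needs no baseline at all; it is a direct consequence of the segmentation policy, and any hit is worth an incident ticket. The second rule depends on having measured what normal looks like, which is why the inventory and risk analysis come first: a host with no baseline gets a default that will either be too loose or too noisy until it is tuned.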
To learn more about Accudata’s risk assessment services, including HIPAA Gap Assessments, penetration testing, and comprehensive risk assessments, contact Brian DiPaolo, Assessment & Compliance Practice Director, at firstname.lastname@example.org.
Ismael Alfaro | Consultant