The security breach that we feared has finally occurred. The second-largest healthcare provider, Anthem Inc., was breached, exposing as many as 80 million healthcare records to cyber offenders. This event is likely to be the largest healthcare breach to date.
Frost & Sullivan’s recent webinar, “Top Trends for 2015: Healthcare is Headed Down a New Road with New Rules,” predicted that “in 2015 a major security breach on the scale of high-profile attacks that impacted Sony and Target will be incurred by a national healthcare network.” Unfortunately, this is now a reality.
Why is healthcare such a target? Frankly, cyber miscreants love healthcare. Healthcare is like fine dining for those who sell such information on the black market. There are three primary factors:
- Quantity of information—Think of the 15 pages of forms that get filled out when visiting a doctor. No other vertical has that quantity of data.
- Value of information—Not only is there a lot of data, but it is the best stuff: Social Security numbers, payment information, bank accounts, addresses and troves of personally identifiable information (PII).
- Timeliness—Our medical and financial information is guaranteed to be updated at least annually during the traditional open enrollment period with employers. Additionally, healthcare information is updated with every physician’s visit. No other vertical updates client data with such frequency.
As the criminal element turns its attention to healthcare, governments are encouraging the transition from paper records to electronic medical records (EMR). As part of converting to electronic databases by 2016, the Centers for Medicare & Medicaid Services have set various standards promoting meaningful and accurate use of healthcare information captured by the various healthcare IT platforms in the United States. Similarly, European Union member states have adopted eHealth as part of their national strategies, as indicated by the €22 million European Patient Smart Open Services project (epSOS) among 12 member states.
The stakes are high for healthcare providers to protect these records. Even setting aside the costs of remediating a breach and the impact on a brand, a breach can result in severe penalties. The HIPAA Omnibus Rule of 2013 changed attitudes toward healthcare record-keeping. Until the 2013 revision of the rules, the most an entity could be fined for security breaches was $25,000 in a calendar year. The US Department of Health and Human Services (HHS) has the authority to levy fines based upon breaches, and the penalties are now significantly more punitive (see Exhibit 1 below).
Exhibit 1: Categories of Violations and Respective Penalty Amounts Available
| Violation Category (Section 1176(a)(1)) | Each Violation | All such violations of an identical provision in a calendar year |
|---|---|---|
| (A) Did Not Know | $100–$50,000 | $1,500,000 |
| (B) Reasonable Cause | $1,000–$50,000 | $1,500,000 |
| (C)(i) Willful Neglect (Corrected) | $10,000–$50,000 | $1,500,000 |
| (D)(ii) Willful Neglect (Not Corrected) | $50,000 | $1,500,000 |
Source: Omnibus Final Rule, Federal Register Vol. 78, No. 17, Department of Health and Human Services, and Frost & Sullivan
Language in Health Information Technology for Economic and Clinical Health (HITECH) suggests that larger healthcare providers like Cigna and Blue Cross assume indemnity for data and patient records coming from their subcontractors. Consequently, the large healthcare providers have the right to audit their subcontractors, which includes smaller practices like radiologists and ultrasound technicians.
The adversary in this fight is not to be taken lightly. Anthem’s CEO Joseph Swedish stated that the health insurer was the “target of a very sophisticated external cyber attack.” Mandiant, the incident response firm retained by Anthem Inc., stated that the breach was a “sophisticated” cyber attack using custom backdoors, a key indicator of an “advanced attack.” These advanced attacks reflect lessons that malicious actors have learned from nation-state cyber attacks such as GhostNet and Stuxnet, and they can be characterized as follows:
- Utilizes advanced “zero-day” malware, meaning malware that has never before been seen by a security professional
- Evades the signature-based detection techniques used in traditional anti-virus software
- Targets or focuses on specific individuals or organizations
- Aims to achieve a monetary or intellectual property gain, being run like a business with a return on investment (ROI) objective
- Looks to penetrate and persist in an environment (network or endpoint)
As details are revealed, the industry will continue to learn more. Initial reports suggest that Anthem should be applauded for the way it is handling the breach. Anthem detected the attack itself through intense “deep listening” to network activity, responded aggressively and reported the breach proactively.
Anthem is acting as a responsible entity should, being preemptive rather than reactive. Clearly, Anthem did not plan to be breached; however, it had a plan for how to react if it was, responding proactively to limit “the blast radius” and notifying the appropriate entities so they could do the same.
Details of the breach will be released over the coming days, weeks and months. Many lessons will be gleaned from this misfortune, to great benefit. In the interim, two significant lessons present themselves.
Respect thy enemy. The adversary being faced is not some random teenager, fueled by chocolate doughnuts and energy drinks and looking to make a name for himself. The criminal element is intelligent, educated, sophisticated and organized. Remember the words of the Anthem CEO: they were the “target of a very sophisticated external cyber attack.” If Anthem can be breached, your organization can be as well. Thus, confront thy cyber enemy with the respect it deserves.
Have a plan. No one plans to be breached, but everyone needs a meticulous plan in place for how to respond to a breach. Anthem did not plan to be breached; however, it had a plan prepared for how to react if it was. Anthem’s execution in the wake of the breach is to be commended, minimizing the blast radius and non-verbally communicating organizational competence in handling the situation. Should your organization be breached, would your execution be as proactive and as measured as Anthem’s? It is an important question to ask.
This article was written with contribution from Frank Dickson, Research Manager, Information and Network Security with Frost & Sullivan’s global Information & Communication Technologies practice.