Lessons from a massive attack


Lessons from a massive attack

In early February US health insurer Anthem announced that it has been the victim of a huge hacking attack, with possibly millions of people’s personal information compromised. What lessons can healthcare risk managers take from this breach? HRMR investigates.

The extensive hacking of health insurer Anthem earlier this month highlighted just how vulnerable healthcare providers are to cyber attacks. HIPAA has already made sure that data security is never far from risk managers’ minds, but the Anthem crisis is a reminder that patients’ medical records are hugely attractive to hackers, who can sell the information for significant amounts of money.

Over the past few years data breach and identity protection solutions provider CSID has seen a huge increase in the number of breaches involving medical identities—and it says this is largely driven by the value of a medical identity.

According to the World Privacy Forum, a medical identity, including name, address, social security and health ID numbers—all information that was a part of Anthem’s breach—can sell for around $50 on the online black market. By comparison, a social security number currently sells for $1 and an active credit card can sell for $3.

“Medical identity theft is a lucrative source of income for identity thieves and unfortunately, the Anthem breach comes not as a surprise, but rather a confirmation of the continuing expansion of online attacks and growing focus on medical IDs,” said CSID in a statement.

A growing threat

Gregory Fliszar, a member of law firm Cozen O’Connor, agrees.

“Until recently, the majority of breaches in the healthcare industry were due to lost or stolen laptops and other personal electronic devices,” he says. “It is now clear that the healthcare industry is a prime target of hackers and other cybercriminals.”

He says that the Anthem hacking, combined with the Community Health Systems breach announced in August 2014, where hackers were able to get data on about 4.5 million patients, demonstrates that the healthcare industry is indeed a major focus of cybercriminals.  

“A complete health record is worth at least 10 times more than credit card information on the black market as health records often include a treasure trove of personal information that can be used for identity theft and to file false health insurance claims,” Fliszar says.

The precise number of people affected by the Anthem breach is yet to be announced, but the data taken is believed to include names, birthdays, social security numbers, street addresses, email addresses and employment information, and there has been speculation that the number of people affected runs to 80 million.

“This incident has barely even started,” says Brian Lapidus, managing director for Kroll and leader of the Identity Theft and Breach Notification practice. “Anthem has yet to announce whether the breach population is the full 80 million, or whether the population has shrunk due to the findings of the forensic investigation.

“While there has been much speculation in the media only a small amount has been confirmed yet by Anthem. It’s likely that in the coming days there will be much more information provided so that a robust ‘lessons learned’ can be truly developed.”

Quelling the panic

One lesson is already clear, however: Lapidus says healthcare entities across the country should take note of the rampant speculation that has occurred in such a short time since the pre-notification. Anthem currently faces a paradox: on the one hand there is the impending wrath of consumers and regulatory agencies if they fail to notify in a timely manner, yet if they do not have details because of an ongoing investigation, it results in the rumors, speculation and scams that have emerged as the nation waits further word from Anthem.

These include media outlets reporting the 80 million people impacted as fact (“The largest healthcare breach in history”) when the forensic investigation hasn’t even been completed; the filing of the first class action lawsuits, even though it is not yet confirmed who was actually affected; pressure from state attorneys general asking for further clarification and remediation details; and general concern among consumers.

“With the 80 million population floating around, people are making assumptions about their status as part of the event,” he says. “To quell the panic, some security experts and even state agencies have suggested consumers file credit freezes (at their own expense) to protect themselves. This is probably an unnecessary step until a consumer knows with certainty that he or she was affected; however, keeping an eye on credit reports, monthly bank statements, applications for credit that one did not initiate, and general best practice identity management steps would not be a bad idea.”

The state of play

The Anthem hacking raises the question of how well protected patient data actually is within the US healthcare system. The healthcare industry is broad in scope, ranging from small physician offices to large health systems and health insurers, so the security protections across healthcare organizations are likely to vary, says Fliszar. 

“However, in general, cybersecurity protections currently in place in the healthcare industry tend to lag behind those in the banking and financial sector, which makes the information vulnerable to cyberattacks by criminals who view the information as ‘low hanging fruit’.”

Lapidus says that the level of protection varies from organization to organization, but that most healthcare organizations do take data privacy and security very seriously, and with good reason.

“According to Kroll’s data based on cases we worked in 2014, 49 percent of our data breach clients were in the healthcare industry. Further, a third of those breaches were caused by malicious hacks, while 53 percent were due to unauthorized access, both accidental and intentional,” he says.

He adds that it is important never to fall into a false sense of security, even if you believe your organization is well protected.

“Healthcare has always been a target for malicious actors, because of the rich data that it holds. For this reason, a healthcare entity has to be ready to respond to a data breach, regardless of its security posture. It is an unfortunate fact that you can do everything right in terms of data security, and still have a data breach.”

Mitigating the risk

How can healthcare organizations be better protected against cyber risks? Fliszar shares Lapidus’ view that a watchful, defensive posture needs to be maintained at all times.

“All organizations handling health information must be proactive in regard to data security to make sure they are doing enough to adequately protect the health information maintained on their IT systems and elsewhere in their organization,” he says.

“This includes, at a minimum, conducting thorough risk assessments and appropriately updating the same, implementing and updating robust HIPAA and data security policies and procedures including the use of encryption, and conducting ongoing training and awareness programs with all management and staff.  Moreover, emphasis should be placed on the risks, use and safeguards of portable electronic devices, which are frequently at the center of a data breach.”

Lapidus recommends reviewing your organization’s incident response plan and making sure you have vendors in place to provide needed services such as forensic investigation, mailing of notification letters, call center assistance, and providing consumer remediation services.

It is wise to review your communications plan to align with timely breach notification to reduce the type of panic and speculation that we’ve seen in the wake of this particular breach.

“Every breach has an impact on employee information, so be prepared to respond to internal employee concerns,” he adds. “This is somewhat different from your customer communications plan and the company should consider the fact that employees will have different questions or concerns.

“You should also review your contracts with your business associates to understand who is required to provide notification under the terms of the contract. This has come up with the Anthem breach as many companies contracted with Anthem to provide benefits are wondering if they should be sending notices.”

The bottom line is that failure to have adequate cybersecurity programs in place can have a hugely detrimental effect on any organization that experiences a data breach. 

“In addition to taking a hit to its reputation and the costs of breach notification, an organization that has a breach of patient information can be subject to government investigations, penalties and corrective action plans as well as private lawsuits,” says Fliszar.

This ever-evolving risk is clearly not one to take lightly.  

Anthem, Insurance, Risk Management, US, HIPAA, IT and Data Security, CSID