The cyberattack on Anthem, one of the nation’s largest health insurers, points to the vulnerability of health care companies, which security specialists say are behind other industries in protecting sensitive personal information.
Experts said the information was vulnerable because Anthem did not take steps, such as encrypting the data stored in its own computers, to protect it the way it protected medical information that was sent or shared outside of the database.
The hackers gained access to up to 80 million records that included Social Security numbers, birthdays, addresses, email and employment information and income data for customers and employees, including its own chief executive.
Anthem officials say they do not know who is behind the attack, but several security consultants have noted that in the past Chinese hackers have shown an interest in going after health care companies. A securities industry consultant who requested anonymity because the investigation was continuing said there were suspicions the hackers might have been working with the backing of a foreign government, or with people with ties to a foreign government.
The hackers are thought to have infiltrated Anthem’s networks by using a sophisticated malicious software program that gave them access to the login credential of an Anthem employee.
“This is one of the worst breaches I have ever seen,” said Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse, a nonprofit consumer education and advocacy group. “These people knew what they were doing and recognized there was a treasure trove here, and I think they are going to use it to engage in very sophisticated kinds of identity theft.”
Anthem officials became aware of the breach when one of their senior administrators noticed someone was using his identity to request information from the database. The request — or query — by the hackers appears so far to have been for financial information only. Anthem officials say that medical information in insurance claims shared with doctors and hospitals — like whether a customer was treated for substance abuse, for example — does not appear to have been taken in the attack.
“We’re positive that the rogue query did not have medical data in it,” said Thomas Miller, Anthem’s chief information officer. The people who gained access to the database “consciously selected what they selected.”
The insurer, along with federal investigators and security experts from FireEye’s Mandiant division, is now trying to determine whether there were other requests that it did not detect, a process that could take several more weeks.
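As an added illustration, not code from the article or from Anthem: a small database audit-log check of the kind that could surface the misuse described above, where an administrator’s identity is used for an unusual, bulk query. The log line format, the per-account baseline and the sample lines are all constructed assumptions.

```python
"""Flag queries run under privileged accounts that look unlike that account's
normal use (unfamiliar host, bulk result set, off-hours). Constructed example."""
import re
from datetime import datetime

# Assumed audit-log line format, e.g.
#   2015-01-27T02:14:09 user=dbadmin src=10.0.5.77 rows=1200000 stmt=SELECT ...
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) rows=(?P<rows>\d+) stmt=(?P<stmt>.*)$"
)

# Assumed baseline per privileged account: usual client hosts and usual row volume.
BASELINE = {
    "dbadmin": {"hosts": {"10.0.5.10", "10.0.5.11"}, "max_rows": 50_000},
}
BUSINESS_HOURS = range(7, 20)  # 07:00 to 19:59 local time (assumption)

def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["rows"] = int(rec["rows"])
    return rec

def flag_reasons(rec):
    """Return the reasons a record is anomalous for its account (empty if none)."""
    base = BASELINE.get(rec["user"])
    if base is None:
        return []  # not a privileged account: outside the scope of this check
    reasons = []
    if rec["src"] not in base["hosts"]:
        reasons.append("unfamiliar source host")
    if rec["rows"] > base["max_rows"]:
        reasons.append("bulk result set")
    if rec["ts"].hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    return reasons

def scan(lines):
    """Return (user, src, reasons) for every privileged query with a reason."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = flag_reasons(rec)
        if reasons:
            alerts.append((rec["user"], rec["src"], reasons))
    return alerts

SAMPLE_LOG = [  # constructed sample lines: one normal admin query, one rogue bulk pull, one app query
    "2015-01-26T10:02:11 user=dbadmin src=10.0.5.10 rows=120 stmt=SELECT ...",
    "2015-01-27T02:14:09 user=dbadmin src=10.0.5.77 rows=1200000 stmt=SELECT ...",
    "2015-01-27T11:30:00 user=claims_app src=10.0.9.2 rows=800000 stmt=SELECT ...",
]

if __name__ == "__main__":
    for user, src, reasons in scan(SAMPLE_LOG):
        print(f"ALERT {user}@{src}: {', '.join(reasons)}")
```

A real deployment would derive the baseline from historical logs per account rather than hard-coding it, and would feed alerts into the same review that caught the rogue query here.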
Mr. Miller said Anthem and other health care companies had become increasingly aware of the criminal value of the information they have, in light of the large cyberattacks against financial service companies like JPMorgan Chase or retailers like Target.
“People have known for a long time financial information has its security needs,” he said. Anthem, he said, had doubled its investment in this area over the last four years and was actively considering encrypting its internal database as well as taking other steps to improve its security.
Anthem operates health plans under numerous brands, including Anthem Blue Cross, Anthem Blue Cross/Blue Shield, Blue Cross and Blue Shield of Georgia and Empire Blue Cross Blue Shield.
While experts like Mr. Stephens said the hackers might not have been particularly interested in the medical information available in Anthem’s database, the company’s decision to make the breach public quickly means that it is early in the investigation into exactly what happened and what information may have been compromised. “You can spend months doing the forensics,” said Fred Cate, a law professor and cybersecurity expert at Indiana University.
While he praised Anthem for taking the “unusual and quite laudable step in coming forward quite quickly,” he cautioned that company officials might not know the scope of the attack at this point.
Still, Mr. Cate said the medical information was not likely to result in the public unveiling of sensitive medical information, unlike smaller attacks aimed at finding something embarrassing or derogatory about an executive or celebrity. “As a general matter, huge breaches often result in less harm than targeted breaches,” he said. “The notion that someone’s poring over this data is highly unlikely.”
The decision by Anthem to bring in the Federal Bureau of Investigation and go public with the breach is the kind of move that law enforcement officials have been encouraging for the last several months. F.B.I. officials have appeared at a number of industry conferences urging corporate executives to promptly report breaches and, when possible, share information about the breach with competitors.
But experts say health organizations like Anthem are likely to be vulnerable targets because they have been slower to adopt measures like keeping personal information in separate databases that can be closed off in an attack. They “are generally less secure than financial service companies who have the same type of customer data,” said Avivah Litan, an analyst for Gartner who specializes in cybersecurity.
Last summer’s attack on JPMorgan Chase, for example, compromised the personal information of 83 million households and small businesses, but the breach was limited to nonfinancial information like addresses and phone numbers because the bank’s more sensitive information was walled off in a way the hackers could not penetrate.
Anthem’s fundamental mistake was to assume that information within its database was secure, said John Kindervag, an analyst with Forrester Research, and thus not apply the same protective standards the company uses when sending data to a doctor’s office. “All cybercrime is an inside job,” he said, because the criminals are able to penetrate a database from the outside and act as an insider in gaining access to data, which is what occurred in the Anthem breach.
Current federal privacy regulations, and the industry standard, call for encrypting information that is being sent from the database. Health insurance companies frequently share information with doctors, hospitals and others. In fact, the sharing of medical records is encouraged by the federal government.
While the health industry has not previously experienced the large-scale breaches that have plagued retailers like Target and Home Depot, there have been smaller attacks. Statistics maintained by the federal government’s Office for Civil Rights at the Department of Human Services say there have been 740 major health care breaches affecting 29 million people over the last five years.
Katherine Keefe, global focus group leader for breach response services at Beazley, which underwrites cyberliability policies, said health care companies were attractive targets to hackers because of the wealth of sensitive personal information they maintained in their networks. She said the information that health providers maintain about consumers tended to be more valuable on the black market than the credit card information that is often stolen from a retailer.
She said the combination of Social Security information and medical histories was a valuable commodity to criminals. The combination is enough for some of Anthem’s customers to become victims of identity theft or email phishing schemes in which criminals try to trick unsuspecting people into providing their credit card information.
Stolen medical information could also be used to make false insurance claims.
“The value to a criminal of having a full set of medical information on a person can go for $40 to $50 on the street. By contrast, a credit card number is often worth $4 or $5,” Ms. Keefe said.
(c) 2015 The New York Times Company
- 9 Feb, 2015