Anthem Hack is Healthcare’s Wake Up Call

Register now

When the country’s second-largest health insurance company is hacked leaving the personal information of 80 million people vulnerable to identity theft, it’s a watershed moment that cannot be ignored. There is no doubt that this data breach is a wake-up call for a healthcare industry that is lacking when it comes to information security.

As Lynne Dunbrack, research vice president at IDC Health Insights, observes, healthcare organizations today are “at greater risk of a cyberattack than ever before, in part because electronic health information is more widely available today than in the nearly 20 years since the Health Insurance Portability and Accountability Act was passed.” However, no one should be surprised that cybercriminals view the healthcare industry in general as a soft target.

Last year, the FBI’s Cyber Division warned industry that healthcare systems were at risk for increased cyber intrusions “due to mandatory transition from paper to electronic health records, lax cybersecurity standards, and a higher financial payout for medical records in the black market.” Yet, the concerns of law enforcement that the healthcare industry was not as resilient to cyber intrusions compared to the financial and retail sectors went unheeded.

In fact, when it comes to health data breaches, 2014 was a milestone year with healthcare organizations accounting for about 42 percent of all major data breaches reported last year, according to the Identity Theft Resource Center. In August, Franklin, Tenn.-based Community Health Systems—with 206 hospitals in 29 states—reported that it had been hacked with protected health information covering 4.5 million patients compromised by Chinese hackers. But, that number pales in comparison to the 80 million people affected by the Anthem hacking, which investigators say also points to hackers operating in China.

According to Philip Casesa, director of IT/Service Operations at the International Information System Security Certification Consortium, identity attacks such as the one on Anthem have a longer lasting and more devastating impact than credit card breaches which are quickly mitigated by issuing a new card and account number. “The disclosure of Social Security numbers and other data points such as income, employment status and birth dates allow attackers to sell this information to other criminal operations,” says Casesa. “Other potential issues with identity breaches involve the ability for the hackers to commit massive fraud themselves by creating accounts with credit card companies or other financial institutions, causing the victim to cope with the fallout from such a violation for an extended period of time.”

Looking for Causes

While the exact details on how hackers penetrated Anthem’s networks remain murky in this early stage of forensics, what is known is that this was an external attack, according to Ian Amit, vice president of cybersecurity vendor ZeroFOX.

“Beyond deflecting potential criticism on insider participation, it's highly likely that such an attack involved a hybrid approach vector—targeting both technical weaknesses in the Anthem infrastructure, as well as weaknesses in employee awareness and processes," argues Amit. “Successfully breaching an organization of this size isn't about finding some vulnerability on a web server, but about having an opportunity to breach several layers of controls, again, most likely by coercing someone to act in an insecure manner.”

To Anthem’s credit, the company immediately reported the breach to authorities and informed their customers. Adam Meyer, chief security strategist at SurfWatch Labs and former CISO at the Washington Metropolitan Area Transit Authority, says Anthem discovered the attack when a database administrator noticed unauthorized queries running with admin credentials. “Data exfiltration was performed through an external web storage provider commonly used by U.S. companies, which suggests a service such as Google Cloud, Microsoft One Drive, or Dropbox was utilized to reduce chances of detection,” asserts Meyer.

Regardless, the fact remains that healthcare organizations have historically invested less in information technology—including security technologies and services—than other industries. This aversion to investment in information security has its own price, though. Breaches are costing the healthcare industry as much as $5.6 billion annually, according to a 2014 estimate by the Ponemon Institute.

That figure is only expected to grow this year as the healthcare industry continues to be a vulnerable and attractive target for cybercriminals. Given the expanding number of access points to protected health information and other sensitive data via electronic health records and the growing popularity of wearable technology, Experian’s recently released annual Data Breach Industry Forecast predicts that healthcare will continue to be plagued with data breaches in 2015.

The prediction seems to have come true in spades with the Anthem disaster—potentially exposing the personal information of tens of millions of Americans—making it the largest healthcare breach in our country’s history. But, will the healthcare industry respond to the Anthem hacking incident in the same way that 9/11 jolted America to bolster homeland security? Only time will tell. Hopefully, it will not take an “electronic Pearl Harbor” for healthcare organizations to respond to this call to action to focus more time and resources on hardening their systems against these kinds of attacks.   

For reprint and licensing requests for this article, click here.