In announcing its information network had been hacked and protected health information for 10 million individuals may have been compromised, Excellus Blue Cross BlueShield used a familiar phrase in its notice.

The company said it “learned that cyber attackers had executed a sophisticated attack to gain unauthorized access to our information technology systems.” The pertinent words here are “learned” and “sophisticated,” and other hacked organizations have used the same terms.

“Learned” has generally meant that a law enforcement agency—usually local police or the FBI—discovered the hack while investigating other cyber attacks and notified the organization, which had not found the attack on its own. “Sophisticated” signals that the attack was carried out by professional hackers who knew what they were doing, and was not something that could easily have been found.

It is not clear whether Excellus discovered the hacking of its network on its own or was notified by an outside organization; the insurer has not responded to a request for additional information. Dave Damato, chief security officer at data network platform vendor Tanium, who also served as the lead investigator of the Anthem hack, says there are a number of ways an organization could learn of a hack, including hiring outside investigators to perform a breach indicator assessment of its networks.


Asked why, after a year of major cyber attacks, so many organizations still aren’t discovering that they were hacked, Damato notes that health information technology defenses until recently were not designed for these advanced types of attacks, so the industry is playing catch-up. Further, the malware initially installed in a network, which may sit unnoticed for an extended period, often is not detectable by the organization. Now the industry must develop strategies to increase the dedication of security resources to counter nation-states and criminals.

What is required, Damato adds, are tools that allow an organization to customize alerting on anomalies in its network, such as misuse of network accounts. Other tools can track various types of network traffic, the movement of certain data types, the behavior of user accounts and other network activity.
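To make the account-misuse alerting described above concrete, here is an added example (not Tanium’s, Excellus’s or any vendor’s code) that runs three simple anomaly rules over a handful of constructed authentication log lines: a logon outside an account’s business hours, a service account used for an interactive logon, and one account reaching an unusual number of distinct hosts within a short window, a common lateral-movement signal. The key=value log format, the account names, the hosts, the business-hours range and the thresholds are all assumptions chosen for the example.

```python
"""Minimal custom anomaly alerting over authentication events.

Added example, not code from the article or from any vendor it mentions.
The log format, accounts, hosts and thresholds below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simple 'timestamp key=value ...' format.
# A real deployment would feed Windows 4624 events, syslog auth or VPN logs.
SAMPLE_LOG = """\
2015-09-09T09:02:11 user=alice src=10.1.20.5 host=wks-alice result=success
2015-09-09T09:15:40 user=bob src=10.1.20.9 host=wks-bob result=success
2015-09-09T10:01:03 user=svc_backup src=10.1.5.2 host=fs-01 result=success type=service
2015-09-09T23:41:17 user=alice src=10.1.20.5 host=wks-alice result=success
2015-09-10T02:13:44 user=bob src=10.1.30.7 host=srv-db01 result=success
2015-09-10T02:14:02 user=bob src=10.1.30.7 host=srv-db02 result=success
2015-09-10T02:14:30 user=bob src=10.1.30.7 host=srv-file01 result=success
2015-09-10T02:15:05 user=bob src=10.1.30.7 host=srv-hr01 result=success
2015-09-10T02:15:41 user=bob src=10.1.30.7 host=srv-claims01 result=success
2015-09-10T02:16:12 user=bob src=10.1.30.7 host=srv-claims02 result=success
2015-09-10T03:05:10 user=svc_backup src=10.1.30.7 host=srv-db01 result=success type=interactive
"""

BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local; an assumed baseline
MAX_HOSTS_PER_WINDOW = 5        # distinct hosts one account may touch per window
WINDOW = timedelta(minutes=10)  # sliding window for the host fan-out rule


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime."""
    ts, *fields = line.split()
    event = {k: v for k, v in (f.split("=", 1) for f in fields)}
    event["ts"] = datetime.fromisoformat(ts)
    return event


def parse_log(text):
    """Parse every non-empty line of the log text."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_anomalies(events):
    """Return a list of (rule, user, detail) alerts for successful logons.

    Rules (thresholds are assumptions for this example):
      off_hours_login      logon outside BUSINESS_HOURS, once per user per day
      service_interactive  an svc_ account used for an interactive logon
      host_fan_out         one account on more than MAX_HOSTS_PER_WINDOW
                           distinct hosts within WINDOW, reported once per user
    """
    alerts = []
    seen = set()

    def emit(rule, user, key, detail):
        # Deduplicate on (rule, user, key) so a burst does not page repeatedly.
        if (rule, user, key) not in seen:
            seen.add((rule, user, key))
            alerts.append((rule, user, detail))

    by_user = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e.get("result") != "success":
            continue
        user, host, ts = e["user"], e["host"], e["ts"]
        by_user[user].append(e)
        if ts.hour not in BUSINESS_HOURS:
            emit("off_hours_login", user, ts.date(), f"{ts.isoformat()} on {host}")
        if user.startswith("svc_") and e.get("type") == "interactive":
            emit("service_interactive", user, host, f"interactive logon to {host}")

    for user, evs in by_user.items():
        # Sliding window over this account's successful logons, in time order.
        for i, first in enumerate(evs):
            hosts = {x["host"] for x in evs[i:] if x["ts"] - first["ts"] <= WINDOW}
            if len(hosts) > MAX_HOSTS_PER_WINDOW:
                emit("host_fan_out", user, None,
                     f"{len(hosts)} hosts within {WINDOW} from {first['ts'].isoformat()}")
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(f"ALERT {rule:20} {user:12} {detail}")
```

On the constructed sample, alice’s single late-evening logon produces one off-hours alert, bob trips both the off-hours rule and the host fan-out rule by touching six servers in under three minutes at 2 a.m., and the svc_backup account is flagged for an interactive logon it should never perform. The value of such rules lies in the per-account baseline (hours, hosts, logon type) that the thresholds encode; without that baseline, the same activity is indistinguishable from routine administration.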

An indicator of the cyber attack problem starting to be solved will come when organizations announce hacks that didn’t start months or years ago—that they found the attack quickly—which really hasn’t happened yet, Damato says. “Until then, we’ll continue to see more organizations experience similar news.”

That said, the healthcare industry is definitely more aware of the cyber threat than it was a year ago, Damato adds. “Despite that awareness, it will take some time to shift strategies to prevent such attacks.” There are also successes in the trenches: attacks found and stopped before significant damage is done, because of proactive efforts often supported by professional security firms. Still, the battle remains one-sided for now. “An organization has to defend hundreds or thousands of endpoints while an attack only needs to find one way in.”
