Breach Response , Data Breach , Governance

Why Are Health Insurers Hacker Targets?

'Treasure Trove' of Personal Information Has High Appeal
Why Are Health Insurers Hacker Targets?

The massive cyber-attacks targeting health insurers Premera Blue Cross and Anthem Inc. make it clear that hackers increasingly view large healthcare organizations, especially payers, as attractive targets.

See Also: Moving from Vulnerability Management to Effective Vulnerability Response

"What makes Premera and Anthem high-visibility targets is the volume of personal data they have," privacy and security expert Kate Borten, founder of the consulting firm The Marblehead Group, tells Information Security Media Group. "Of course, every healthcare organization should be concerned, but smaller organizations are probably less visible targets."

Daniel Nutkis, CEO of the Healthcare Information Trust Alliance, testified during a March 18 U.S. House subcommittee hearing on cyberthreats: "Any healthcare organization is a treasure trove of personally identifiable information and protected health information and is very much a high value [target] ... for nation-states to hacktivists."

Millions Affected

Premera says it is notifying 11 million individuals about its breach. The Anthem hack affected 78.8 million individuals, making it the largest incident on the Department of Health and Human Services' tally of major health data breaches (see Anthem Hack Now Tops 'Wall of Shame').

A Premera spokesman told the Wall Street Journal that the Anthem and Premera incidents were "different cyberattacks." The FBI declined to offer a comment to ISMG about its investigations into the cyberattacks and whether the incidents are related.

Earlier this month, a report from ThreatConnect, a threat intelligence product and services vendor, said clues in the Anthem breach suggest the attack was launched from China. The report noted that malware used in the Anthem attack contained malicious code that ThreatConnect says has been exclusively used in the past by Chinese APT groups (see Anthem Attribution to China: Helpful?). The Wall Street Journal reports that some experts see signs of similar links to China in the Premera hack.

But Deborah Kobza, executive director of the National Health Information Sharing and Analysis Center, says the China link in both attacks is "only speculation at this point," and that there's been "no confirmation."

On March 18, an Athem spokesperson told ISMG that the insurer has "no new information from the investigation to share with regard to the origin of the attack. We're continuing to work with the FBI and hope to have more to offer upon completion of the investigation soon."

Multiple Motives

Darrell Burkey, a product director at security vendor Check Point Software Technologies, says hackers have multiple potential motives for stealing data from health insurers.

"The information can feed many illicit business opportunities," he says. That ranges from using the data for fraudulent claims to insurers to intercepting Medicare payments. But other motives include "blackmailing wealthy, famous, important people to either pay ransom or their health records will be released," he says. "Consider the wholesome Hollywood [star] that has illicit infections or prominent CEO undergoing counseling or has some dire disease, etc."

Similarly, Borten notes that when millions of personal records are reaped, "the first potential gain is money linked to the sale of the data for identity theft. It is puzzling, however, that Premera reports an intrusion, but no indication that the data was removed."

Data from the Anthem hack hasn't shown up yet on the black market, Kobza says. But stolen information from the recent health insurer attacks eventually could be offered for sale by fraudsters, experts say.

"It's like stealing a famous painting - getting rid of it quietly and profitably is the hard part," says Cameron Camp, security researcher at ESET, a security consulting and technology firm. "In the case of the Anthem breach, it would be better for attackers to either trickle it out into the market, or use it for some secondary attack, like fraudulently filing fake tax returns or other scams."

Although Borten acknowledges that data stolen from Anthem and Premera could turn up on the black market, she says there could be other motives for the assaults. "This was a stealth attack, so it wasn't for a public political reason. It may have been simply a probe to see how vulnerable such organizations are, especially if this was a foreign attack," she says.

Richard Barger, ThreatConnect's chief intelligence officer, says hackers could have targeted the insurers for specific reasons. "Both Anthem and Premera cover a large number of U.S. Federal government employees. If a foreign government obtained sensitive information on the federal workforce, they could leverage this for blackmail or to enable HUMINT [human intelligence] asset development," he says.

Breaking In

So how much effort does it take to breach the IT systems of health insurers?

"In the case of Anthem, the attackers were able to gain access to an administrative account and do a database query," Camp says. "But that's certainly not the only piece to the puzzle, as they still had to do reconnaissance, exfiltration, persist in the network, do lateral discovery and cover their tracks. These aren't simple, cheap, or quick things to do, either in Anthem or the current [Premera] breach."

Jason Matlof, executive vice president at LightCyber, a breach detection solutions firm, notes: "For a professional cybercriminal, it is not terribly difficult to breach a company's network. While legacy threat prevention systems are about 95 percent effective in blocking intrusion attempts, that leaves five percent wide open for cybercriminals to make nearly unlimited attempts to get in with no risks or downside" he says.

In a statement, Premera, based in Mountlake Terrace, Wash., says the company on Jan. 29 discovered that cyber-attackers had executed a sophisticated attack to gain unauthorized access to its IT systems. However, further investigation revealed the initial attack occurred on May 5, 2014, Premera says.

Some security experts say the attack on Premera may have begun months earlier than that. "ThreatConnect found evidence that the faux Premera infrastructure was staged as early as December 2013," ThreatConnect's Barger says. "Initial reports on the Premera breach have indicated that the attack began in May 2014, however, based upon the data that we are seeing, it is likely that there maybe have been a more long-term effort or at least interest, thus broadening the possible window of exposure."

Meanwhile, the Anthem breach, which was announced on Feb. 4, likely began as early as Dec. 10, 2014, with intrusions likely continuing until Jan. 27, according to a company spokeswoman.

So why did it take months for these cyberattacks to be discovered?

"Detection of an attack takes about 205 days on average, which is long, but better than the average of 229 days last year," Richard Bejtlich, chief security strategist at the security firm FireEye, testified during the March 18 House subcommittee hearing. And 70 percent of the time, organizations learn about a breach from the FBI or other external, rather than detecting it themselves, he said.

Camp told members of the House panel: "Attackers want to persist undetected for as long as they can, so if you didn't catch them attacking you, it's also likely that unless they slip up, you wouldn't notice them silently looking around for things to steal, or possibly even as they spirit data out your digital front door and onto the Internet."

The Wrong Focus

Among the issues that also contribute to the healthcare sector's vulnerability is that the industry long has been "focused on compliance rather than risk-based security," Nutkis testified.

So if the healthcare sector is a growing target of attackers, what should organizations do to step up their defense and detection?

Using smaller databases, protected by robust access controls, could help reduce the damage when attackers strike, Borten, the consultant, suggests. "If older or archived data were kept separately with fewer users having access permissions" the number of records breached in these attacks could have been reduced, she says.

Also, improved cyberthreat information sharing within the healthcare sector could help thwart breaches, Camp says. "If victim organizations can share with others in their trust groups who defend health sector organizations, the whole sector will benefit, especially if that can happen rapidly."

NH-ISAC's Kobza is hopeful that recent hacker attacks will help all healthcare organizations to realize they need to share threat intelligence to help thwart attacks. "This is the model that has been adopted in other critical infrastructure sectors, and given the size of the prize in healthcare, it should become our standard as well."

Lysa Myers, a security researcher at ESET, adds that healthcare organizations can take steps to "retrofit" their systems to better defend against hackers. "Encrypting sensitive data, multi-factor authentication, network segmentation, ongoing employee security training - these things all can be fit into existing systems and they can significantly improve the defenses businesses have in place," she says.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network