Protecting Against Anthem-Like AttacksExperts Offer 9 Tips for Minimizing Risk of Hacker Intrusions
In the aftermath of the massive data breach at Anthem Inc., privacy and security experts are offering tips for actions healthcare organizations can take to avoid becoming the next hacking victim.
Health insurer Anthem Inc. believes the attack that reportedly compromised up to 80 million individuals' unencrypted, personally identifiable information may have began with phishing e-mails sent to a handful of its employees. The e-mails were potentially used to trick the individuals into visiting malicious websites or executing malware (see Anthem Breach: Phishing Attack Cited).
As a result, healthcare organizations should re-evaluate their workforce training to help prevent employees from falling victim to social engineering hoaxes, such as phishing. But beyond that, a multilayered approach to securing sensitive data is essential.
"What we learned with retail and credit card heists is that a layered security approach is always required because you can be sure the criminals can penetrate one or two layers, but penetrating three or four or five layers makes their jobs that much harder and time consuming," says security expert Avivah Litan, an analyst at the consultancy Gartner, in a recent blog. She says healthcare organizations need to learn this and other lessons from the retail sector, which has been plagued by massive breaches.
Following are nine tips from privacy and security experts for how healthcare organizations can mitigate the risk that hackers will successfully attack their systems and compromise data.
1. Train Staff about Phishing Risks
Organizations must provide updated training about not responding to suspicious e-mails that are potentially phishing attempts, especially because, at first glance, these e-mails may look legitimate.
"The majority of breaches are caused by human error," notes Michael Bruemmer, vice president at Experian Data Breach Resolution. "Employees are on the front-line for protecting patient data and should be outfitted with the skills and knowledge they need to implement best practices.
Security expert Mac McMillan, CEO of consulting firm CynergisTek, stresses that it's important to teach employees to be suspicious of e-mails or even phone calls that involve providing information to unknown individuals.
2. Scrutinize Data Storage Practices
One important lesson from the Anthem breach is that healthcare organizations must carefully consider what data they really need to hold on to help minimize the risk involved if they're hacked.
"Healthcare organizations having large databases of personally identifiable data are increasingly the targets of cyberattacks," says security and privacy expert Kate Borten, principal at the consulting firm The Marblehead Group. "There is significant commercial value in this data, whether for financial identity theft, medical identity theft, or other purposes, such as identifying marketing and research targets."
Security and privacy expert Rebecca Herold, partner and co-owner of HIPAA Compliance Tools and CEO of The Privacy Professor, also says she's seeing more healthcare organizations insisting on using one massive database. Drivers for this trend include "storage becoming so inexpensive, and because the expanded use of cloud services often results in such massive databases," she says. But if an organization is considering storing massive amounts of sensitive data, it should ensure it has adequate access controls and other security controls in place, she adds.
3. Carefully Assess Encryption
Anthem has reportedly acknowledged its database that was breached was not encrypted.
HIPAA doesn't expressly require encryption if an organization documents that it has used another "reasonable and appropriate" safeguard to protect data. Nevertheless, Herold and other experts urge healthcare organizations to encrypt their data - not only in transit, but also while it's stored.
But encryption is not a "silver bullet" for guarding against data breaches. "Protecting large databases like Anthem's is a challenge," says Columbia University computer networking and security professor Steve Bellovin in a blog post. "In a case like the Anthem breach, the really sensitive databases are always in use. This means that they're effectively decrypted: the database management systems are operating on cleartext, which means that the decryption key is present in RAM somewhere." While access-control systems might prevent an attacker from grabbing that key, keeping such environments secure is challenging.
4. Take a Multilayer Security Approach
Healthcare organizations must acknowledge the boldness and persistence of cybercriminals determined to steal data, Gartner's Litan says. And that means they need to adopt a multilayer approach to security.
"Criminals know how to access encrypted data before it is encrypted - which it always is at some point," Litan says.
"If there are controls in an application, for example, metering data access, criminals will quickly learn what those controls are and get around them, for example by slowing down an attack and mimicking authorized human users," Litan says. In addition, "criminals' preferred modus operandi is to hijack existing privileged user accounts, which have access to otherwise protected or encrypted data, to gain access to the information they want."
As part of a multilayer approach, "organizations need to be on top of their standard configurations for servers and network devices, and ensure that old and weak protocols are replaced," Borten adds.
5. Implement and Test Detection Tools
To help defend against hackers, it's critical to implement intrusion prevention and detection systems and anti-malware applications, Herold says.
But once those tools are in place, there's also a need to follow up on questionable findings. Herold suggests logging access to databases containing sensitive data and regularly reviewing the access to identify suspicious activities. In addition, it's important to perform periodic penetration and vulnerability tests, she says.
6. Go Beyond a Focus on Compliance
Healthcare organizations need to go far beyond a focus on HIPAA compliance, security experts say.
"HIPAA's security rule was never intended by the government to be the 'be-all and end-all,'" Borten says. "Any covered entity or business associate thinking their security program need only comply with HIPAA to be secure is missing the boat. First, general security controls such as network controls are omitted by the rule; for example, there's no mention of firewalls. But certainly HHS expects them to be in place. Second, organizations can be fully compliant with HIPAA, PCI DSS, and other requirements and still suffer a breach."
At health insurer Aetna, HIPAA compliance is a component of a much broader risk management program, says Cynthia Michener, an Aetna spokeswoman. "We work diligently every day to monitor for threats and modify our systems and procedures with leading security measures to thwart attacks and help protect our data."
7. Limit Social Security Number Use
Because Social Security numbers are highly valued by hackers interested in committing identity theft, healthcare organizations should avoid using them as identifiers. In the Anthem hack, medical IDs/Social Security numbers were among the information exposed.
"This latest incident highlights the ongoing need for the health sector to move to a model that relies less on Social Security numbers," Michener says. "SSNs are highly marketable and valuable to hackers, and have been a standard part of the healthcare system for decades. The less SSNs are handled as part of business transactions, the smaller the opportunity that they can be exploited by hackers. "
In its proposed fiscal 2016 budget, the Department of Health and Human Services is seeking $50 million for a project to remove Social Security numbers from Medicare cards (see Obama Budget: Health Data Security Impact).
8. Keep an Eye on Vendors
Although the Anthem breach didn't involve the breach of a third party, many recent retailer breaches, including the massive attack against Target, started with a third-party breach. That's why healthcare organizations need to keep a closer eye on the security practices of their vendors, says Experian's Bruemmer.
Healthcare organizations should audit vendor's practices before signing a contract, he advises. "They should also conduct audits with all third-party vendors that have access to patient data on a semi-annual basis."
9. Share Cyber-Intelligence with Peers
Finally, to keep ahead of threats, it's important that healthcare organizations share cyber-intelligence with their peers.
To help promote wider cyber intelligence sharing in the healthcare sector in the wake of the Anthem breach, the Healthcare Information Trust Alliance announced on Feb. 9, that it is making changes and additions to its Cyber Threat Intelligence and Incident Coordination Center (C3). Those changes including providing a basic subscription to the HITRUST Cyber Threat XChange (CTX) for free, giving organizations of all sizes online access to a comprehensive array of cyber threat intelligence and industry indictors of compromise, including information associated with the Anthem breach.
News writer Jeffrey Roman contributed to this article.