A data security expert explains how a huge cyber attack on one of the nation's largest health plans could be the catalyst that makes the healthcare industry take significant steps toward improving data security.
Anthem Health's massive data breach announced Thursday sent shockwaves through the healthcare information technology sector. As many as 80 million people may have had personal data compromised, placing them at risk of identity fraud, Anthem reported.
|
Dwayne Melancon, |
Investigators, including the FBI, are sifting through what happened, attempting to determine how security was breached, who may have done it, and what will happen to the stolen information.
Dwayne Melancon, chief technology officer with Portland, OR-based Tripwire, a security software provider, spoke with HealthLeaders Media Thursday about the potential ramifications for healthcare data collection, storage, and security. The following is an edited transcript.
HLM: How can the stolen data be used?
Dwayne Melancon: This is a different level than just losing a credit card number. It would be easy to create a lot of chaos with this. Unlike credit card data or email addresses that don't tend to affect you personally from a financial perspective, when people start losing Social Security numbers, health data, previous employer data, and previous address data, problems arise.
HLM: Anthem calls this a "very sophisticated" attack. What does that mean?
DM: That generally means that the attackers were able to get into the systems where they could probably impersonate employees or administrator accounts. With a brute force attack somebody might be able to guess a password, log into a site, and steal data.
A more sophisticated attack would implant malware in your network and make configuration changes to allow them to get back in later, poke around the network, and look for more data. In some cases we have seen attackers create temporary storage locations on a company's network, pile a bunch of employee or customer data into the location, and run a script to exfiltrate that data out of the corporate network to some other site so they can do what they want with it later.
HLM: Who would be capable of doing this?
DM: One person could do it but probably not alone. They need to get information. In a lot of cases people will tap into other attackers who have profiled the network and have found a specific vulnerability that can be taken advantage of to access the network.
In other breaches people have been able to find ex-employees and get information to create custom malware. The Target breach was indirect—through an air conditioner contractor. That is part of the reconnaissance that these criminals do. They will use that knowledge to create a piece of malware that is custom-tailored to the target organization and is difficult to detect because they know your patterns, they know what you watch for, and they are able to fly in under the radar.
HLM: How will we be able to determine if this stolen data is being put to ill use?
DM: There are a number of organizations, including law enforcement and independent security research firms, which regularly watch the places where this kind of information is sold. They will look for data dumps that are associated with the Anthem breach. That will be a first indication that this information has been processed and is now being sold.
HLM: Would encrypting data prevent breaches?
DM: In a lot of cases encryption helps. In some cases, if people are able to impersonate a trusted user on your network, then they have the means to request the data in a legitimate query. Your systems will decrypt the data and give it to them.
Simply encrypting data is good, but often it is not enough. You also have to have good segregation of data, where you make sure that only a select groups of people can access sensitive data, that there are lots of controls around it, and make it more difficult for people to casually browse data and take it.
HLM: Is the healthcare sector good at protecting data?
DM: I would say they are ahead of retail but not as sophisticated as the financial industry. There has been a lot of emphasis on HIPAA to protect the personal data. That has helped a lot in terms of getting healthcare companies to put more controls around data to make it more difficult to access.
The challenge is that a sophisticated hacker with a lot of resources can sometimes get into a position where you can't tell the difference between them and a trusted employee. That is where the problems start.
HLM: What can the healthcare sector do to improve data security?
DM: Financial institutions are really good at data classification and segregation. Classification means they determine which data is the most sensitive and valuable. The more critical the data is the more security they wrap around it. Segregation means that even if you gain access to part of the data there are additional hoops you have to jump through to get to the rest of the data.
HLM: Do you have any idea what sort of HIPAA penalties Anthem will incur?
DM: There will be consequences, but rather than jump directly to punishing the victim I hope they try to determine how much of this was negligence and how much was somebody who was determined to hack into the system.
There is a tendency to say a company didn't know what they were doing. That is not always the case. In some cases people are able to compromise an insider or gain access to an obscure security vulnerability. In a lot of those cases it isn't negligence, it's just something people could not foresee.
I'd rather we see what the cause is and what the investigation turns up before we start calling for their heads on a stick. If they do find them to be negligent or short-sighted there should be consequences. But if they were taking reasonable measures and still got compromised, it may be that they had well-resourced, determined attackers and any organization could be vulnerable to that.
HLM: How do you expect the healthcare industry to respond to this breach?
DM: This will definitely increase the sense of urgency. We saw this with retailers and financial institutions when they were compromised. There was huge increase in security scrutiny. The boards and company management started talking about it. Investment in security increased.
A word of caution: Just because it's a dollar spent on security doesn't mean it's worth spending. All of this should be aligned within a good risk framework to make sure that people really are spending in a way that increases security, and doesn't just add window dressing.
We have seen a lot of cases where people have deployed technologies and either not implemented them properly or it was the wrong technology and they still got breached.
Rather than panic, I would rather that people take a more deliberate approach, see what we have learned from this, and then invest so that they shape of their spending for security matches the risk.
HLM: Does this breach change the way we assess health data security?
DM: It very well could be. People feel violated, and the more personal it feels, the more likely we are to take notice. This may be a bellwether moment where we look back in a few years and say the Anthem breach triggered all of this and healthcare information is much more secure because of this.
I hope that is what happens, because this is critical data that we need to protect. But time will tell to see how we react.
John Commins is the news editor for HealthLeaders.