CareFirst BlueCross BlueShield stepped forward on Wednesday to disclose yet another major breach of a health care insurer, this one affecting 1.1 million people.
Hackers accessed a database to steal the names, user names, birth dates, email addresses and subscriber ID numbers of about 1.1 million current and former CareFirst customers and business partners.
No passwords were taken since those are encrypted and stored in a separate system, and no Social Security numbers, medical claims or credit cards appeared to be compromised, the company said.
Richard Blech, CEO of encryption company Secure Channels, was critical of CareFirst, saying the company trivialized the type of data that was hacked.
“The data stolen is enough to ruin someone’s life,” Blech says. “Trying to mitigate the damage should not be the goal. Health insurance firms cannot ignore the responsibility to protect their customers.”
Dave Frymier, chief information security officer at Unisys, concurs. “Breaches like this can literally create life-or-death issues for consumers,” Frymier says. “If stolen health records are used to obtain care by a criminal, fraudulently purchased medical procedures are listed on the records of people who did not have the procedures. That can create critical medical issues in the future. Organizations seem to only invest in cybersecurity after they are attacked. Few seem willing to invest to prevent the attacks in the first place.”
Baltimore-based CareFirst is the third health care insurer to disclose a major breach this year, following Anthem, which had the records of 80 million people compromised, and Premera Blue Cross, which saw data for 11 million people exposed.
Why is the health care industry being targeted by data thieves? The explanation is two-fold: the data that health care organizations amass, from research work to patient records, has high value in the cyber underground, and the industry’s security policies and practices have lagged behind those of other sectors that have already been through this.
“Health care companies are prime targets for hackers,” says Greg Kazmierczak, CTO of data security vendor Wave Systems. “Not only should the database have been encrypted, but access to the database should have been protected by two-factor authentication. Without strong encryption and access management, expect medical fraud and identity theft to run unchecked.”
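Kazmierczak’s first point, that the database itself should have been encrypted, can be made concrete. The Go program below is an added example written for this page, not code from CareFirst, Wave Systems or any other party quoted here. It encrypts each profile field with AES-256-GCM under a key that lives in a separate key store (a hypothetical stand-in for a key-management service), so that a copy of the table, which is what the attackers obtained, yields only ciphertext; the column name is bound as associated data so a value cannot be moved between columns. The Profile fields mirror the data types the article lists; the sample record and the column names are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Profile holds the field types the stolen database contained.
type Profile struct {
	Name, UserName, BirthDate, Email, SubscriberID string
}

// SampleProfile is constructed test data, not a real record.
func SampleProfile() Profile {
	return Profile{"Jane Q. Public", "jqpublic", "1970-01-15", "jane@example.com", "XYZ123456789"}
}

// KeyStore stands in for a key-management service outside the database
// (hypothetical). The table never holds this key, so a table dump alone is ciphertext.
type KeyStore struct{ key []byte }

func NewKeyStore() (*KeyStore, error) {
	k := make([]byte, 32) // AES-256
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return &KeyStore{key: k}, nil
}

func (ks *KeyStore) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(ks.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealField encrypts one value with AES-256-GCM; the column name is additional
// authenticated data. Stored form: base64(nonce || ciphertext || tag).
func (ks *KeyStore) SealField(column, value string) (string, error) {
	gcm, err := ks.aead()
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(value), []byte(column))), nil
}

// OpenField reverses SealField; tampering, a wrong key or a column swap all fail.
func (ks *KeyStore) OpenField(column, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	gcm, err := ks.aead()
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("stored value too short")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], []byte(column))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// EncryptProfile produces the row exactly as the database would store it.
func EncryptProfile(ks *KeyStore, p Profile) (map[string]string, error) {
	row := map[string]string{}
	for col, val := range map[string]string{"name": p.Name, "user_name": p.UserName,
		"birth_date": p.BirthDate, "email": p.Email, "subscriber_id": p.SubscriberID} {
		ct, err := ks.SealField(col, val)
		if err != nil {
			return nil, err
		}
		row[col] = ct
	}
	return row, nil
}

// DecryptProfile is what the application does only after authenticating a request.
func DecryptProfile(ks *KeyStore, row map[string]string) (Profile, error) {
	var p Profile
	for col, dst := range map[string]*string{"name": &p.Name, "user_name": &p.UserName,
		"birth_date": &p.BirthDate, "email": &p.Email, "subscriber_id": &p.SubscriberID} {
		v, err := ks.OpenField(col, row[col])
		if err != nil {
			return Profile{}, fmt.Errorf("%s: %w", col, err)
		}
		*dst = v
	}
	return p, nil
}

// ContainsPlaintext reports whether a dump of the stored row exposes any field of p,
// i.e. what an attacker holding only the table would learn.
func ContainsPlaintext(row map[string]string, p Profile) bool {
	dump := strings.Join([]string{row["name"], row["user_name"], row["birth_date"], row["email"], row["subscriber_id"]}, "\n")
	for _, s := range []string{p.Name, p.UserName, p.BirthDate, p.Email, p.SubscriberID} {
		if strings.Contains(dump, s) {
			return true
		}
	}
	return false
}

func main() {
	ks, err := NewKeyStore()
	if err != nil {
		panic(err)
	}
	row, err := EncryptProfile(ks, SampleProfile())
	if err != nil {
		panic(err)
	}
	fmt.Println("stored subscriber_id:", row["subscriber_id"])
	fmt.Println("plaintext visible in dump:", ContainsPlaintext(row, SampleProfile()))
}
```

The design point is the separation of trust: the key store, not the database, is what an attacker must reach to read the data, and an authenticated request (which is where Kazmierczak’s second point, two-factor authentication on access, belongs) is the only path that calls DecryptProfile.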
The question of the moment: How many more major breaches will have to be disclosed before health care organizations move assertively to shore up security?
“It’s time for the health care entities to shift gears to modern data-security defenses and join their peers in other industries who’ve already learned how to mitigate these threats,” says Mark Bower, global product management director at HP Security Voltage.
The data breach was discovered last month after CareFirst retained forensics firm Mandiant to audit its security systems. Mandiant found evidence of access to a single database containing data originating from CareFirst’s websites and online services. Anyone who created profiles on the insurer’s website before June 20, 2014, was affected.
Other health care organizations are likely to conduct similar audits. Security experts predict that disclosure of other major hacks will be forthcoming, for some time to come.
“The medical industry as a whole has to up its game in security maturity, especially basics like patching, security controls and incident detection,” says Gavin Reid, vice president of threat intelligence at network security firm Lancope.
Ken Westin, senior security analyst at Tripwire, adds: “In general, health care organizations are not prepared for the level of sophistication associated with the attacks that are coming at them. As we saw with the recent tidal wave of retail breaches, attackers often take advantage of vulnerabilities that are endemic within an industry.”
In the meantime, the burden rests with the individual consumer to proactively limit dissemination of personal data in the health care field.
“Share only with trusted providers that have a need to know,” advises Lancope’s Reid. “Be vigilant if you ever come across a medical bill in your name that covers services you didn’t receive – even if there is no associated bill or charge.”
Meanwhile, healthcare organizations need to embrace a security mindset from the board room to the patient room. Until that happens, data thieves will continue to plunder their employee, patient and partner data.
“Ongoing assessments and tests are critical to identifying areas of vulnerability before sensitive data is at risk, especially since many breaches aren’t obvious to the organization,” says Jay Schulman, managing principal at Cigital. “It’s not only about building effective software that adheres to compliance standards, but healthcare organizations also need to build security in so that applications and software can tell you when something is going wrong.”
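Schulman’s “applications that can tell you when something is going wrong” can be as simple as the application in front of the profile database counting what each principal reads. The Go program below is an added example, not Cigital’s or CareFirst’s code; its audit-log format, the sample lines and both thresholds are constructed for illustration. It parses application-level audit lines, sums rows read per (user, source address, table) and flags any single statement or cumulative read volume of a sensitive table above a limit, which is the signature of the bulk export that produces a 1.1 million-record loss.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// AuditEvent is one read recorded by the application in front of the profile
// database. The "ts key=value ..." format is constructed, not any vendor's.
type AuditEvent struct {
	Time, User, Src, Table, Op string
	Rows                       int
}

// ParseAuditLine parses one audit line; unknown keys are ignored.
func ParseAuditLine(line string) (AuditEvent, error) {
	fields := strings.Fields(line)
	if len(fields) < 6 {
		return AuditEvent{}, fmt.Errorf("malformed line: %q", line)
	}
	ev := AuditEvent{Time: fields[0]}
	for _, kv := range fields[1:] {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return AuditEvent{}, fmt.Errorf("bad field %q in %q", kv, line)
		}
		switch k {
		case "user":
			ev.User = v
		case "src":
			ev.Src = v
		case "table":
			ev.Table = v
		case "op":
			ev.Op = v
		case "rows":
			n, err := strconv.Atoi(v)
			if err != nil {
				return AuditEvent{}, fmt.Errorf("bad rows in %q: %w", line, err)
			}
			ev.Rows = n
		}
	}
	return ev, nil
}

// Alert names a principal whose reads of a sensitive table look like a bulk export.
type Alert struct {
	User, Src, Table string
	Rows             int
	Reason           string
}

// FlagBulkReads sums rows read per (user, src, table) over the log window and flags
// totals above maxRowsPerWindow, plus any single SELECT above maxRowsPerQuery.
// Both limits are assumptions; a deployment derives them from its own baseline.
func FlagBulkReads(lines []string, sensitive map[string]bool, maxRowsPerQuery, maxRowsPerWindow int) ([]Alert, error) {
	type key struct{ user, src, table string }
	totals := map[key]int{}
	var alerts []Alert
	for _, line := range lines {
		ev, err := ParseAuditLine(line)
		if err != nil {
			return nil, err
		}
		if !sensitive[ev.Table] || ev.Op != "SELECT" {
			continue
		}
		if ev.Rows > maxRowsPerQuery {
			alerts = append(alerts, Alert{ev.User, ev.Src, ev.Table, ev.Rows, "single statement exceeds per-query limit"})
		}
		totals[key{ev.User, ev.Src, ev.Table}] += ev.Rows
	}
	for k, n := range totals {
		if n > maxRowsPerWindow {
			alerts = append(alerts, Alert{k.user, k.src, k.table, n, "cumulative reads exceed window limit"})
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Rows > alerts[j].Rows })
	return alerts, nil
}

// SampleAuditLog is constructed: web requests read a few rows each, while one
// service-account session pulls the whole profiles table in two statements.
var SampleAuditLog = []string{
	"2015-04-21T02:13:07Z user=web_app src=10.1.4.20 table=profiles op=SELECT rows=1",
	"2015-04-21T02:13:09Z user=web_app src=10.1.4.21 table=profiles op=SELECT rows=3",
	"2015-04-21T02:14:40Z user=web_app src=10.1.4.20 table=sessions op=SELECT rows=1",
	"2015-04-21T02:15:02Z user=report_svc src=10.1.9.8 table=profiles op=SELECT rows=600000",
	"2015-04-21T02:15:31Z user=report_svc src=10.1.9.8 table=profiles op=SELECT rows=500000",
	"2015-04-21T02:16:00Z user=web_app src=10.1.4.22 table=profiles op=UPDATE rows=1",
}

func main() {
	alerts, err := FlagBulkReads(SampleAuditLog, map[string]bool{"profiles": true}, 1000, 50000)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%s@%s read %d rows of %s: %s\n", a.User, a.Src, a.Rows, a.Table, a.Reason)
	}
}
```

Counting at the application tier rather than relying on database logs alone is deliberate: the application knows which principal and which request asked for the rows, so the alert carries the context an incident responder needs on the first page.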