
Healthcare Breaches Like Premera First Stage Of Bigger Attacks?

With three new healthcare breaches announced this week, but no reported misuse of stolen data, what plans might attackers have for the identity records they pilfered from CHS, Anthem, Premera and others?

By Sara Peters and Ericka Chickowski -- This week brought news of three more healthcare data breaches, one of which left the personal data of 11 million individuals exposed. The incidents raise more questions about why China-based cyberespionage groups have taken a shine to American healthcare data and what plans they have for it. While shining harsh light on the deep cracks in the healthcare industry's security, the recent events also highlight the potential success of information sharing.   

Since a China-based advanced persistent threat group breached Community Health Systems (CHS) in April 2014, healthcare and medical insurance providers have been barraged by major data breaches, apparently at the hands of Chinese cyberespionage groups or other highly sophisticated criminal actors capable of creating custom malware. The largest event, of course, was that at insurer Anthem Healthcare, which exposed 80 million individuals' records. 

Tuesday, medical insurance providers LifeWise and Premera Blue Cross each separately reported that they were the latest targets of sophisticated cyberattacks, which began May 5, 2014. Premera had 11 million customers potentially exposed; LifeWise 250,000. Also this week, in addition to the insurers, a healthcare provider -- Advantage Dental, which runs dental clinics in the Pacific Northwest -- notified 150,000 patients Monday that their personal information, excluding payment or clinical data, was breached.

"As a result of this news, it seems that all insurance providers need to be taking a closer look at their networks for possible intrusion patterns that match those of Premera Blue Cross and Anthem, then take necessary action," says Philip Casesa, director of IT/service operations for (ISC)2.

The Premera and LifeWise news is already being pegged by some security experts as potentially part of a broader campaign against insurers that could go back as far as 2013.

A report published by the firm ThreatConnect in late February warned that Premera was potentially the target of an Anthem-like attack that used malware "strongly believed to be associated with Chinese APT activity and in fact may have also been involved in a Blue Cross Blue Shield targeting campaign as early as December 2013." It was associated with "prennera.com," a fake domain meant to resemble Premera's. This technique is similar to the attack against Anthem -- formerly known as Wellpoint prior to a late 2014 rebrand -- in which a phony domain, "we11point.com," was used.

Mandiant is conducting the forensic investigations for the Premera, LifeWise, Anthem, and CHS breaches. It has thus far revealed attribution only for the CHS event, which has been credited to an APT group that Mandiant said had "typically sought valuable intellectual property, such as medical device and equipment development data."

So why change tactics? They could simply be trying to raise funds, or the attribution could be incorrect.

David B. Amsler, president and CIO of Foreground Security, has another theory. Foreground is a provider of SOC-level oversight and strategic counsel services to government and healthcare, including HHS.

"This is a clear sign of a larger, major campaign by select, sophisticated groups to gather significant information for use in a second phase of attacks," says Amsler, "most likely on critical infrastructure—government and defense systems, financial services, and power companies and utilities.”

How exactly could PII be employed for a critical infrastructure attack? George Baker, director of professional services for Foreground says, “It’s all about the people. Social engineering is the best way into an organization, and the key is getting the right person to click on an email spear phishing link or attachment. Aside from monetizing stolen identity data, a sophisticated adversary who is targeting critical infrastructure can make their attacks more effective if they have information on the people who play key roles in the organization. Unfortunately, when healthcare systems are involved, that can involve other sensitive information about individuals and their families.” 

So far none of the breached organizations have detected fraudulent use of the compromised data, but it could eventually be sold and used for medical identity theft. According to recent research, medical ID theft increased by over 20 percent in 2014. The proportion of incidents committed by people known to or close to the victim remains high, however, which is typical of that type of crime.

The data stolen from these health insurers could also be used for purposes that have nothing to do with healthcare at all.

"Such information sells for 10 times the cost of stolen debit and credit card information," says Steve Grobman, chief technology officer of Intel Security, "given that the latter is more perishable. Personal information contained by healthcare organizations isn’t likely to change, whereas stolen card numbers are canceled soon after the theft is discovered. This shift in criminal focus has particular implications for healthcare. Security in a healthcare device is critical regardless of whether it is a networked nurses’ tablet, embedded medical device, or patients’ wearable.”

Anthem Connection?

Premera and LifeWise both say they discovered their breaches Jan. 29, the same day Anthem confirmed its own intrusion. It's possible the companies discovered their breaches thanks to Anthem sharing its indicators of compromise (IOCs) with others in the healthcare community.

While there may be a connection between the attacks -- a reasonable assumption if the indicators of compromise turn out to be the same, which had not been confirmed as of press time -- the Premera and LifeWise attacks did not occur as a result of Anthem's. If anything, it's the other way around: Mandiant's investigations show that the Anthem attackers first intruded during December 2014. Both Premera and LifeWise report that their first intrusions occurred several months earlier, in May.
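The two defensive threads above, the lookalike domains ("prennera.com", "we11point.com") described in the ThreatConnect report and the sharing of indicators of compromise that may have let Premera and LifeWise spot their intrusions, can be tied together in a small detection script. The following is an added example, not code from the article or from any of the firms it quotes. It assumes a constructed DNS log in a made-up `key=value` format, a constructed list of the insurers' legitimate domains, and a shared IOC list that contains the two lookalike domains named in the article plus nothing else; the homoglyph table is a common-sense mapping, not one taken from the report.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample data (not from the article): legitimate domains of the
# insurers discussed, the two lookalike domains the article names, and a
# handful of DNS query log lines in an invented key=value layout.
LEGIT_DOMAINS = ["premera.com", "wellpoint.com", "anthem.com"]
SHARED_IOCS = {"prennera.com", "we11point.com"}  # as shared by a peer insurer
DNS_LOG = """\
2015-01-29T10:15:02Z client=10.1.2.3 query=mail.premera.com type=A
2015-01-29T10:15:09Z client=10.1.2.3 query=prennera.com type=A
2015-01-29T10:16:44Z client=10.1.2.7 query=login.we11point.com type=A
2015-01-29T10:17:01Z client=10.1.2.9 query=premera-benefits.com type=A
2015-01-29T10:17:22Z client=10.1.2.9 query=anthern.com type=A
2015-01-29T10:17:30Z client=10.1.2.9 query=example.org type=A
"""

# Digits and letter pairs commonly used to imitate other characters; mapping
# them first lets a plain edit distance treat "we11point" as "wellpoint" and
# "anthern" as "anthem". Hypothetical table, chosen for illustration.
HOMOGLYPH_TABLE = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})
HOMOGLYPH_PAIRS = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def normalize(label: str) -> str:
    """Fold look-alike characters so imitations collapse onto the brand."""
    s = label.lower().translate(HOMOGLYPH_TABLE)
    for pair, single in HOMOGLYPH_PAIRS:
        s = s.replace(pair, single)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the classic two-row dynamic program."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """'login.we11point.com' -> 'we11point'. Simplification: assumes a
    one-label public suffix such as .com or .org."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_of(domain: str, legit_domains: List[str] = LEGIT_DOMAINS,
                 max_distance: int = 2) -> Optional[str]:
    """Return the legitimate domain that `domain` appears to imitate, or None
    when it is the genuine domain (or a subdomain of it) or unrelated."""
    raw = registrable_label(domain)
    if raw in {registrable_label(d) for d in legit_domains}:
        return None
    norm = normalize(raw)
    for legit in legit_domains:
        brand = registrable_label(legit)
        if norm == brand or brand in norm or edit_distance(norm, brand) <= max_distance:
            return legit
    return None


QUERY_RE = re.compile(r"query=(?P<query>\S+)")


def classify_query(domain: str) -> Optional[Tuple[str, str]]:
    """('shared_ioc', ioc) for a hit on the shared list, ('lookalike', brand)
    for a homoglyph/typo imitation, None otherwise."""
    d = domain.lower().rstrip(".")
    registrable = ".".join(d.split(".")[-2:])  # so subdomains of an IOC match too
    if registrable in SHARED_IOCS:
        return ("shared_ioc", registrable)
    target = lookalike_of(d)
    if target:
        return ("lookalike", target)
    return None


def scan_dns_log(log: str = DNS_LOG) -> List[Tuple[str, str, str]]:
    """Return (queried_name, verdict, matched_value) for every suspicious query."""
    hits = []
    for line in log.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        verdict = classify_query(m.group("query"))
        if verdict:
            hits.append((m.group("query"), *verdict))
    return hits


if __name__ == "__main__":
    for name, verdict, matched in scan_dns_log():
        print(f"{verdict:11} {name:28} -> {matched}")
```

The shared-IOC check is exact and cheap; the lookalike check is the fuzzy fallback that catches names nobody has shared yet. In practice the brand list should be the organization's real registered domains and the log source the resolver or proxy, and anything flagged as `lookalike` deserves a quick registrar and passive-DNS look before it is added to the block list and shared onward.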

According to Casesa, the most troubling part of the compromise is the amount of time attackers had access to systems. Other experts believe that Premera and Anthem are emblematic of healthcare's inability to focus on protecting what matters.

"Today's Premera breach news once again demonstrates the failure of flawed, outdated assumptions: over-reliance on 'guard the door' entry point security and simplistic single-key encryption schemes is a quaint and dangerous approach to a 21st century problem," says Richard Blech, CEO of SecureChannels, explaining that while there may be no perpetually sustainable way to prevent intrusions, healthcare organizations must do better at securing the data those intruders seek. "Data with the highest levels of encryption possible will render said stolen data completely useless to the thief."

Trent Trelford, CEO of Covata, concurs, explaining that health insurers are only working to secure the networks that data resides on and travels over, not encrypting the data itself.

"For many of these companies, data security has been an afterthought or something they did not deem necessary," Trelford says. "However, this breach again highlights how vulnerable the health care and insurance industries are to attacks. People are entrusting these organizations with their personal information and it is the responsibility of corporations to take appropriate steps to ensure it is protected - this must include data encryption." 

Whoever and whatever's to blame, it isn't just healthcare companies and customers that should be concerned, says Adam Meyer, chief security strategist at SurfWatch Labs.

"I expect the healthcare industry to see increased attacks, which in turn increases risk across all industries as employees with plans provided by the impacted insurers are consistently targets of secondary attacks and victims of fraud," says Meyer. "All organizations should review their healthcare industry exposure and assess the impact as a supply chain risk that has a direct impact to the workforce.”

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.
