3/18/2015 02:40 PM

Healthcare Breaches Like Premera First Stage Of Bigger Attacks?

With three new healthcare breaches announced this week, but no reported misuse of stolen data, what plans might attackers have for the identity records they pilfered from CHS, Anthem, Premera and others?

By Sara Peters and Ericka Chickowski -- This week brought news of three more healthcare data breaches, one of which left the personal data of 11 million individuals exposed. The incidents raise more questions about why China-based cyberespionage groups have taken a shine to American healthcare data and what plans they have for it. While shining harsh light on the deep cracks in the healthcare industry's security, the recent events also highlight the potential success of information sharing.   

Since a China-based advanced persistent threat group breached Community Health Systems (CHS) in April 2014, healthcare and medical insurance providers have been barraged by major data breaches, apparently at the hands of Chinese cyberespionage groups or other highly sophisticated criminal actors capable of creating custom malware. The largest event, of course, was that at insurer Anthem Healthcare, which exposed 80 million individuals' records. 

Tuesday, medical insurance providers LifeWise and Premera Blue Cross each separately reported that they were the latest to be the target of sophisticated cyberattacks, which began on May 5, 2014. Premera had 11 million customers potentially exposed; LifeWise 250,000. Also this week, in addition to the insurers, a healthcare provider -- Advantage Dental, which runs dental clinics in the Pacific Northwest -- notified 150,000 patients Monday that their personal information, excluding payment or clinical data, was breached.

"As a result of this news, it seems that all insurance providers need to be taking a closer look at their networks for possible intrusion patterns that match those of Premera Blue Cross and Anthem, then take necessary action," says Philip Casesa, director of IT/service operations for (ISC)2.

The Premera and LifeWise news is already being pegged by some security experts as potentially part of a broader campaign against insurers that could go back as far as 2013.

A report published by the firm ThreatConnect in late February warned that Premera was potentially the target of an Anthem-like attack that used malware "strongly believed to be associated with Chinese APT activity and in fact may have also been involved in a Blue Cross Blue Shield targeting campaign as early as December 2013." It was associated with "prennera.com," a fake domain meant to resemble Premera's. This technique is similar to the attack against Anthem -- formerly known as Wellpoint prior to a late 2014 rebrand -- in which a phony domain, "we11point.com," was used.
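The two look-alike domains above rely on characters that read the same at a glance: "nn" standing in for "m" and "11" for "ll". A defender can catch that class of domain in DNS or proxy logs by folding such confusable sequences before comparing against a brand watch list. The script below is an added example written for this article, not code from ThreatConnect, Mandiant or any company quoted here; the watch-list domains (premera.com, wellpoint.com), the log line format and the log contents are all constructed for the example, and the two-label "registrable domain" rule is a simplification that ignores multi-label public suffixes.

```python
"""Flag DNS queries for look-alike versions of a set of brand domains.

Added example for this article, not code from any of the firms it quotes.
Heuristic: fold visually confusable characters (the "1" for "l" in
we11point.com, the "nn" for "m" in prennera.com) and compare to a watch list.
"""
import re

# Assumed brand domains to protect. The article names the companies, not
# their registered domains, so treat these as placeholders for a real list.
WATCHLIST = ["premera.com", "wellpoint.com"]

# Confusable substitutions, multi-character pairs first so "rn" folds to "m"
# before any single character is touched.
CONFUSABLES = [
    ("rn", "m"), ("nn", "m"), ("vv", "w"), ("cl", "d"),
    ("1", "l"), ("0", "o"), ("3", "e"), ("5", "s"),
]

# Constructed log format: "<timestamp> client=<ip> query=<name> type=<rr>".
QUERY_RE = re.compile(r"query=(?P<qname>[A-Za-z0-9.\-]+)")

# Constructed sample log; the two look-alike names are the ones from the article.
SAMPLE_LOG = """\
2015-03-18T14:40:01Z client=10.0.0.15 query=mail.premera.com type=A
2015-03-18T14:40:03Z client=10.0.0.22 query=www.prennera.com type=A
2015-03-18T14:40:07Z client=10.0.0.22 query=we11point.com type=A
2015-03-18T14:40:09Z client=10.0.0.31 query=premerra.com type=A
2015-03-18T14:40:12Z client=10.0.0.31 query=example.org type=A
"""


def fold_confusables(label: str) -> str:
    """Return the label with confusable sequences replaced by what they imitate."""
    s = label.lower()
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; labels are short, so a full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(qname: str) -> str:
    """Last two labels of the name. Assumption: no multi-label public suffixes
    (co.uk and the like) in the input; a real deployment would use a suffix list."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(qname: str, watchlist=WATCHLIST):
    """Return (verdict, brand). Verdicts: legitimate, lookalike, near-miss, clean.

    lookalike: the second-level label folds to the brand label (we11point -> wellpoint)
    near-miss: one edit away from the brand label after folding (premerra)
    """
    dom = registrable(qname)
    sld = dom.partition(".")[0]
    folded = fold_confusables(sld)
    for brand in watchlist:
        b_sld = brand.partition(".")[0]
        if dom == brand:
            return "legitimate", brand
        if folded == b_sld:
            return "lookalike", brand
        if levenshtein(folded, b_sld) == 1:
            return "near-miss", brand
    return "clean", None


def scan_log(text: str, watchlist=WATCHLIST):
    """Return (line_no, qname, verdict, brand) for every query worth an analyst's eye."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = QUERY_RE.search(line)
        if not m:
            continue
        verdict, brand = classify(m.group("qname"), watchlist)
        if verdict in ("lookalike", "near-miss"):
            hits.append((n, m.group("qname"), verdict, brand))
    return hits


if __name__ == "__main__":
    for line_no, qname, verdict, brand in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {qname} -> {verdict} for {brand}")
```

The folding step is deliberately lossy: it will also fold harmless names containing "nn" or "rn", but a name is only flagged when the folded form lands on a watch-listed brand, so the false-positive surface stays limited to the watch list itself. Names such as mail.premera.com are reported as legitimate because the registrable domain matches the brand exactly; the near-miss rule catches single-character misspellings that confusable folding alone would not.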

Mandiant is conducting the forensic investigations for the Premera, LifeWise, Anthem, and CHS breaches. They've thus far only revealed any attribution for the CHS event, which has been credited to an APT group they said had "typically sought valuable intellectual property, such as medical device and equipment development data."

So why change tactics? They could simply be trying to raise funds, or the attribution could be incorrect.

David B. Amsler, president and CIO of Foreground Security, has another theory. Foreground is a provider of SOC-level oversight and strategic counsel services to government and healthcare, including HHS.

"This is a clear sign of a larger, major campaign by select, sophisticated groups to gather significant information for use in a second phase of attacks," says Amsler, "most likely on critical infrastructure—government and defense systems, financial services, and power companies and utilities.”

How exactly could PII be employed for a critical infrastructure attack? George Baker, director of professional services for Foreground says, “It’s all about the people. Social engineering is the best way into an organization, and the key is getting the right person to click on an email spear phishing link or attachment. Aside from monetizing stolen identity data, a sophisticated adversary who is targeting critical infrastructure can make their attacks more effective if they have information on the people who play key roles in the organization. Unfortunately, when healthcare systems are involved, that can involve other sensitive information about individuals and their families.” 

So far none of the breached organizations have detected fraudulent use of the compromised data, but it could eventually be sold and used for medical identity theft. According to recent research, medical ID theft increased by over 20 percent in 2014, although the proportion of incidents committed by people known to or close to the victim remains high, which is typical for that type of crime.

The data stolen from these health insurers could also be used for purposes that have nothing to do with healthcare at all.

"Such information sells for 10 times the cost of stolen debit and credit card information," says Steve Grobman, chief technology officer of Intel Security, "given that the latter is more perishable. Personal information contained by healthcare organizations isn’t likely to change, whereas stolen card numbers are canceled soon after the theft is discovered. This shift in criminal focus has particular implications for healthcare. Security in a healthcare device is critical regardless of whether it is a networked nurses’ tablet, embedded medical device, or patients’ wearable.”

Anthem Connection?

Premera and LifeWise both say they discovered their breaches Jan. 29, the same day Anthem confirmed its own intrusion. It's possible the companies discovered their breaches thanks to Anthem sharing its indicators of compromise (IOC) with others in the healthcare community.

While there may be a connection between the attacks -- a reasonable assumption if the indicators of compromise turn out to be the same, which had not been confirmed as of press time -- the Premera and LifeWise attacks did not occur as a result of Anthem's. If anything, it's the other way around: Mandiant's investigations show that the Anthem attackers first intruded during December 2014. Both Premera and LifeWise report that their first intrusions occurred several months earlier, in May.

According to Casesa, the most troubling part of the compromise is the amount of time attackers had access to systems. Other experts believe that Premera and Anthem are emblematic of healthcare's inability to focus on protecting what matters.

"Today's Premera breach news once again demonstrates the failure of flawed, outdated assumptions: over-reliance on 'guard the door' entry point security and simplistic single-key encryption schemes is a quaint and dangerous approach to a 21st century problem," says Richard Blech, CEO of SecureChannels, explaining that while there may be no perpetually sustainable way to prevent intrusions, healthcare organizations must do better at securing the data those intruders seek. "Data with the highest levels of encryption possible will render said stolen data completely useless to the thief."

Trent Trelford, CEO of Covata, concurs, explaining that health insurers are only working to secure the networks the data resides on and travels over, not encrypting the data itself.

"For many of these companies, data security has been an afterthought or something they did not deem necessary," Trelford says. "However, this breach again highlights how vulnerable the health care and insurance industries are to attacks. People are entrusting these organizations with their personal information and it is the responsibility of corporations to take appropriate steps to ensure it is protected - this must include data encryption." 

Whoever and whatever's to blame, it isn't just healthcare companies and customers that should be concerned, says Adam Meyer, chief security strategist at SurfWatch Labs.

"I expect the healthcare industry to see increased attacks, which in turn increases risk across all industries as employees with plans provided by the impacted insurers are consistently targets of secondary attacks and victims of fraud," says Meyer. "All organizations should review their healthcare industry exposure and assess the impact as a supply chain risk that has a direct impact to the workforce.”
