Healthcare Breaches Like Premera First Stage Of Bigger Attacks?

With three new healthcare breaches announced this week, but no reported misuse of stolen data, what plans might attackers have for the identity records they pilfered from CHS, Anthem, Premera and others?

By Sara Peters and Ericka Chickowski -- This week brought news of three more healthcare data breaches, one of which left the personal data of 11 million individuals exposed. The incidents raise more questions about why China-based cyberespionage groups have taken a shine to American healthcare data and what plans they have for it. While shining harsh light on the deep cracks in the healthcare industry's security, the recent events also highlight the potential success of information sharing.   

Since a China-based advanced persistent threat group breached Community Health Systems (CHS) in April 2014, healthcare and medical insurance providers have been barraged by major data breaches, apparently at the hands of Chinese cyberespionage groups or other highly sophisticated criminal actors capable of creating custom malware. The largest event, of course, was that at insurer Anthem Healthcare, which exposed 80 million individuals' records. 

Tuesday, medical insurance providers LifeWise and Premera Blue Cross each separately reported that they were the latest targets of sophisticated cyberattacks, which began May 5, 2014. Premera had 11 million customers potentially exposed; LifeWise, 250,000. Also this week, in addition to the insurers, a healthcare provider -- Advantage Dental, which runs dental clinics in the Pacific Northwest -- notified 150,000 patients Monday that their personal information, excluding payment or clinical data, was breached.

"As a result of this news, it seems that all insurance providers need to be taking a closer look at their networks for possible intrusion patterns that match those of Premera Blue Cross and Anthem, then take necessary action," says Philip Casesa, director of IT/service operations for (ISC)2.

The Premera and LifeWise news is already being pegged by some security experts as potentially part of a broader campaign against insurers that could go back as far as 2013.

A report published by the firm ThreatConnect in late February warned that Premera was potentially the target of an Anthem-like attack that used malware "strongly believed to be associated with Chinese APT activity and in fact may have also been involved in a Blue Cross Blue Shield targeting campaign as early as December 2013." It was associated with "," a fake domain meant to resemble Premera's. This technique is similar to the attack against Anthem -- known as Wellpoint prior to a late 2014 rebrand -- in which a phony domain, "," was used.

Mandiant is conducting the forensic investigations for the Premera, LifeWise, Anthem, and CHS breaches. Thus far it has revealed attribution only for the CHS event, which it credited to an APT group that had "typically sought valuable intellectual property, such as medical device and equipment development data."

So why change tactics? They could simply be trying to raise funds, or the attribution could be incorrect.

David B. Amsler, president and CIO of Foreground Security, has another theory. Foreground is a provider of SOC-level oversight and strategic counsel services to government and healthcare, including HHS.

"This is a clear sign of a larger, major campaign by select, sophisticated groups to gather significant information for use in a second phase of attacks," says Amsler, "most likely on critical infrastructure -- government and defense systems, financial services, and power companies and utilities."

How exactly could PII be employed for a critical infrastructure attack? George Baker, director of professional services for Foreground says, “It’s all about the people. Social engineering is the best way into an organization, and the key is getting the right person to click on an email spear phishing link or attachment. Aside from monetizing stolen identity data, a sophisticated adversary who is targeting critical infrastructure can make their attacks more effective if they have information on the people who play key roles in the organization. Unfortunately, when healthcare systems are involved, that can involve other sensitive information about individuals and their families.” 

So far none of the breached organizations have detected fraudulent use of the compromised data, but it could eventually be sold and used for medical identity theft. According to recent research, medical ID theft increased by over 20 percent in 2014. The proportion of incidents committed by individuals known to or close to the victim remains high, which is typical of that type of crime.

The data stolen from these health insurers could also be used for purposes that have nothing to do with healthcare at all.

"Such information sells for 10 times the cost of stolen debit and credit card information," says Steve Grobman, chief technology officer of Intel Security, "given that the latter is more perishable. Personal information contained by healthcare organizations isn’t likely to change, whereas stolen card numbers are canceled soon after the theft is discovered. This shift in criminal focus has particular implications for healthcare. Security in a healthcare device is critical regardless of whether it is a networked nurses’ tablet, embedded medical device, or patients’ wearable.”

Anthem Connection?

Premera and LifeWise both say they discovered their breaches Jan. 29, the same day Anthem confirmed its own intrusion. It's possible the companies discovered their breaches thanks to Anthem sharing its indicators of compromise (IOCs) with others in the healthcare community.

There may be a connection between the attacks -- a reasonable assumption if the indicators of compromise turn out to be the same, which had not been confirmed as of press time -- but the Premera and LifeWise attacks did not occur as a result of the Anthem breach. If anything, it's the other way around: Mandiant's investigations show that the Anthem attackers first intruded in December 2014, while both Premera and LifeWise report that their first intrusions occurred several months earlier, in May.

According to Casesa, the most troubling part of the compromise is the amount of time attackers had access to systems. Other experts believe that Premera and Anthem are emblematic of healthcare's inability to focus on protecting what matters.

"Today's Premera breach news once again demonstrates the failure of flawed, outdated assumptions: over-reliance on 'guard the door' entry point security and simplistic single-key encryption schemes is a quaint and dangerous approach to a 21st century problem," says Richard Blech, CEO of SecureChannels, explaining that while there may be no perpetually sustainable way to prevent intrusions, healthcare organizations must do better at securing the data those intruders seek. "Data with the highest levels of encryption possible will render said stolen data completely useless to the thief."

Trent Trelford, CEO of Covata, concurs, explaining that health insurers are only working to secure the networks that data resides on and travels over, rather than encrypting the data itself.

"For many of these companies, data security has been an afterthought or something they did not deem necessary," Trelford says. "However, this breach again highlights how vulnerable the health care and insurance industries are to attacks. People are entrusting these organizations with their personal information and it is the responsibility of corporations to take appropriate steps to ensure it is protected - this must include data encryption." 

Whoever and whatever's to blame, it isn't just healthcare companies and customers that should be concerned, says Adam Meyer, chief security strategist at SurfWatch Labs.

"I expect the healthcare industry to see increased attacks, which in turn increases risk across all industries as employees with plans provided by the impacted insurers are consistently targets of secondary attacks and victims of fraud," says Meyer. "All organizations should review their healthcare industry exposure and assess the impact as a supply chain risk that has a direct impact to the workforce."
