Dark Reading is part of the Informa Tech Division of Informa PLC


Endpoint

1/8/2019 12:40 PM

Humana Breaches Reflect Chronic Credential Theft in Healthcare

A series of 2018 cybersecurity incidents shows credential stuffing is a trend to watch among healthcare organizations.

On Oct. 25, 2018, Bankers Life informed Humana of "unusual activity" affecting its systems. This was among the last breaches Humana disclosed in 2018 but far from the first.

Bankers Life, which does business with the health insurance company, first noticed suspicious activity on Aug. 7, 2018. An investigation with an external forensics firm revealed that an unknown, unauthorized actor had obtained system credentials belonging to Bankers Life employees and used them to access websites where people log in to apply for Humana healthcare policies, the company recently disclosed.

Investigators found the breach affected consumer insurance applications and the data within them, including birthdates, addresses, the last four digits of Social Security numbers, and insurance-related data (policy or application numbers and the type and cost of coverage, for example). The intruder had access to the data from May 30 through Sept. 13, officials report.

"What is alarming are the timelines of the attack, which show that the attack ran from May through to September," says Garrett O'Hara, principal consultant at Mimecast. "This is not unusual, but does raise questions around what activity was happening in the background."

This incident did not compromise full Social Security numbers, banking or credit card data, or any information about individuals' health or medical care, Humana explained in its breach disclosure. Bankers Life is offering a year of free identity repair and credit monitoring services, and "took steps to further restrict and monitor access to its systems and enhance additional security procedures, including additional training for certain employees," the company said.

"Based on the current reporting, this breach appears to be pretty typical," says Matthew Gardiner, security strategist at Mimecast. "In many cases, the attacker doesn't even know what they are going to do with the stolen data until they steal and evaluate it." It's common, he adds, for cybercriminals to steal data first and only then look for a secondary black market to sell it into.

Credential Compromise is Chronic 

Credential-harvesting attacks have become one of the most prevalent attack types not only in healthcare, but for all organizations, says Gardiner. However, because of legal requirements to report breaches, public disclosures come disproportionately from healthcare firms. The rise in online applications, combined with single-factor authentication, makes credential theft "a natural stepping stone for cybercriminals" and drives these types of cyberattacks, he adds.

The Bankers Life incident wasn't Humana's first credential-related incident of 2018. This summer brought a phishing attack on Family Physicians Group (FPG), a firm Humana acquired in April and one of the largest healthcare providers for Medicare and Medicaid patients in Central Florida, as per HIPAA Journal, which says FPG has 22 clinics in the area.

Similar to the Bankers Life incident, this one involved compromised credentials. Investigators analyzing the FPG attack learned an intruder broke into an employee's email account using credentials the employee had surrendered in response to a phishing message. The actor(s) broke into the account on Aug. 7, 2018, and retained access to it until Aug. 21.

In total, the FPG attack exposed the data of 8,400 patients. Affected information did not include financial data or Social Security numbers. It did include names, birthdates, physicians' names, and health insurance information. FPG so far has no indication the data was abused but had employees change their passwords and took steps to protect email accounts from phishing.

Humana also notified members of a credential-stuffing incident in early July following an attack on Humana.com and Go365.com. In early June, the company detected a "significant increase" in secure login errors after several attempts to log into both Humana and Go365 from foreign countries. Its security operations team blocked the intruding IP addresses on June 4, 2018.

The volume of attempts indicated a "large and broad-based automated attack," reported Jim Theiss, Humana's chief privacy officer, in a letter dated June 21. The attacker apparently held a large list of user IDs and passwords and was testing which combinations were valid on Humana's sites. The high failure rate indicated the ID/password combinations had not been taken from Humana's own systems; they came from elsewhere and were being replayed in the hope that members had reused them.
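The pattern Humana's team reacted to, a spike in login failures from a few sources each trying many different user IDs, is what a credential-stuffing detector keys on. The following is an added example, not code from the article, Humana, or Bankers Life: it parses a constructed web-login log (the IPs, usernames and the line format are assumptions; RFC 5737 documentation addresses are used), aggregates per source IP, and flags sources whose attempts are spread across many distinct usernames with a high failure rate. It also reports two things an incident responder wants from such a run: which of the attempted usernames do not exist locally (a high share means the list was harvested elsewhere, the point made above) and which accounts the attacker logged into successfully, since those are the reused passwords that need a forced reset. The thresholds are illustrative defaults, not Humana's.

```python
"""Credential-stuffing triage over web-login logs (added example, not the page's code)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: "<timestamp> <source_ip> <country> <username> <OK|FAIL>".
# Source 203.0.113.10 sprays ten different usernames in six seconds and lands one hit.
SAMPLE_LOG = """\
2018-06-03T22:00:01Z 203.0.113.10 XX alice@example.com FAIL
2018-06-03T22:00:02Z 203.0.113.10 XX bob@example.com FAIL
2018-06-03T22:00:02Z 203.0.113.10 XX carol@example.com FAIL
2018-06-03T22:00:03Z 203.0.113.10 XX dave@example.com OK
2018-06-03T22:00:03Z 203.0.113.10 XX erin@example.com FAIL
2018-06-03T22:00:04Z 203.0.113.10 XX frank@example.com FAIL
2018-06-03T22:00:04Z 203.0.113.10 XX grace@example.com FAIL
2018-06-03T22:00:05Z 203.0.113.10 XX heidi@example.com FAIL
2018-06-03T22:00:05Z 203.0.113.10 XX ivan@example.com FAIL
2018-06-03T22:00:06Z 203.0.113.10 XX judy@example.com FAIL
2018-06-03T22:01:10Z 198.51.100.7 US alice@example.com FAIL
2018-06-03T22:01:25Z 198.51.100.7 US alice@example.com OK
2018-06-03T22:02:00Z 192.0.2.44 US mallory@example.com OK
"""

# Constructed local user directory; in practice this comes from the identity store.
KNOWN_USERS = {"alice@example.com", "bob@example.com", "dave@example.com",
               "erin@example.com", "mallory@example.com"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (OK|FAIL)$")


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    unknown_users: set = field(default_factory=set)
    successes: list = field(default_factory=list)  # usernames the source logged into


def parse_log(text):
    """Yield (ip, user, ok) tuples; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _ts, ip, _country, user, result = m.groups()
            events.append((ip, user, result == "OK"))
    return events


def aggregate(events, known_users):
    """Roll login events up per source IP."""
    stats = defaultdict(SourceStats)
    for ip, user, ok in events:
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.successes.append(user)
        else:
            s.failures += 1
        if user.lower() not in known_users:
            s.unknown_users.add(user)
    return stats


def flag_stuffing(stats, min_attempts=8, min_distinct_ratio=0.8, min_fail_rate=0.7):
    """A stuffing source tries many *different* users and mostly fails.

    A brute-force source would show the opposite shape (one user, many attempts),
    so distinct_ratio separates the two. Thresholds are illustrative assumptions.
    """
    flagged = {}
    for ip, s in stats.items():
        if s.attempts < min_attempts:
            continue
        distinct_ratio = len(s.users) / s.attempts
        fail_rate = s.failures / s.attempts
        if distinct_ratio >= min_distinct_ratio and fail_rate >= min_fail_rate:
            flagged[ip] = {
                "attempts": s.attempts,
                "fail_rate": fail_rate,
                # share of tried usernames that do not exist here: high means the
                # list was harvested from somewhere else, not from this site
                "unknown_user_ratio": len(s.unknown_users) / len(s.users),
                # reused passwords the attacker validated; force-reset these first
                "compromised_accounts": sorted(s.successes),
            }
    return flagged


def analyze(log_text, known_users=KNOWN_USERS):
    return flag_stuffing(aggregate(parse_log(log_text), known_users))


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(f"block {ip}: {info}")
```

Blocking the flagged IPs, as Humana's team did, stops the current run; the `compromised_accounts` list is the part that addresses the root cause, because the attacker already knows those passwords work and will try them again from a different address.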

What to Do About It

Dr. Asem Othman, team lead for biometric science at Veridium, says health credentials are worth more than other credentials on the Dark Web. The Bankers Life/Humana breach demonstrates how privileged access management, like database access, needs to be carefully managed with stronger authentication requirements and approval from administrators and/or supervisors.

Biometric authentication is making its mark in healthcare, says Dr. Othman. For example, patients seek touchless biometrics like FaceID and fingerprint logins. In some operating rooms, periocular (a scan of the eye area) and voice can both prove useful. "Replacing passwords with biometrics will ensure secure yet convenient access to health and insurance records, and provide true identity authentication, preventing leaks of PII as seen in the Bankers Life breach."

While investment in technology for protection is crucial, says O'Hara, people will continue to be weak points in security as both sophisticated and simple social engineering attacks give attackers access to credentials. The value of healthcare data, combined with "traditionally limited budgets" for healthcare's IT and security teams, increases the appeal to attackers.

"The huge downward pressure to do more with less will see legacy medical systems, often out-of-date and unpatched, being used as a stepping stone into more lucrative systems," he adds.

Because of this, he strongly advises end-user education programs to help employees both understand cybersecurity and become invested in protecting the company they work for. Regular and relevant education, while difficult, can help get through to employees.

Humana did not respond to a request for comment on this article.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
REISEN1955, User Rank: Ninja, 1/9/2019 7:04:10 AM
User Education
And include C-SUITE EDUCATION too - management has to understand the significance. Generally does not. Users are the front line of infections - one lady brought down North Carolina through an infected attachment. But management has to give this subject the respect and budget it deserves. Why? Equifax. Case closed.