
Healthcare Breaches Like Premera First Stage Of Bigger Attacks?

With three new healthcare breaches announced this week, but no reported misuse of stolen data, what plans might attackers have for the identity records they pilfered from CHS, Anthem, Premera and others?

By Sara Peters and Ericka Chickowski -- This week brought news of three more healthcare data breaches, one of which left the personal data of 11 million individuals exposed. The incidents raise more questions about why China-based cyberespionage groups have taken a shine to American healthcare data and what plans they have for it. While shining harsh light on the deep cracks in the healthcare industry's security, the recent events also highlight the potential success of information sharing.   

Since a China-based advanced persistent threat group breached Community Health Systems (CHS) in April 2014, healthcare and medical insurance providers have been barraged by major data breaches, apparently at the hands of Chinese cyberespionage groups or other highly sophisticated criminal actors capable of creating custom malware. The largest event, of course, was that at insurer Anthem Healthcare, which exposed 80 million individuals' records. 

Tuesday, medical insurance providers LifeWise and Premera Blue Cross each separately reported that they were the latest to be the target of sophisticated cyberattacks, which initiated May 5, 2014. Premera had 11 million customers potentially exposed; LifeWise 250,000. Also this week, in addition to the insurers, a healthcare provider -- Advantage Dental, which runs dental clinics in the Pacific Northwest -- notified 150,000 patients Monday that their personal information, excluding payment or clinical data, was breached.

"As a result of this news, it seems that all insurance providers need to be taking a closer look at their networks for possible intrusion patterns that match those of Premera Blue Cross and Anthem, then take necessary action," says Philip Casesa, director of IT/service operations for (ISC)2.

The Premera and LifeWise news is already being pegged by some security experts as potentially part of a broader campaign against insurers that could go back as far as 2013.

A report published by the firm ThreatConnect in late February warned that Premera was potentially the target of an Anthem-like attack that used malware "strongly believed to be associated with Chinese APT activity and in fact may have also been involved in a Blue Cross Blue Shield targeting campaign as early as December 2013." It was associated with "prennera.com," a fake domain meant to resemble Premera's. This technique is similar to the attack against Anthem -- formerly known as Wellpoint prior to a late 2014 rebrand -- in which a phony domain, "we11point.com," was used.
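The lookalike domains above ("prennera.com" for premera.com, "we11point.com" for wellpoint.com) are the kind of thing a defender can hunt for in DNS or proxy logs. The following is an added example, not code from the article or from any of the organizations it names: it folds confusable character sequences onto the letters they mimic, then flags queried names that collapse onto (or sit one edit away from) a protected domain. The log format and the sample lines are constructed for illustration.

```python
import re
# Confusable sequences folded onto the letters they mimic. The lookalikes quoted in the
# article motivate the first entries: "prennera.com" swaps "nn" for "m", "we11point.com" "11" for "ll".
CONFUSABLES = [("rn", "m"), ("nn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("5", "s")]

def skeleton(domain):
    """Lower-case a domain and fold confusables so a lookalike collapses onto the real name."""
    s = domain.lower().rstrip(".")
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s

def edit_distance(a, b):
    """Levenshtein distance, so one-character typos such as a doubled letter are caught too."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain, protected):
    """Return the protected domain that `domain` imitates, or None (an exact match is not a lookalike)."""
    d = domain.lower().rstrip(".")
    if d in protected:
        return None
    for p in protected:
        if edit_distance(skeleton(d), skeleton(p)) <= 1:
            return p
    return None

# Constructed sample DNS query log in a hypothetical "<time> client <ip> query: <name>" format.
SAMPLE_LOG = [
    "2015-03-18T10:01:02 client 10.0.0.5 query: premera.com",
    "2015-03-18T10:01:07 client 10.0.0.9 query: prennera.com",
    "2015-03-18T10:02:11 client 10.0.0.9 query: we11point.com",
    "2015-03-18T10:02:30 client 10.0.0.4 query: example.org",
    "2015-03-18T10:03:45 client 10.0.0.7 query: premerra.com",
]
PROTECTED = ["premera.com", "wellpoint.com", "anthem.com"]
def scan_log(lines, protected):
    """Return (line_no, queried_name, imitated_domain) for every logged query that is a lookalike."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"query:\s*([A-Za-z0-9.-]+)", line)
        target = lookalike_of(m.group(1), protected) if m else None
        if target:
            hits.append((n, m.group(1), target))
    return hits
```

Exact queries for a protected domain are ignored; only names that imitate one are reported, so the output can feed an alert or a blocklist review.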

Mandiant is conducting the forensic investigations for the Premera, LifeWise, Anthem, and CHS breaches. They've thus far only revealed any attribution for the CHS event, which has been credited to an APT group they said had "typically sought valuable intellectual property, such as medical device and equipment development data."

So why change tactics? They could simply be trying to raise funds, or the attribution could be incorrect.

David B. Amsler, president and CIO of Foreground Security, has another theory. Foreground is a provider of SOC-level oversight and strategic counsel services to government and healthcare, including HHS.

"This is a clear sign of a larger, major campaign by select, sophisticated groups to gather significant information for use in a second phase of attacks," says Amsler, "most likely on critical infrastructure -- government and defense systems, financial services, and power companies and utilities."

How exactly could PII be employed for a critical infrastructure attack? George Baker, director of professional services for Foreground, says, "It's all about the people. Social engineering is the best way into an organization, and the key is getting the right person to click on an email spear phishing link or attachment. Aside from monetizing stolen identity data, a sophisticated adversary who is targeting critical infrastructure can make their attacks more effective if they have information on the people who play key roles in the organization. Unfortunately, when healthcare systems are involved, that can involve other sensitive information about individuals and their families."

So far none of the breached organizations have detected fraudulent use of the compromised data, but it could eventually be sold and used for medical identity theft. According to recent research, medical ID theft increased by over 20 percent in 2014, although the proportion of incidents committed by individuals known to or close to the victim remains high, which is typical of that type of crime.

The data stolen from these health insurers could also be used for purposes that have nothing to do with healthcare at all.

"Such information sells for 10 times the cost of stolen debit and credit card information," says Steve Grobman, chief technology officer of Intel Security, "given that the latter is more perishable. Personal information contained by healthcare organizations isn't likely to change, whereas stolen card numbers are canceled soon after the theft is discovered. This shift in criminal focus has particular implications for healthcare. Security in a healthcare device is critical regardless of whether it is a networked nurses' tablet, embedded medical device, or patients' wearable."

Anthem Connection?

Premera and LifeWise both say they discovered their breaches Jan. 29, the same day Anthem confirmed its own intrusion. It's possible the companies discovered their breaches thanks to Anthem sharing its indicators of compromise (IOCs) with others in the healthcare community.

While there may be a connection between the attacks -- a likely assumption if the indicators of compromise turn out to be the same, which had not been confirmed as of press time -- the Premera and LifeWise attacks did not occur as a result of Anthem's. If anything, it's the other way around: Mandiant's investigations show that the Anthem attackers first intruded during December 2014. Both Premera and LifeWise report that their first intrusions occurred several months earlier, in May.

According to Casesa, the most troubling part of the compromise is the amount of time attackers had access to systems. Other experts believe that Premera and Anthem are emblematic of healthcare's inability to focus on protecting what matters.

"Today's Premera breach news once again demonstrates the failure of flawed, outdated assumptions: over-reliance on 'guard the door' entry point security and simplistic single-key encryption schemes is a quaint and dangerous approach to a 21st century problem," says Richard Blech, CEO of SecureChannels, explaining that while there may be no perpetually sustainable way to prevent intrusions, healthcare organizations must do better at securing the data those intruders seek. "Data with the highest levels of encryption possible will render said stolen data completely useless to the thief."

Trent Trelford, CEO of Covata, concurs, explaining that health insurers are only working to secure the networks that data resides on and travels over, and are not encrypting the data itself.

"For many of these companies, data security has been an afterthought or something they did not deem necessary," Trelford says. "However, this breach again highlights how vulnerable the health care and insurance industries are to attacks. People are entrusting these organizations with their personal information and it is the responsibility of corporations to take appropriate steps to ensure it is protected - this must include data encryption." 

Whoever and whatever's to blame, it isn't just healthcare companies and customers that should be concerned, says Adam Meyer, chief security strategist at SurfWatch Labs.

"I expect the healthcare industry to see increased attacks, which in turn increases risk across all industries as employees with plans provided by the impacted insurers are consistently targets of secondary attacks and victims of fraud," says Meyer. "All organizations should review their healthcare industry exposure and assess the impact as a supply chain risk that has a direct impact to the workforce."
