CareFirst BlueCross BlueShield stepped forward on Wednesday to disclose yet another major breach of a health care insurer, this one affecting 1.1 million people.
Hackers accessed a database to steal the names, user names, birth dates, email addresses and subscriber ID numbers of about 1.1 million current and former CareFirst customers and business partners.
The company said that no passwords were taken because those are encrypted and stored in a separate system, and that no Social Security numbers, medical claims or credit cards appeared to be compromised.
But Richard Blech, CEO of encryption company Secure Channels, was critical of CareFirst, saying the company trivialized what was hacked in the data breach.
“The data stolen is enough to ruin someone’s life,” Blech says. “Trying to mitigate the damage should not be the goal. Heath insurance firms cannot ignore the responsibility to protect their customers.”
Dave Frymier, chief information security officer at Unisys, concurs. “Breaches like this can literally create life-or-death issues for consumers,” Frymier says. “If stolen health records are used to obtain care by a criminal, fraudulently purchased medical procedures are listed on the records of people who did not have the procedures. That can create critical medical issues in the future. Organizations seem to only invest in cybersecurity after they are attacked. Few seem willing to invest to prevent the attacks in the first place.”
Baltimore-based CareFirst is the third health care insurer to disclose a major data breach this year, following Anthem, which had the records of 80 million people compromised, and Premera Blue Cross, which saw data for 11 million people exposed.
Why is the healthcare industry being targeted by data thieves? The basic explanation is two-fold: The type of data that health care organizations amass – ranging from research work to patient records – has high value in the cyber underground; and the industry currently exhibits uniformly poor security policies and practices.
“Healthcare companies are prime targets for hackers,” says Greg Kazmierczak, CTO of data security vendor Wave Systems. “Not only should the database have been encrypted, but access to the database should have been protected by two-factor authentication. Without strong encryption and access management, expect medical fraud and identity theft to run unchecked.”
The question of the moment: How many more major data breaches will have to be disclosed before healthcare organizations move assertively to shore up security?
“It’s time for the healthcare entities to shift gears to modern data-security defenses and join their peers in other industries who’ve already learned how to mitigate these threats,” says Mark Bower, global product management director at HP Security Voltage.
The data breach was discovered after CareFirst retained forensics firm Mandiant to audit its security systems. Mandiant found evidence of access to a single database containing data originating from CareFirst’s websites and online services. Anyone who created profiles on the insurer’s website before June 20, 2014, was affected.
Other healthcare organizations are likely to conduct similar audits. Security experts predict that disclosure of other major hacks will be forthcoming, for some time to come.
“The medical industry as a whole has to up its game in security maturity, especially basics like patching, security controls and incident detection,” says Gavin Reid, vice president of threat intelligence at network security firm Lancope.
Ken Westin, senior security analyst at Tripwire, adds: “In general, healthcare organizations are not prepared for the level of sophistication associated with the attacks that are coming at them. As we saw with the recent tidal wave of retail breaches, attackers often take advantage of vulnerabilities that are endemic within an industry.”
In the meantime, the burden rests with the individual consumer to limit dissemination of personal data in the health care field.
“Share only with trusted providers that have a need to know,” Lancope’s Reid advises. “Be vigilant if you ever come across a medical bill in your name that covers services you didn’t receive – even if there is no associated bill or charge.”
Meanwhile, healthcare organizations need to embrace a security mindset from the board room to the patient room. Until that happens, data thieves will continue to plunder their employee, patient and partner data.
“Ongoing assessments and tests are critical to identifying areas of vulnerability before sensitive data is at risk, especially since many breaches aren’t obvious to the organization,” says Jay Schulman, managing principal at Cigital. ‘It’s not only about building effective software that adhere to compliance standards, but healthcare organizations also need to build security in so that applications and software can tell you when something is going wrong.”