Beyond compliance: HIPAA after Anthem

On the HIPAA side of the equation, you may be smiling as the second round of audits didn’t materialize in the fall as threatened. That smile may have widened when, in mid-January, the Director of the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) told the media that the new protocol for conducting the audits has yet to be created. And you could almost hear the healthcare sector sigh with relief when it heard that a timeline for resuming enforcement has not yet been set. But then this happened: “Health insurer Anthem hit by massive data breach” (AP) and “Anthem Insurance Cyberattack Has Possible Ties To China”(Reuters).

Unfortunately, data breach headlines have grown so big and so frequent – Target, Home Depot, JPMorgan Chase, Sony Pictures – that some of us in IT security now suffer from “breach fatigue.” This condition can cause one to overlook the significance of new breaches; however, breach fatigue cannot obscure the reality that the Anthem hack really is a big deal. Healthcare IT will now come under more scrutiny, and quicker, than any OCR audit program could ever muster. The fact that medical records appear not to have been stolen won’t stem the tide of inquiries and investigations. Being HIPAA compliant will not shield Anthem from negative fallout as it’s a healthcare entity that leaked enough personally identifiable information to commit a large amount of medical identity fraud and other crimes.

Remember those experts who said that securing healthcare data is not about complying with HIPAA, it’s about implementing appropriate controls based on realistic risk assessment? They were right. These days, the risks assessed must include everything from devious insiders to motivated outsiders with extensive resources and easy access to specialized skills and services. Those risks materialized at Anthem, exposing data on as many as 80 million current and former customers and employees, data that included client names, dates of birth, physical and email addresses, medical IDs and Social Security numbers. Those are the facts, as we know them today. Other information has been offered up, such as “very sophisticated external cyberattack” and “a possible connection to China.”

But does it matter to Anthem, or the data subjects in this case, if the attack came from China or Florida? The lawsuits against Anthem will come thick and fast regardless of whether the stolen data is sold on the black market to identity scammers or mined by a foreign government to compromise targeted individuals. And calling the attack very sophisticated is not helpful, because it implies a lack of responsibility for letting the bad guys in. Remember the JPMorgan Chase breach? Characterized as sophisticated when first reported, it has been more recently attributed to a more mundane failure to implement two-factor authentication on a public-facing server.
CEOs who set a low bar for “sophisticated” help nobody, because here’s another Anthem fact, as reported by the Wall Street Journal: “A systems administrator noticed that a database query was being run using his identifier code although he hadn’t initiated it.” This is helpful, because it reminds us of the many ways in which data protected under HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH) can be compromised.

Yes, there are bad guys out there with a lot of skills and resources at their disposal, and you have to address that risk when planning and implementing your defense of protected health information, but it doesn’t take a nation state or cybercrime syndicate for the wrong person to get and use the right person’s credentials. That’s a function of basic controls not being calibrated to risk. Even encryption of the data is defeated if the wrong users have rights to run reports from an encrypted database to unencrypted PDF files and exfiltrate such files from the system.

Which brings us back to HIPAA audits. Eventually they’ll resume and OCR may get a budget boost to beef up the audit program, which may well focus on the realism and immediacy of risk assessments. The Anthem breach may not have leaked medical records, but it definitely shook up the numbers in several categories of risk to health data systems. The question to ask now: Has your organization adjusted its privacy and security policies and procedures accordingly?

Looking in the mirror regarding data breaches

Chris Bowen, Founder, Chief Privacy and Security Officer, ClearDATA
Healthcare providers and insurers are under increasing attack by cybercriminals. It’s time to admit that healthcare IT needs security reinforcements – and needs them quickly.

The Anthem breach reported in the media on Feb. 5 came on the heels of the Community Health breach. What’s disturbing is that these incidents both appear to be linked to sophisticated, targeted attacks by state-sponsored cybercriminals from China rather than the work of random hackers looking to cause a temporary disruption in service. They’re after data, and the way they’re going about it can take months to discover. That means that right now, at this very minute, data from another provider or insurer may be making its way out of the country, and we don’t know it.

Some report that this disturbing trend may be related to efforts by the Chinese to build a larger database of U.S. citizens for espionage purposes. Others claim that these attacks are driven by the fact that patient health information is more valuable than financial data. It may be both. What’s staggering is that the level of sophistication by the hackers, in many cases sponsored by China, Russia and other governments, continues to increase rapidly as the attacks themselves get stealthier.

Healthcare IT professionals are an essential component of healthcare delivery. They make sure that healthcare providers have the information necessary to care for patients. They are responsible for ensuring that mandated technology initiatives such as implementing electronic health records and transitioning to ICD-10 are completed successfully. That is a full-time job all by itself.

Health IT managers all over this country are at crossroads. In addition to their daily responsibilities, they must also have all the knowledge, training and experience to fend off state-sponsored cybercriminals. Even with experienced security professionals on staff, many organizations lack the tools, defensive systems, monitors, dashboards and manpower to really know what’s going on in their networks at any given moment. In many cases these really smart, hardworking professionals are outgunned.

It’s time for healthcare executives to look in the mirror and ask themselves if they and their teams can stand up to these constant threats or whether they need to call in reinforcements. One viable solution is to move their data (and the responsibility for protecting it) to the cloud. A cloud service provider, especially one with specific expertise in healthcare, will already have the expertise and redundant security systems in place to protect health data at a much higher level. They don’t have the responsibility of keeping the applications running for users, so they can focus on the data itself, making sure it is available to authorized users and protected from state-sponsored cybercriminals and others who want to steal it.

It’s also time for the U.S. government to take cybersecurity up a few notches and help private industry defend itself against state-sponsored attacks. It is difficult for any private enterprise, even the largest ones, to compete with the resources of a government-sponsored entity. By getting involved more directly, the U.S. government can take some of the pressure off healthcare organizations and help tip the balance back in our favor.

It’s time to hunker down, get to know your weaknesses and rapidly remediate.

Where do we go from here?

Rob Sadowski, Director, Technology Solutions, RSA
Custodians of healthcare data are under attack, and any organization that captures, stores or processes this critical, sensitive data faces increased risk.
How did we get here? Cyber crime requires both motive and opportunity. The motive in this case is fraud – illegitimate use of patient data can be used to fraudulently obtain care, goods or services, can facilitate identity theft and can be an invaluable ingredient for “social engineering” – convincing ruses that manipulate a victim into circumventing security controls. The opportunity should be readily apparent as there is more digital data (personal and medical) being created, stored and shared across the entire patient care ecosystem and lifecycle than ever before as the drive to streamline care and reimbursement moves online. The opportunity is increased by the healthcare sector’s lagging investment in sophisticated information security technologies used by other industries like financial services and retailers, who have found themselves under a steady barrage of attacks recently from determined cyber criminals.

So where do we go from here? History indicates that cyber criminals will continue to target vulnerable organizations until they encounter resistance. Custodians of healthcare data need to bolster their cyber defenses to deter and defend against these attacks effectively. The first step is to recognize that many old information security practices and doctrines aren’t nearly as effective as they used to be. The goal of an impenetrable perimeter locked down by tools that rely on simple static rules and signatures of past attacks is unachievable in today’s environment where so much of our valuable patient data is digital and flows freely across our systems and networks.

Instead, healthcare organizations need to adopt a more intelligence-driven security strategy. They need better visibility to gain a comprehensive picture of user behavior and the flow of sensitive data across their environment. They need smart analytics to spot the signals in the noise of user and network activity that indicate attacks. And they need a robust incident response capability to quickly deal with the inevitable attacks that are found before they  can turn into a full-blown breach. Advanced, agile technologies for identity management, network monitoring, and effective information governance and risk management all contribute to such a strategy and work in concert to protect the organization’s most critical information assets. Such a strategy empowers organizations to effectively address the challenges they can see today and those still beyond the horizon.

Mitigating the impacts

Philip Casesa, Director of IT/Service Operations, (ISC)2
The impact of an identity breach is potentially more dangerous and harmful than that of a credit card breach. Credit card breaches are quickly mitigated by issuing a new card and account number – a routine process for card-issuing banks. Even with massive credit card breaches, actual credit card fraud is low because banks are so adept at responding. Identity attacks, such as the one on Anthem, will likely have a longer-lasting and more devastating impact. The disclosure of Social Security numbers and other data points such as income, employment status and birth dates allows attackers to sell this information to other criminal operations. Other potential issues with identity breaches involve the ability of the hackers to commit massive fraud themselves by creating accounts with credit card companies or other financial institutions, causing the victim to cope with the fallout from such a violation for an extended period of time.

While Anthem will likely offer some protection services to their customers, potential victims shouldn’t wait. They may want to go ahead and activate credit freeze alerts, credit monitoring and gather supporting financial and personal documentation for future issues. These items are key for potential victims to protect themselves from a potential identity theft situation.

With Anthem being a massive health insurer, the risks to individuals affected can expand beyond the typical credit and financial impacts. If medical IDs were taken, medical identity theft becomes a real possibility. Medical identity theft could mean that someone impersonating a patient could file claims, receive prescriptions and rack up medical bills under his or her medical file. This misinformation, mixed with his or her accurate medical record, has the potential to corrupt a patient’s entire health history with erroneous information to complicate future medical treatment. While tools and protections exist for identity and credit theft, very little exists in the way of medical identity theft protection. Additionally, medical identity theft can go relatively undetected for years – a fraudulent prescription here, a doctor visit and diagnosis there, and a patient’s medical history is corrupted.

Combatting medical identity theft will require vigilance. Individuals need to be watchful for Explanation of Benefits (EOB) sent to them in the mail, ensuring that it reflects accurate health claim activity. They should also be on the lookout for unexplained medical bills or collection warnings from healthcare providers. Keep correspondence from healthcare providers. Health records can be cleaned up, but it is a slow and painful process of contacting doctors, requesting medical records and continuous follow up to fix. Heading off issues as soon as possible when these warning signs appear is the best way for a patient to protect themselves and minimize potential damage.

Recently, some articles have focused on the effectiveness of cybersecurity frameworks such as the Health Information Trust Alliance (HITRUST) and the National Institute of Standards and Technology (NIST) in regard to real-world effectiveness to prevent breaches such as Anthem’s. Frameworks are just a series of best practice guidelines for industries to apply. HITRUST takes NIST and applies it specifically to the needs of the healthcare sector.  As security professionals, we should applaud this type of proactive industry approach. It does raise the bar for the expected standard of due care for participating organizations. The problem is that even best practices are no guarantee of protection from a breach – they just reduce the likelihood. The complexities of information systems and the sophistication of attackers make any assurance of complete safety due to implementation of any particular security framework to be a foolish brag. One positive from this story is that Anthem discovered its own breach and seems to have followed appropriate incident response steps. In many cases, the companies are told about a breach by outsiders once the data is hitting the black market or already being exploited. This means that security is not a complete afterthought, and they do have the monitoring and response procedures in place to react – it just wasn’t enough to fully protect customer data in this case.

Security must become a priority

Benjamin Johnson, Chief Security Strategist, Bit9 + Carbon Black
Hospital systems and healthcare providers are becoming increasingly difficult to protect. Healthcare records command a premium price on the black market, and healthcare organizations are lagging behind with their defenses. It’s become a recipe for disaster for healthcare providers and their patients – and a lucrative proposition for hackers.

Unfortunately, as is the case in almost every industry, hackers are increasingly using sophisticated, targeted attacks that require a mature security posture – one that can prevent, detect and respond to attacks. Unfortunately, as we’ve seen with the major healthcare breaches over the past several months, these systems and processes are not in place. In fact, we’re seeing that many healthcare security systems are often past their security-patch cycle dates, which leaves them susceptible to even routine attacks. That’s not good, and it demonstrates a very immature security posture.

Another reality that’s making healthcare entities more difficult to defend is that security isn’t a first-class citizen at most organizations; it’s an afterthought. I’ve spoken to doctors and hospital administrators who say they “don’t have time to think about security” and who use extraordinarily lax passwords for convenience. With electronic records becoming the norm and those electronic records yielding a very high price on the black market (as much as $50 per record), that’s a recipe for disaster. Philosophically, many healthcare organizations just aren’t prioritizing information security, and they have an obligation to their patients to do so.

In 2014, credit card fraud was the No. 1 cyber security problem. Banks and financial institutions quickly played catch-up and are now instituting programs that constantly monitor and detect malicious activity. With an eye always on the security pulse of their organization, these banks are quickly alerted whenever something is amiss. We haven’t seen everyone come on board to that line of thinking yet, but it’s certainly happening. In healthcare, unfortunately, that line of thinking really doesn’t exist yet.

So, do the math: If you’re a hacker, a credit card will yield about $2 on the black market. A health record will yield $20 or more. Banks are becoming harder to target. Healthcare organizations are still lagging in the security game. The target is pretty clear. Healthcare is in the crosshairs.

Until healthcare organizations make security a first-class citizen, we will continue to see these headline-grabbing attacks.