Reasons Why Healthcare Won't Get Well Soon
With the recent breach of Anthem, the focus on information security, particularly in the healthcare sector, is higher than ever. SecureState has worked with a variety of healthcare companies, including hospitals and insurance providers, and we can answer some of the important questions about healthcare information security that have arisen as people learn more about this incident.
How Good Is Healthcare Information Security?
While Anthem has yet to discuss the specific details of the attack, SecureState has worked with many healthcare companies, and we have identified some common areas where security needs to be improved. Many companies are already working on these areas, but as an industry, healthcare is falling behind many others. The biggest problems we have seen are the domains where information security controls are simply lacking, although it should be noted that many companies are making a continuous effort to improve their overall controls. An information security control is any action a company takes to proactively assess, manage, and mitigate information security risks. When we work with companies to assess their level of risk, we examine the controls in place across fifteen domains and rate the maturity of the processes in each domain using the Carnegie Mellon Capability Maturity Model Integration (CMMI). Examples of these domains include network security (is the company's network built and maintained in a secure manner?) and personnel security (are the company's employees trained to spot potential security problems and to stop or report them?). We look at the risks each company is facing and assess the controls it has in place to manage or mitigate those risks. In our experience, there are three areas where healthcare companies have persistent problems.
Risk Control Issue 1: Asset and Data Classification
One of the biggest weaknesses we see is in the classification of data and assets. Healthcare companies have vast amounts of sensitive data stored on a variety of machines, but they often aren't aware of which data is sensitive, where it is stored, or what level of protection the data and the machines holding it actually have. If a company doesn't know this, how can it possibly hope to protect that information? Given the variety of data that has already been disclosed as part of the breach, it's not hard to imagine this is a problem for Anthem. While customers' names are not a particularly sensitive piece of data, their Social Security numbers, addresses, and employment information are all sensitive, to varying degrees, and warrant stronger handling. With all of this data compromised at once, one of two things is likely. Either all of the information was being handled at the same level of security (which was subsequently breached), or Anthem did not know what data was stored where, and the attackers found it first. In either case, proper asset and data classification is the first step to addressing the issue.
Risk Control Issue 2: Security Awareness
People are notoriously the weakest link in any information security system. By accidentally opening malicious email attachments or clicking on unsafe links, employees often unknowingly let attackers into their companies. New variations of these attacks are constantly being developed, and we often find that the employees of healthcare companies have not been trained to recognize them. While healthcare professionals are routinely trained on compliance standards (most commonly HIPAA), compliance training is not the same as security awareness training, and the gap leaves these companies all the more susceptible to attack. All it takes is one employee opening the wrong file, and an entire company can be breached.
Risk Control Issue 3: Incident Response
The final area where we have seen significant gaps at healthcare companies is incident response. While many companies focus on preventing breaches, there is often a critical lack of planning for what to do once a breach has begun. Incident response plans are built to detect attacks as early as possible, stop the attacks in progress, and then recover from the attack as quickly as possible so that normal business operations can resume. When companies don't have these plans in place, with regular testing and refinement, they are all but ensuring that any breach will be a near-catastrophic event. Anthem has, at least publicly, done an excellent job so far with its incident response, especially compared to other recent breaches such as Target and Sony. It went public within about a week of discovering the breach, involved law enforcement as soon as possible, and has been as open with its customers as it can about the incident. This brings in extra investigative resources while also showing that the company is acting to resolve the issue quickly, protect its customers, and improve its security. Compared to Sony, which was never very forthcoming with information about its breach, Anthem is doing an admirable job in this area, and more companies could learn from how it is handling the incident.
What Should My Company Do To Protect Ourselves?
If you are part of a company in the healthcare industry, you are most likely looking at the Anthem breach and wanting to prevent the same thing from happening to you. While nothing can protect you 100% of the time, you want to reduce the odds of such an attack succeeding at your company as much as possible. Based on the commonly observed areas of control weakness described above, here are some steps to get you started.
1. Review your data and assets.
Begin by reviewing all of your data and assets. What is the most sensitive data you have? Where is it stored? What security measures are in place around it? Getting an accurate picture of your current classification efforts, and then working to improve them, is the first step in securing your company.
2. Train your people on security awareness.
These kinds of incidents highlight the need for everyone at a company to be vigilant and knowledgeable about basic security efforts. Consider setting up a security awareness training session in the near future, or at the very least sending out some information on what people should be looking out for.
3. Assess your current incident response program.
Many companies already have an incident response program or plan, but often it has never been tested or refined, and if a breach occurs, nobody knows how well it will function. Incident response procedures need to be built around detecting problems as soon as possible, responding to them, and getting the company recovered as fast as possible. IR programs can use the NIST Cybersecurity Framework as a guideline to begin development (NIST Special Publication 800-61, the Computer Security Incident Handling Guide, covers the incident-handling lifecycle in more detail), and should be refined from there as needed.
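Step 1 above is the one that lends itself to tooling. Before you can classify data you have to find it, and a first pass is usually a discovery scan that looks for well-defined identifiers (Social Security numbers, payment card numbers, dates of birth) across file shares and exports, then assigns each location a handling tier based on what turned up. The script below is an added example written for this post; it is not SecureState's tooling or anything Anthem uses. The file paths and their contents are constructed and entirely fictional, the SSN range rules are the Social Security Administration's publicly documented never-issued ranges, and the Luhn check is the standard card-number checksum. The tier names ("restricted", "confidential", "internal") are an assumed scheme; substitute your own classification levels.

```python
"""Sensitive-data discovery scan (added example).

Finds SSN-, card- and DOB-shaped identifiers in a set of files, validates
them to cut down on false positives, and assigns each file a handling tier.
The sample files below are constructed and fictional.
"""
import re

# Constructed sample "files" (path -> contents).  Every identifier is fake.
SAMPLE_FILES = {
    "claims/2014/export.csv": "member,ssn,dob\nJ. Doe,123-45-6789,1970-03-14\n",
    "hr/payroll.txt": "Employee 4451 direct deposit set up; SSN 321-65-4320; salary 54,000",
    "billing/cards.log": "charge 4111 1111 1111 1111 approved; charge 4111111111111112 declined",
    "marketing/newsletter.txt": "Welcome to our spring wellness newsletter! Call 555-0100.",
    "it/build.log": "ticket 12345-6789 closed; placeholder id 000-12-3456 ignored",
}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
DOB_RE = re.compile(r"\b(?:19|20)\d{2}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])\b")


def is_valid_ssn(area, group, serial):
    """Reject ranges the SSA never issues (area 000, 666, 900-999; group 00;
    serial 0000) so ticket numbers and placeholders are not counted as SSNs."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def luhn_ok(digits):
    """Standard Luhn checksum; weeds out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_identifiers(text):
    """Return counts of validated SSNs, card numbers and birth dates in text."""
    found = {"ssn": 0, "card": 0, "dob": 0}
    for m in SSN_RE.finditer(text):
        if is_valid_ssn(*m.groups()):
            found["ssn"] += 1
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found["card"] += 1
    found["dob"] = len(DOB_RE.findall(text))
    return found


def classify(found):
    """Assumed tier scheme: anything usable for identity theft or card fraud
    is restricted; other personal data is confidential; the rest is internal."""
    if found["ssn"] or found["card"]:
        return "restricted"
    if found["dob"]:
        return "confidential"
    return "internal"


def inventory(files):
    """Map each path to (tier, identifier counts) so the result can feed an
    asset register or a DLP policy."""
    result = {}
    for path, text in files.items():
        found = find_identifiers(text)
        result[path] = (classify(found), found)
    return result


if __name__ == "__main__":
    for path, (tier, found) in sorted(inventory(SAMPLE_FILES).items()):
        print(f"{tier:12} {path:28} {found}")
```

Two design points carry over to a real scan. First, validation matters more than the regex: the placeholder 000-12-3456 and the ticket number 12345-6789 in the constructed build log are correctly ignored, and the second card number in the billing log is dropped because it fails Luhn, which is the difference between an inventory people trust and one they stop reading. Second, the output is a per-location tier, not just a list of hits, because the question from step 1 is "where is the sensitive data and how is it protected", and the tier is what you compare against the controls actually in place on that share or server.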
Why Is the Healthcare Industry a Target?
When companies are breached, people often don't even think to question why. When a retailer is breached, people assume the goal is to steal credit cards for future fraud. However, Anthem has made it very clear that no credit card information was taken in this breach, so it is worth asking why Anthem was targeted at all. As it turns out, the information that was stolen is much more valuable than a batch of credit card numbers. PCI data (credit card numbers, cardholder names, and so on) often sells on the black market for between $1 and $5 per record, depending on the country of origin. Healthcare records, however, which often include such valuable data as a person's SSN and home address, were selling just this past summer for around $125 per record and have recently spiked as high as $250. The reason for the drastically higher value should be apparent. A single stolen card lets a criminal make some quick fraudulent purchases, but the card will eventually be shut down even if nothing else happens. A person's SSN, date of birth, address, and the other information contained in a healthcare record, by contrast, enable all kinds of identity theft. This is exactly the information needed to open new lines of credit or to create forged documents such as passports, and it cannot be "cancelled" the way a card can, so criminals are willing to pay far more for it.
There is still much to be said about this breach. Anthem's so far excellent incident response should serve as a positive example for companies facing this kind of issue in the future. Its quick action and open discussion of the attack show how defensive kill chain thinking can help a company handle a breach quickly and effectively. As more is revealed about this attack, there should be plenty to analyze to help companies toughen their own posture and prepare for the future.