Cyber security: Attack of the Health Hackers Targeting Medical Records
The breach of Anthem's database, probably from China, is part of a 2015 wave of 100m hacked medical records. Eight out of ten of the biggest hacks in the US last year were of healthcare providers, caused by failed healthcare security.
Last January an administrator at health insurer Anthem noticed an unusually complex query running on the computer network.
It looked like a colleague was responsible, but a quick check revealed that it was coming from somewhere else. Minutes later, Anthem was in crisis mode. Investigators believe the hackers were from China and had been operating undetected inside the company’s network for months. They gained access by tricking the employee into clicking on a phishing email that was disguised to look like an internal message.
Using the administrator’s credentials, hackers combed through Anthem’s database containing names, social security numbers and birth dates of over 78m people who have been enrolled in its insurance plans since 2004. Anthem’s breach sent a wave of panic through the healthcare industry. It exposed clients’ most sensitive and valuable personal information, and revealed just how unprepared the health industry was for threats from increasingly sophisticated cyber criminals — and from nation states. Hackers accessed over 100m health records — 100 times more than ever before — last year.
Eight of the 10 largest hacks into any type of healthcare provider happened this year, according to the US Department of Health and Human Services.
Insurers scrambled to hire cyber security companies to scrub their systems. Premera Blue Cross, CareFirst BlueCross BlueShield, and Excellus Health Plan announced breaches affecting at least 22m individuals in total since March, including hacks that stretched back more than a year. Investigators told the FT that they believe some of the hacks are related and trace back to China. The insurers face multiple investigations from state insurance regulators and attorneys-general and some could face fines for failing to comply with state data privacy laws, while federal law enforcement agencies are investigating who is behind the hacks.
“For a lot of them it is often less of a priority than it should be. Because their focus is often on many other things it creates a vulnerability that I think a lot of hackers have figured out,” said Deven McGraw, deputy director for health information privacy at the HHS’s Office of Civil Rights. “We’re seeing some pretty consistent areas of non-compliance across the board.”
The HHS is investigating the breaches and declined to comment on them specifically. Healthcare companies are required by privacy laws in numerous countries, including the US and UK, to protect personal data. Yet they have been inconsistent in maintaining basic security, say regulators.
In the UK, there have been no reported hacks at the National Health Service, but it has been fined £1.3m by the Information Commissioner’s Office, which conducts audits on behalf of the government over data privacy. The fines are mostly for sloppiness: lost laptops, files left at a grocery shop and records abandoned at a bus stop.
“The Health Service holds some of the most sensitive personal information available, but instead of leading the way in how it looks after that information, the NHS is one of the worst performers. This is a major cause for concern,” Christopher Graham, the Information Commissioner, said this year. The ICO was granted new authority this year to conduct compulsory audits of NHS systems. “Protecting the security of data across government and especially within the health system is a top priority,” an NHS spokesman said.
As in the UK, US healthcare providers see a majority of their data breaches falling into the categories of lost laptops or improper access to systems by insiders. Yet as more information is maintained in electronic form — an idea pushed heavily by the US government to make health records more portable — cyber intrusions have grown.
At some hospitals, the doctors who are often part of management have long resisted electronic measures that they thought could slow down or interfere with patient care. HHS’s Ms McGraw said this is a common excuse, but she said it is far more troubling that many companies don’t encrypt their data. The problem has been exacerbated by the hundreds of hospital mergers that have occurred over the past few years, often resulting in multiple IT systems in one hospital group. Cyber security is often overlooked as a priority.
“It’s a very fragmented industry so there aren’t as many major players who drive the entire sector the way you’ve seen when it comes to financial services and cyber security,” said Bryan Palma, senior vice-president of Cisco’s Advanced Services in cyber security. “That is not happening in healthcare.”
With healthcare profit margins under pressure, only about 3 per cent of the IT budget is earmarked for cyber security, according to experts. Too many aspects of patient care are shared on a single hospital network. That means hackers in search of patient data could also disrupt life-saving equipment such as respirators running on the same network.
A new threat emerges
The threat changed this year with the emergence of hacks that investigators say are connected to China.
“We know of multiple threat groups operating out of China that have engaged in attacks in the healthcare industry,” said Charles Carmakal, an investigator with Mandiant, a cyber security company. Mandiant was hired by Anthem, Premera and others. “While we believe we know from an organisational perspective who they are, we can’t tell who tasked them to do it. The big question is: are they hackers for hire and were they asked by the Chinese government to do this?” said Mr. Carmakal.
The Chinese government has denied it was involved in the hacks. American investigators believe hackers in China targeted insurers in the US, including Anthem, to learn how medical coverage and insurer databases are set up, people familiar with the cases said. The records are also valuable for intelligence purposes. Addressing healthcare challenges has been a top priority of the Chinese government, which is facing an ageing and affluent population that is demanding better care.
[Chart: Individuals hit in cyberbreaches at four US healthcare insurers]
“China is very interested in anything that will help them with the illnesses they are dealing with and changes in their population,” said Dmitri Alperovitch, co-founder of CrowdStrike, who declined to talk specifically about the Anthem breach. “For example, diabetes is a big problem in China so they have targeted companies in that space.”
China has promised to provide universal access to healthcare to all its citizens by 2020. Currently, China’s spending on healthcare per capita still lags far behind that of developed countries, and the healthcare system is riddled with corruption and kickbacks.
The industry is also an attractive target for criminals who sell personal health data on the black market. Medical records are much more valuable than credit card numbers because their theft often takes longer to detect, so the data have a longer shelf life. Data such as social security numbers can be used in a range of schemes, from tax refund fraud to insurance fraud or Medicare fraud. A credit card record can be bought for about $1 on the black market, but “one person’s complete [medical] record I’ve seen anywhere between $200 and $2,000,” said Carl Leonard, an analyst for Raytheon Websense, a security company.
The market is flooded with stolen credit card details, he said, so “healthcare records attract the premium now”.
Technological advances, rising global tensions and human failings are making it ever more vital to improve cyber security.
Investigators do not believe information from the Anthem breach has been sold on black markets. However, other hackers have targeted victims of the Anthem attack with fake emails that appear to be from Anthem or offer credit protection. Those emails aim to steal data that could be sold to criminals, people familiar with the case say. Anthem plans to spend $130m over two years to better protect its networks from breaches. The company has assured regulators that it has strengthened its system, taking steps such as changing administrator passwords every 10 hours and hiring 55 cyber security experts.
Bad ‘cyber hygiene’…