In February, as many as 80 million customers and employees of Anthem Blue Cross were affected by the largest U.S. healthcare data breach to date. If you maintain health information, even on a small scale, you’re a target for an “Anthem breach.” Here are five things you need to know.
Healthcare Data Is Much More Valuable Than You Think.
Health credentials, such as Medicare numbers, can go for $10 each on the black market. That’s about 10 to 20 times the value of a U.S. credit card number. Even small healthcare organizations are enticing targets for a breach, especially ones that have less-sophisticated IT systems. Cybercriminals use stolen credentials to buy medical equipment, supplies or medications that are resold. They also combine insurance ID numbers with provider numbers, real and fake, to file insurance claims for services that were never provided. Many hospital surgical procedures garner tens of thousands of dollars in insurance payments, making a single healthcare credential a valuable asset to a fraudulent biller.
Medical Identity Theft Typically Goes Undetected for a Long Time.
After cyberattackers “hit” an IT system, they often wait to see if the target company detects the intrusion. Once a few months, or even years, have gone by with the breach still unreported, the fraudulent billing begins. It’s typically discovered when a patient finally gets a bill or an EOB for a coronary bypass they never underwent or a hospital bed they never purchased.
The Anthem Cyberattack Wasn’t All That Sophisticated.
Despite initially being reported as a “sophisticated attack” (Anthem has since backed off from that description), this cyberattack simply targeted human vulnerabilities. Reports indicate the hackers gained access to Anthem’s system by stealing the network login credentials (usernames and passwords) of at least five employees with high-level IT access. The hackers likely got these credentials through “phishing” campaigns in which they sent Anthem’s network administrators fake e-mails to get them to reveal their login information. Once the attackers had those credentials, they had access to the entire system, since Anthem had given the administrators rights to all system data. Technical measures only go so far. If an employee unsuspectingly gives up their login credentials, your technical controls are effectively useless.
Encryption Probably Wouldn’t Have Prevented the Anthem Breach.
Encryption is generally the “gold standard” for protecting your electronic health information against a breach. If a hacker tries to gain access to your system through illegitimate means, or gets physical control of a storage device, encrypting the data will generally prevent the hacker from being able to read it. But when nefarious users gain access to your system with real credentials, as it appears the attackers did in the Anthem breach, encryption won’t prevent the unauthorized user from accessing and reading the data: when users present legitimate credentials or keys, the system decrypts the data for them. Encrypting your data is strongly recommended and provides a safe harbor from the breach notification requirement under HIPAA (provided your encryption key is secure). But there is no substitute for safeguarding usernames and passwords.
Healthcare Providers Aren’t Great at Protecting Data.
Last April, the FBI warned healthcare providers in a private industry notification that: “The healthcare industry is not as resilient to cyberintrusions compared to the financial and retail sectors, therefore the possibility of increased cyberintrusions is likely.” [1] It’s no secret that the healthcare industry has been more lax than other sectors when it comes to protecting data, and cybercriminals are seizing the opportunity to target the industry before it catches up. Small healthcare providers often have very limited resources to put into cybersecurity.
[1] FBI Cyber Division. Private Industry Notification: Healthcare Systems and Medical Devices at Risk for Increased Cyber Intrusions for Financial Gain. http://www.illuminweb.com/wp-content/uploads/ill-mo-uploads/103/2418/health-systems-cyber-intrusions.pdf
Ryan Stark and Doug Wolfberg are attorneys with the EMS-industry law firm of Page, Wolfberg & Wirth, headquartered in Mechanicsburg, PA.
Sidebar: 3 Things You Can Do to Protect Your Data
There are many measures organizations can take to combat Anthem-type breaches. Here are just a few:
Have a qualified IT consultant conduct a penetration test of your system to find vulnerabilities in your firewalls and the rest of your IT environment.
Train your workforce on the most common types of attacks, including “phishing” campaigns (for example, not opening suspicious e-mails), and to report anything suspicious immediately.
Consider cyberbreach insurance to protect your organization financially in case you are subject to a breach.