Banner Health Breach

Following the news about banner health breach, IT security experts from Balabit, InfoArmor and VASCO Data Security commented below.

Csaba Krasznay, PhD, Product Manager at Balabit:

Although worldwide data protection laws emphasize the highest levels of care for healthcare data, hospitals usually don’t have sufficient money and expertise to get their IT infrastructure’s security aligned with real threats. This year alone, many healthcare institutes around the world have suffered ransomware campaigns, resulting in serious outages in service. The US and Canadian governments even issued a joint alert. (http://www.reuters.com/article/us-cyber-ransomware-alert-idUSKCN0WY3BN). But this is just the surface of the problem. Patient data has real value on the black market, and hospitals are in the hackers’ cross hairs. Every healthcare institution must realize that their patients’ data is their most valuable data, and serious protection means, at the least, the introduction of the same security measures now protecting other sectors, with special attention to internal users whose stolen credentials are usually used in cyber attacks. From an IT security perspective, healthcare is one of the most interesting sectors, because so much sensitive personal data – such as previous diseases, drug usage habits, etc. – resides in digital format – often without proper security measures.

Andrew Komarov, Chief Intelligence Officer at InfoArmor:
According to our information, the incident may be related to the same group that previously attacked several US-based healthcare institutions (in March/April 2016). As of today, the stolen data is not available for sale in the underground (4th August 2016).

Michael Magrath, Director of Business Development at VASCO:

NOTE: Magrath is serving as Chair of the Healthcare Information Management & Systems Society (HIMSS) Identity Management Task Force Sadly, this is not the first time that Banner Health’s members have had data exposed.  In February 2014, Banner Health accidentally exposed personal information on more than 50,000 people when their Medicare and Social Security numbers showed up on magazine address labels. http://www.networkworld.com/article/2452719/security0/the-worst-security-snafus-this-year-so-far.html

This time, external actors have put members at risk, leading members to no longer trust Banner Health with their sensitive data.  The cyber attack on Banner Health is another in a long list of targeted attacks against the healthcare industry.

Victims of the Banner Health cyber attack may have had their names, birth dates, Social Security numbers, addresses, and insurance information including claims information exposed.  This is very sensitive information and like most attacks, victims will receive a letter of apology and likely free credit monitoring for a set duration. The reality is compromised data may sit for years until sold or used by hackers.  Despite receiving a preliminary notification, the victims will probably ultimately be unaware of the extent to which they have fallen victim to identity theft or medical identity theft.

Hackers have migrated from banks to healthcare due to the rich and profitable content housed in databases.  Banks are certainly still targeted, but hackers realize that the financial sector has hardened their networks and applications (including mobile apps) and that it is easier to gain entry to an under-protected system or application.

Banks spend between 10-12% of their IT budget on security,  http://www.crainscleveland.com/article/20150328/SUB1/303299987/firms-cant-afford-to-fail-at-cybersecurity while respondents to Modern Healthcare’s 26th annual Survey of Executive Opinions on Key Information Technology Issues reported that the median spending range for security (as a percentage of their organizations’ overall IT budget) is 3.1% to 4% this year. SANS.org’s recent study increased that range to 5-7%. https://www.sans.org/reading-room/whitepapers/leadership/security-spending-trends-36697

Healthcare organizations must get serious about IT security. CEO’s need to be held accountable for this never-ending stream of breaches.  3-7% of an IT budget allocated to security just doesn’t cut it anymore and organizations must step up.