
Premera Breach Emphasizes Risk to Holders of Medical Records and the Importance of Network Security

By ISBuzz Team | March 27, 2015 | Updated: May 8, 2015

The recently announced breach of Premera, following so closely on the heels of Anthem, should set off alarm bells for other organizations in the healthcare industry, as it is unfortunately likely that we will soon hear of other compromised healthcare companies. In both of these cases, the actual breach took place long before it was discovered, meaning every other healthcare company should be actively working to ensure its network is secure.

This attack on Premera’s health insurance data has been identified as the second-largest on record with about 11 million customers, employees and more affected, dating back to 2002. In February, Anthem’s system was hacked, resulting in information theft from around 80 million current and former customers.

While the Anthem breach was much larger in terms of the total number of records, the Premera Blue Cross breach is believed to include medical records along with personally identifiable information (PII), which could unlock the potential for significant medical fraud. If insurance plan information is stolen along with identity information, data thieves would have a good indicator of which identities hold a higher value, based on the value of the insurance plan. If thieves focus on the individuals with the highest plan costs, these are likely to be people who are more established in their lives, have families, higher incomes and better credit, meaning their identities are worth even more on the black market.

In addition, with the full medical records, someone who is committing ID fraud can target known issues with unscrupulous doctors and submit logical, albeit fraudulent, claims. Imagine if a cancer patient’s records were stolen, for example, and the thief had enough information to pose as that individual. They could then work with a corrupt medical practice and submit reimbursement claims for expensive chemotherapy sessions (which are never actually provided). Since the real patient is a known cancer patient, this might not even set off any audit flags. This is just one example in which medical fraud could occur.

This breach again calls into focus the reality that data security is not limited to the processing of payments and credit cards. The same day that Premera publicly announced its breach, a relatively small dental company in Oregon announced it was also breached, and over 150,000 names, social security numbers and other PII were stolen. Compared to Anthem or Premera, this breach seems minor, but it highlights the vast sources of data hackers have to choose from. Businesses of all kinds and across all industries must act to protect sensitive information stored in their systems.

The problem is that data security is boring and tedious, making it easy to become the task we push off until tomorrow, and the next day, and the next day. There needs to be a broad understanding that in order to be truly protected, enterprises must become proactive in securing network access, encrypting data and auditing security methods on a regular basis. While larger enterprises are potentially targets for highly sophisticated attacks, it is often the simple things that get missed. Ensuring that every system has updated security patches, that configurations are kept current, that passwords are changed often and not reused on two different systems, and that two-factor authentication is used were all possible in the cases of these breaches and are reasonable suggestions for companies of all sizes.

For larger enterprises, it means IT security professionals need to go back to basics every once in a while.  Employees at large companies can easily become complacent, relying on their big IT budgets to cover their basic IT security miscues.  This culture of complacency needs to be actively addressed by the IT security team, even if it means being the bad guys.

For smaller companies that don’t have the IT budget or staff, like the dental practice company, it means picking the right IT security partners.  For less than the cost of one filling per month, that dental company could have used a third-party IT security firm to protect their data.  A fully managed network security program will include not only remote firewall management but also systems to ensure configurations are consistently updated and security patches implemented.  Further, properly configured firewalls can ensure that if malware does find its way onto a network, the data on that network cannot be transmitted to an unauthorized location.

After the fact, audits of breaches often discover a number of possible security issues and may or may not accurately identify the true source of the breach in question.  However, what they do point out every time is that it only takes one mistake—one unsecure server, one password that was used on an unsecure system and exposed, one employee who mistakenly clicks on the link in the email, one firewall that wasn’t configured properly, and more—to become the next compromised company in the headlines.

by Kevin Watson, CEO, Netsurion

BIO: Kevin Watson joined Netsurion as CEO in November 2014, bringing considerable experience in data security, managed technology services and high-growth technology companies. Netsurion provides cloud-managed firewall solutions to protect the data of small and medium-sized businesses and has been a leader in the field for more than seven years. From 1998-2014, Kevin was co-founder and managing director of C/max Capital where he led the firm’s investments in About.com (taken public then sold to Primedia), Adjoined Consulting (sold to Kanbay), Verid (sold to EMC), Concordia (sold to Kadmon) and KMC Software. Kevin received a Bachelor of Science in engineering from Cornell University.

About Netsurion

Netsurion is a leading provider of cloud-managed IT security services that protect small- and medium-sized businesses’ information, payment systems and on-premise public and private Wi-Fi networks from data breaches and other risks posed by hackers. Netsurion’s patented remote installation technology and PCI compliant cloud-based solutions simplify the implementation process and ongoing support. Any sized branch or remote office, franchise or sole proprietor operation can use Netsurion without the costs of onsite support. The company serves the retail, hospitality, healthcare, legal and insurance sectors. www.netsurion.com


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
