On January 27th, Anthem discovered that the login information for database administrators had been compromised. The investigation is ongoing, but the data breach could affect up to 80 million Anthem customers.
Information stolen includes member names, member health ID numbers/Social Security numbers, dates of birth, addresses, telephone numbers, email addresses and employment information, plus some income data. The attack also affected Anthem’s subsidiary companies such as Amerigroup, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Caremore, Unicare, Healthlink, and DeCare.
This attack may be the largest cyber attack in the healthcare industry. Last year’s intrusion at Community Health Systems (CHS) involved the records of 4.5 million consumers. According to statistics maintained by the federal government’s Office for Civil Rights at the Department of Human Services, there have been 740 major healthcare breaches over the last five years.
Why are Hackers Increasingly Targeting Healthcare?
Explanations for the increase in the size and magnitude of cyber attacks in the healthcare industry include the following:
1. Medical records are more valuable to cyber criminals. Experts say medical records are 10X more valuable than credit cards because they can be used for medical fraud, identity theft and false tax return filings.
2. Healthcare organizations lack the resources and systems to defend their data from attackers. Compared to financial services and energy companies, healthcare organizations are considered soft targets.
3. Chinese state sponsored cyber terrorists may be behind recent security breaches. The goal of these groups is broader than financial benefit and may include stealing medical research or using the data for espionage.
Anatomy of Targeted Attacks
Hackers have hundreds of ways to create and execute data-stealing attacks. Advanced Persistent Threats are commonly described as a sequence of stages, or a kill chain. These usually start with planning and reconnaissance, continue with techniques like spear phishing, credential dumping, and the use of remote administration tools to move laterally through the network, and end with data exfiltration.
Questions to Test Your Readiness to Respond to a Targeted Attack
1. Are you monitoring critical and suspicious security events on a 24×7 basis?
It may be obvious, but US business hours are the least likely time for Chinese hackers to be at work. Many organizations have invested in advanced security products such as database firewalls or next-generation malware detection software, but unless the alerts from these systems are monitored, correlated, investigated and quickly remediated, the risk of a data breach is much higher.
2. Have you developed advanced SIEM Use Cases to identify hacking approaches like credential dumping and lateral propagation?
If your SIEM system or service provider relies on base content and rules that are not constantly updated, the chance of identifying a targeted attack is low.
3. Are you using advanced cross-device correlation and pattern discovery techniques in conjunction with threat intelligence data to identify suspicious behavior?
Accurate prioritization of alerts helps identify real threats and minimizes time wasted chasing false positives.
4. Do high priority security alerts trigger automated responses like blocking traffic to or from an IP address?
24×7 active defense can block known abusive attackers and off-load operations teams so they can focus on critical issues.
5. Are you retaining your security logs for 12 months?
Effective forensic analysis often requires more than 90 days of log data.
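To make questions 2 through 4 concrete, here is a small correlation pipeline written for this post as an added illustration; it is not Proficio's code or part of any product. It runs over a handful of constructed, simplified Windows Security, Sysmon and firewall events: a lateral-movement rule (one account from one source address logging on to several hosts over the network within a short window), a credential-dumping rule (a non-allowlisted process opening a handle to lsass.exe), a correlation step that raises priority when those signals and a threat-intel match point at the same actor, and an automated-response step that turns high-priority alerts into block actions. The event fields, the allowlist path, the threat-intel address (from the 203.0.113.0/24 documentation range) and the block-action hook are all assumptions made for the example.

```python
"""Toy SIEM-style correlation over constructed log events (illustration only)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Simplified field names; event IDs follow Windows
# conventions: 4624 = successful logon (logon_type 3 = network logon),
# Sysmon 10 = process access. All hosts, users and addresses are made up.
EVENTS = [
    {"ts": "2015-01-27T02:01:00", "host": "DBSRV01", "event_id": 4624, "logon_type": 3, "user": "dbadmin", "src_ip": "10.0.5.20"},
    {"ts": "2015-01-27T02:03:00", "host": "DBSRV02", "event_id": 4624, "logon_type": 3, "user": "dbadmin", "src_ip": "10.0.5.20"},
    {"ts": "2015-01-27T02:04:30", "host": "FILESRV01", "event_id": 4624, "logon_type": 3, "user": "dbadmin", "src_ip": "10.0.5.20"},
    {"ts": "2015-01-27T02:06:00", "host": "APP01", "event_id": 4624, "logon_type": 3, "user": "dbadmin", "src_ip": "10.0.5.20"},
    # A handle opened on lsass.exe by an unexpected binary: credential-dumping indicator.
    {"ts": "2015-01-27T02:02:10", "host": "DBSRV01", "event_id": 10,
     "source_image": "C:\\Users\\Public\\svc.exe", "target_image": "C:\\Windows\\System32\\lsass.exe"},
    # Edge firewall: large outbound transfer to an address on the intel list.
    {"ts": "2015-01-27T02:10:00", "host": "FW-EDGE", "event_id": "fw_allow",
     "src_ip": "10.0.5.20", "dst_ip": "203.0.113.45", "bytes_out": 52_000_000},
    # Ordinary daytime logon for contrast; must not alert.
    {"ts": "2015-01-27T14:00:00", "host": "APP01", "event_id": 4624, "logon_type": 3, "user": "jsmith", "src_ip": "10.0.9.7"},
]
THREAT_INTEL = {"203.0.113.45"}                       # constructed feed of known-bad IPs
LSASS_ALLOWLIST = {"C:\\Program Files\\EDR\\agent.exe"}  # hypothetical path of a legitimate agent


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def detect_lateral_movement(events, window=timedelta(minutes=10), min_hosts=3):
    """Question 2: one (user, src_ip) pair reaching >= min_hosts distinct hosts
    via network logon inside `window`. Sliding window over sorted logons."""
    by_actor = defaultdict(list)
    for e in events:
        if e.get("event_id") == 4624 and e.get("logon_type") == 3:
            by_actor[(e["user"], e["src_ip"])].append((_ts(e["ts"]), e["host"]))
    alerts = []
    for (user, src_ip), logons in by_actor.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"rule": "lateral_movement", "user": user, "src_ip": src_ip,
                               "hosts": sorted(hosts), "priority": "medium"})
                break  # one alert per actor is enough
    return alerts


def detect_credential_dumping(events):
    """Question 2: a process outside the allowlist opening lsass.exe."""
    return [{"rule": "credential_dumping", "host": e["host"],
             "process": e["source_image"], "priority": "medium"}
            for e in events
            if e.get("event_id") == 10
            and e.get("target_image", "").lower().endswith("\\lsass.exe")
            and e.get("source_image") not in LSASS_ALLOWLIST]


def correlate(alerts, events, threat_intel):
    """Question 3: cross-device correlation plus threat-intel enrichment.
    Independent signals on the same actor raise the priority to high."""
    dump_hosts = {a["host"] for a in alerts if a["rule"] == "credential_dumping"}
    bad_dst_by_src = defaultdict(set)
    for e in events:
        if e.get("event_id") == "fw_allow" and e["dst_ip"] in threat_intel:
            bad_dst_by_src[e["src_ip"]].add(e["dst_ip"])
    lateral_hosts = {h for a in alerts if a["rule"] == "lateral_movement" for h in a["hosts"]}
    for a in alerts:
        reasons = []
        if a["rule"] == "lateral_movement":
            if dump_hosts & set(a["hosts"]):
                reasons.append("credential dumping on a host in the logon chain")
            if a["src_ip"] in bad_dst_by_src:
                a["bad_dst"] = sorted(bad_dst_by_src[a["src_ip"]])
                reasons.append(f"outbound traffic to threat-intel IPs {a['bad_dst']}")
        elif a["host"] in lateral_hosts:
            reasons.append("host is part of a lateral-movement chain")
        if reasons:
            a["priority"], a["reasons"] = "high", reasons
    return alerts


def automated_response(alerts):
    """Question 4: high-priority alerts become block actions. Returned as dicts;
    a real deployment would hand them to a firewall/NAC API (hypothetical hook)."""
    actions, seen = [], set()
    for a in alerts:
        if a["priority"] != "high":
            continue
        for ip in [a.get("src_ip")] + a.get("bad_dst", []):
            if ip and ip not in seen:
                seen.add(ip)
                actions.append({"action": "block_ip", "ip": ip, "rule": a["rule"]})
    return actions


def run_pipeline(events=EVENTS, threat_intel=THREAT_INTEL):
    alerts = detect_lateral_movement(events) + detect_credential_dumping(events)
    alerts = correlate(alerts, events, threat_intel)
    return alerts, automated_response(alerts)


if __name__ == "__main__":
    found, blocks = run_pipeline()
    for item in found + blocks:
        print(item)
```

The thresholds (three hosts in ten minutes) and the lsass allowlist are the parts that need tuning per environment; a base rule shipped with a SIEM and never adjusted is exactly the "base content" that question 2 warns about. Note also that the daytime `jsmith` logon produces nothing, while the same rules fire on the 02:00 activity that a 24×7 monitoring team, not a day shift, would be in place to see.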
Proficio provides advanced cloud-based cyber security services and data breach prevention solutions to many healthcare organizations.