There were 503 healthcare data breaches reported in 2018, with over 15 million healthcare records exposed. This is almost triple the number of compromised records from 2017 and equates to more than 1 breach a day. Unfortunately, experts expect this pattern to continue throughout this year.
In October of last year, Anthem agreed to pay almost $16 million to HHS’ Office for Civil Rights, the largest HIPAA violation settlement to date, following its 2015 data breach affecting almost 79 million people. This amount comes on top of the $2.5 million spent on expert consultants following the breach, $115 million for the implementation of security improvements and technologies, $31 million for initial notifications to affected individuals, and $112 million to provide credit protection to those impacted.
It is impossible to read those numbers and not feel a little sick to your stomach, and even more so once you learn the breach began with a user within one of Anthem’s subsidiaries opening a phishing e-mail with malicious content.
That one phishing e-mail sparked the download of malware to the user’s computer and allowed the criminals to gain remote access to other systems within the Anthem environment. Once inside the network, the attackers moved laterally across systems and escalated privileges. It was noted in the recent report from the OCR investigation that the attackers utilized at least 50 accounts and compromised at least 90 systems, including the enterprise data warehouse that housed user records containing names, birthdates, SSNs, addresses, and other member information.
Could this breach have been prevented? If we re-trace the attackers’ movements, there are several moments along the way that could have potentially stopped the breach or at least have triggered an alert of compromise. Below are the lessons learned and best practices that should be implemented at all organizations:
1) Know Where Your Data Is
If you don’t know where sensitive data is, where it rests, how it moves throughout systems within your network, where it goes, etc., it is impossible to protect. Verify that you have a current inventory of all systems and up to date data flow diagrams to document where critical data is at all times, and make sure that there are policies in place requiring that these are maintained.
2) Continue to Push Awareness and Training
Humans continue to be the weakest link. The Anthem breach, as well as recent breaches at Premera Blue Cross and Beacon Health Systems, were caused by phishing attacks that compromised staff access credentials. Mandatory awareness training and phishing education for these employees may have prevented these compromises. It is important to provide employees with the tools to recognize potential phishing messages and respond accordingly.
3) Monitor Your Systems
Any organization with sensitive information, whether it be payment card data, personal health information (PHI), or personally identifiable information (PII), needs to continuously monitor its systems and use tools that generate alerts on any suspicious or abnormal behavior that may indicate a system intrusion. Even with increased training, employees may still fall victim to a well-written phishing message carrying malicious software. Log monitoring and file integrity monitoring keep track of who is accessing protected information and whether they are making changes. In 2018, it took an average of 255 days for a breach of any type to be discovered and an average of 73 days for breaches to be reported after they were discovered. Targeted monitoring of what privileged users were doing within Anthem’s systems may have detected the suspicious behavior before critical systems were compromised.
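The attack pattern described above, many accounts used from one foothold to reach many systems, is exactly what log monitoring can surface. The following is an added example (not code from CampusGuard or from the OCR report) that runs over constructed authentication log lines in an assumed `src=/user=/dst=/result=` format and flags any source host that successfully logs on with an unusual number of distinct accounts or to an unusual number of distinct destinations; the thresholds `max_accounts` and `max_hosts` are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict

# Constructed sample authentication log lines (not real data).
# Format assumed for this example: timestamp src=<host> user=<account> dst=<host> result=<outcome>
SAMPLE_LOG = """\
2015-01-10T09:01:12 src=WS-104 user=jdoe dst=FILE-01 result=success
2015-01-10T09:03:40 src=WS-104 user=asmith dst=FILE-02 result=success
2015-01-10T09:04:02 src=WS-104 user=svc_backup dst=DB-01 result=success
2015-01-10T09:05:15 src=WS-104 user=admin_it dst=DWH-01 result=success
2015-01-10T09:07:58 src=WS-104 user=rlee dst=HR-01 result=success
2015-01-10T09:10:30 src=WS-221 user=mchen dst=FILE-01 result=success
2015-01-10T09:11:05 src=WS-221 user=mchen dst=MAIL-01 result=success
2015-01-10T09:12:44 src=WS-310 user=kpatel dst=FILE-03 result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+) result=(?P<result>\S+)$"
)

def parse(log_text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def flag_lateral_movement(events, max_accounts=3, max_hosts=3):
    """Return {source_host: {"accounts": [...], "hosts": [...]}} for every source
    whose successful logons span more than max_accounts distinct accounts or
    more than max_hosts distinct destinations (thresholds are assumed defaults)."""
    accounts = defaultdict(set)
    hosts = defaultdict(set)
    for e in events:
        if e["result"] != "success":   # only successful logons count toward the spread
            continue
        accounts[e["src"]].add(e["user"])
        hosts[e["src"]].add(e["dst"])
    flagged = {}
    for src in accounts:
        if len(accounts[src]) > max_accounts or len(hosts[src]) > max_hosts:
            flagged[src] = {"accounts": sorted(accounts[src]), "hosts": sorted(hosts[src])}
    return flagged

if __name__ == "__main__":
    for src, info in flag_lateral_movement(parse(SAMPLE_LOG)).items():
        print(f"ALERT {src}: {len(info['accounts'])} accounts -> {len(info['hosts'])} hosts")
```

In the sample, WS-104 is flagged (five accounts reaching five systems in ten minutes) while a workstation used by a single person is not; in production the same logic would be fed from the SIEM rather than an inline string.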
4) Update Anti-Virus and Anti-Malware Software
If employees do fall for phishing e-mail scams that contain malware or malicious links, it is important that all anti-virus solutions are up to date and that web filters have been updated to block any untrusted or new links embedded within e-mails.
5) Implement Multi-Factor Authentication
Multi-factor authentication plays a critical role in preventing breaches, as it makes it much more difficult to gain access to an authorized user’s account or use stolen credentials to access other systems.
6) Limit Data and Access
Organizations should always limit the amount of information they collect to only that which is necessary. And only those staff that have a business need to know should be able to access the data.
7) Incident Management
Organizations need to be ready when a breach occurs. Verify you have a comprehensive incident response plan. Ensure all response team members understand their roles and conduct a tabletop exercise/test to identify any potential gaps or failures. Without a clearly defined plan, the world will be watching as employees scramble to respond. A well-executed incident response plan can significantly reduce the impact of the breach, which will, in turn, reduce potential fines and decrease reputational damage. Timely disclosure of data breaches is also important and in the best interest of both the organization that suffered the breach and the individuals whose data has been compromised.
Attacks targeting healthcare organizations are only going to continue to rise. With the majority of breaches stemming from hacking, phishing, or IT incidents, this is an opportunity for the healthcare industry to do better, and it should motivate all organizations to conduct an enterprise-wide risk assessment and put minimum access controls in place as soon as possible.
Some additional guidance from the CampusGuard Security Advisor team below:
[Hopkins]: Hospitals and medical care facilities have become a favorite target of cybercriminals in an attempt to extort money through the use of ransomware. Ransomware is malicious software, usually introduced to the hospital’s computer systems through phishing attacks. The software can encrypt the hospital’s data records and deny the hospital their use. The attacker then demands a ransom payment from the hospital to decrypt the records. While not incurring a breach of data, these attacks may result in an inability to access medical records and communications, effectively paralyzing the provision of healthcare services.
It is important to emphasize training and awareness to prevent ransomware phishing attacks. Additionally, reassess your data backup systems to ensure the availability of timely and complete data backups in the event of an attack. While prevention is always the best approach to dealing with ransomware, make sure you have an incident plan in place that can work to restore the facility to full operational status as soon as possible.