Brian Jackson - Fotolia
A health insurance company in the US has begun notifying 3.7 million people that their personal details may have been exposed in a data breach – seven weeks after the intrusion took place.
According to the company – Banner Health, based in Phoenix, Arizona – it became aware on 7 July 2016 that cyber attackers had accessed computer systems that process payment card data at some of its food and beverage outlets.
Six days later, it discovered that cyber attackers may have also gained access to information stored on some of its computer servers.
“We immediately launched an investigation, hired a leading forensics firm, took steps to block the cyber attackers, and contacted law enforcement,” the company said. “The investigation revealed that the attack was initiated on 17 June 2016.”
In other words the breaches had taken place three weeks (and in the case of the Banner Health servers, nearly four weeks) before the company realised any intrusion had occurred.
Security experts have increasingly emphasised the need to reduce what is commonly called ‘dwell time’, during which attackers can explore networks and steal data before they are detected and their malicious activities blocked.
Delays in detection also mean that attackers may be able to use the data to commit fraud and other crimes before those affected by the breach are notified and able to take precautionary measures.
Banner Health has begun sending out letters to all patients, members of its healthcare plan, beneficiaries of its employment benefits plan and customers of its food outlets. It is doing so in accordance with US mandatory breach notification requirements soon to be introduced to Europe through new data protection and network information security legislation.
However, the notification process began seven weeks after the data is believed to have been compromised, and the company expects the notification process to last until 9 September. Some of those affected will therefore be notified up to 12 weeks after the breach occurred.
What's been exposed?
According to Banner Health, the information exposed may include patients’ names, birthdates, addresses, doctors’ names, dates of service, clinical information, health insurance information and any social security numbers provided to Banner Health.
For healthcare plan members and beneficiaries, the exposed data may also include claims information; for customers of the company’s food and beverage outlets, it may include payment cardholder name, card number, expiry date and internal verification code (because the data was being routed through affected payment processing systems). The incident did not affect payment cards used for payment of medical services, the company said.
Banner Health is offering a free one-year membership of a monitoring service to customers and healthcare providers affected by the breach.
“In addition to offering these free services and taking steps to block the cyber attack, we are further enhancing the security of our systems to help prevent something like this from happening again,” the company said on web pages dedicated to information on the cyber attack.
In September 2015, researchers at Raytheon Websense (now Forcepoint) revealed that healthcare organisations were 340% more likely to be hit by an IT security incident than the average across all sectors, and 200% more likely to experience data theft as cyber criminals increasingly target healthcare organisations because of the rocketing black-market value of personal medical data.
As the trend continues, security experts have urged healthcare sector companies to review and improve their cyber detection capabilities as well as to raise cyber security budgets.
“For hospitals, the crucial time between a security event and a publicly reported data breach is often considerable,” said Anthony James, vice president of products at TrapX Security.
“The goal for the breached hospital then becomes to identify the attackers and defeat their efforts before they can steal patient data,” he added.
New mindset needed
According to James, this requires a change in thinking. “Firewalls and basic defences are no longer enough. Going forward, hospitals should consider new technology and related best practices designed to rapidly discover attackers after they penetrate the network as part of their assessment process,” he said.
Joe Fantuzzi, CEO of RiskVision, said: “Business sectors, including the highly regulated healthcare industry, often lack visibility into their risk posture throughout their environment.
“Once they understand all of the potential risk factors to their compliance and security posture, organisations can then effectively determine the critical systems and regulated data that require the most attention.
“From there, they will be able to make informed decisions on how to prioritise and secure that data to prevent it from falling into the wrong hands and thus being subjected to costly compliance penalties.”
Although worldwide data protection laws emphasise the need for the highest levels of care for healthcare data, hospitals usually do not have sufficient money and expertise to align their IT infrastructure security with real threats, according to Csaba Krasznay, product manager at security firm Balabit.
“In 2016 alone, many healthcare institutes around the world have suffered ransomware campaigns, resulting in serious outages in service,” he said. “The US and Canadian governments even issued a joint alert, but this is just the surface of the problem.”
Read more about healthcare data breaches
- The NHS Dumfries and Galloway health board has adopted a proactive way to protect patient data through continual vulnerability assessment.
- HIV clinic data breach shows lessons have not been learned.
- The latest NHS data breach comes after the ICO’s repeated warnings about the risk of disclosing personal data through poor email practices.
Because patient data has real value on the black market, Krasznay said every healthcare institution must realise that its patients’ data is its most valuable data.
“Serious protection means, at the least, the introduction of the same security measures now protecting other sectors, with special attention to internal users whose stolen credentials are usually used in cyber attacks.
“From an IT security perspective, healthcare is one of the most interesting sectors, because so much sensitive personal data – such as previous diseases, drug usage habits, etc – resides in digital format, often without proper security measures,” he said.
Up the security spend
Michael Magrath, director of business development at Vasco Data Security and chair of the identity management task force of the US Healthcare Information Management & Systems Society (HIMSS), said the Banner Health breach highlights the need for greater investment in cyber security by the healthcare sector.
Hackers have migrated from banks to healthcare because of the rich and profitable content housed in healthcare databases. While banks are certainly still targeted, Magrath said hackers realise that financial sector businesses have hardened their networks and applications and that it is easier to gain entry to an underprotected system or application.
According to Magrath, banks spend between 10% and 12% of their IT budget on security. Modern Healthcare's 26th annual Survey of executive opinions on key information technology issues revealed that the median spending range of respondents for security as a percentage of their organisations’ overall IT budget is just 3.1% to 4% this year.
“Sans.org’s recent study increased that range to 5% to 7%, but healthcare organisations must get serious about IT security. CEOs need to be held accountable for this never-ending stream of breaches. Just 3%-7% of an IT budget allocated to security doesn’t cut it any more and organisations must step up,” Magrath said.
Andrew Komarov, chief intelligence officer at security firm InfoArmor, said that intelligence suggests that Banner Health was breached by the same group that attacked several US-based healthcare institutions in March and April 2016.