Last week, CareFirst BlueCross BlueShield (CareFirst) reported a data breach that was initially discovered last year. When the incident was first noticed, the company assumed it had taken care of the problem, only to learn ten months later that it hadn't.
The healthcare sector has taken center stage in recent months as criminals shift from retail and finance towards easier targets. Unfortunately, most healthcare organizations are operating under a number of flawed assumptions concerning security, and it's starting to cause serious problems.
Premera Blue Cross and Anthem were both targeted by attackers using similar methods and tactics (phishing and typosquatting), but in each case the attackers were detected, enabling both firms to activate incident response and deal with the fallout of having tens of millions of records exposed.
During the CareFirst incident, however, the attackers were also detected, but the company assumed its actions were enough to contain the threat and did nothing further.
That's the key difference. Premera and Anthem didn't make assumptions after detection, unless you count assuming the worst and kicking off incident response immediately. Yet they did assume the level of security on their networks was sufficient to protect data from a variety of attackers. Moreover, each firm took months to detect the intrusion, a problem shared by organizations the world over.
CareFirst made security-related assumptions of its own, then compounded them by assuming the detected attack was the only thing wrong on the network. In all three cases the assumptions were wrong, and tens of millions of records were exposed because of it.
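The typosquatting mentioned above is the kind of lookalike-domain lure that a mail gateway or SIEM can be taught to flag before a phish lands. The following script is an added example, not code from the article or from any of the companies it names: the organisation domain, the candidate-generation rules and the mail-gateway log lines are all constructed for illustration. It generates the lookalike domains an attacker would plausibly register for a given domain, then scans sender addresses in the sample log for exact candidate matches and, as a wider net, for labels within one edit of the real one.

```python
import re

# Constructed organisation domain and mail-gateway log (not real data).
ORG_DOMAIN = "example-health.com"
SAMPLE_LOG = """\
2015-05-20T08:12:01Z from=hr@example-health.com to=staff@example-health.com subject="Benefits enrollment"
2015-05-20T08:14:33Z from=helpdesk@examp1e-health.com to=staff@example-health.com subject="Password reset required"
2015-05-20T08:15:10Z from=it@exampel-health.com to=jdoe@example-health.com subject="VPN certificate renewal"
2015-05-20T08:20:45Z from=billing@examplle-health.com to=ap@example-health.com subject="Invoice attached"
2015-05-20T08:22:09Z from=news@vendor-news.net to=staff@example-health.com subject="Weekly digest"
"""

# Visually confusable substitutions an attacker typically uses (assumed list).
HOMOGLYPHS = {"l": "1", "i": "l", "o": "0", "e": "3", "a": "4", "s": "5",
              "rn": "m", "m": "rn", "vv": "w", "w": "vv"}
TLD_SWAPS = ("com", "net", "co", "org")

SENDER_RE = re.compile(r"\bfrom=([^@\s]+)@([^\s]+)")


def split_domain(domain):
    """Return (label, tld) for a simple two-part domain such as example.com."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def typosquat_candidates(domain):
    """Generate lookalike domains an attacker might register for `domain`."""
    label, tld = split_domain(domain)
    labels = set()
    # 1. single-character omission
    for i in range(len(label)):
        labels.add(label[:i] + label[i + 1:])
    # 2. adjacent-character transposition
    for i in range(len(label) - 1):
        labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    # 3. homoglyph substitution, one occurrence at a time
    for src, dst in HOMOGLYPHS.items():
        idx = label.find(src)
        while idx != -1:
            labels.add(label[:idx] + dst + label[idx + len(src):])
            idx = label.find(src, idx + 1)
    # 4. hyphen removal
    labels.add(label.replace("-", ""))
    labels.discard(label)
    labels.discard("")
    candidates = {f"{l}.{tld}" for l in labels}
    # 5. same label under a different TLD
    candidates |= {f"{label}.{t}" for t in TLD_SWAPS if t != tld}
    return candidates


def edit_distance(a, b):
    """Levenshtein distance; catches insertions the generator does not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalikes(log_text, org_domain):
    """Return [(line_no, sender_domain, reason)] for senders impersonating org_domain."""
    candidates = typosquat_candidates(org_domain)
    org_label, _ = split_domain(org_domain)
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = SENDER_RE.search(line)
        if not m:
            continue
        sender = m.group(2).lower()
        if sender == org_domain.lower():
            continue  # legitimate internal sender
        if sender in candidates:
            hits.append((n, sender, "generated typosquat"))
        elif edit_distance(split_domain(sender)[0], org_label) <= 1:
            hits.append((n, sender, "edit distance 1"))
    return hits


if __name__ == "__main__":
    for line_no, sender, reason in find_lookalikes(SAMPLE_LOG, ORG_DOMAIN):
        print(f"line {line_no}: {sender} ({reason})")
```

Run against the sample log, the script flags the homoglyph (`examp1e-health.com`), the transposition (`exampel-health.com`) and the doubled-letter variant (`examplle-health.com`), and leaves the genuine internal sender and the unrelated third-party domain alone. The candidate list is also what you would feed to a registrar watch or a DNS sinkhole; the edit-distance fallback is there because no generator enumerates every variant an attacker can think of.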
In a statement, CareFirst said at the time it was believed they "had contained the attack and prevented any actual access to member information."
It wasn't until the company commissioned a security audit several months later, in the wake of the Anthem and Premera breaches, that Mandiant discovered the full scope of the attack.
"I think that we can generally observe that Anthem, Premera, CareFirst (and presumably many other healthcare enterprises) have made some assumptions about the level of security investment and capability that they need to adequately deal with the risk to their critical assets and patient data," commented Eric Cowperthwaite, the VP of advanced security and strategy for Core Security.
Cowperthwaite, the former CISO of Providence Health, is familiar with the security struggles the healthcare industry faces on a daily basis, plus the fact the threat landscape itself has changed dramatically over the last few years.
CareFirst isn't the only company making serious assumption-based miscalculations, but this incident offers a clear lesson, at least on a strategic level, to other healthcare organizations: they need to review their security posture and address the types of assumptions being made before it is too late.
"At a tactical level, [Anthem, Premera, and CareFirst] appear to have made assumptions about the adversaries and their capability that are not in line with reality. In general, most people have a very difficult time adjusting their perception of reality to a changed reality. We are beginning to see healthcare getting a wake-up call. It will be interesting to see how long it takes them to adjust to their new reality."
According to reports from BitSight, healthcare has lagged behind other industries (including retail) on security, as measured by the volume of security incidents and by slow response times.
"Health care companies have often been more willing to accept those risks because of a mistaken belief that 'the hackers are after credit card numbers, not electronic health records,'" commented John Pescatore, director of emerging trends at SANS Institute, during an interview earlier this month with CSO Online.
The reality is the exact opposite.
Healthcare data is extremely valuable to criminals, as it can be repackaged and resold for a number of different criminal campaigns.
According to a recent Ponemon study, the value of medical records is why criminal attacks have grown 125 percent over the last two years, surpassing accidents as the top source of breaches in healthcare.
It's true, assumptions hurt CareFirst. But the larger picture is that assumptions hurt everyone in the healthcare sector, because the days of saying there's nothing on the network of interest to criminals, or that a single logged event is the total scope of a given incident, are long gone.
Edit Note: Added a clarification to paragraph five, noting that both Premera and Anthem took months to detect their respective incidents. This is a core problem in all industries, not just healthcare. Millions of dollars are spent each year on breach detection and mitigation, but far too often detection happens long after the actual event, which is too little, too late for most firms.