Background
In a recent update, healthcare insurance provider Premera Blue Cross announced that they had been the victims of a cyberattack which had compromised 11 million customer records including credit card numbers, social security numbers and possibly information pertaining to medical records. The implications of such an attack are obviously far-reaching and, above all, can diminish the confidence customers have in their service providers to protect their personal information and identity. Whilst Premera have taken several steps in assessing and rectifying the issue, including the employment of a leading cybersecurity firm to conduct the investigation, questions may still remain as to how an organisation declared compliant with the Health Insurance Portability and Accountability Act (HIPAA) in 2014, have managed to find themselves the victims of such a catastrophic data hack. Did the company lack the necessary security features required to identify the kind of attack used to compromise their systems? If so, how did compliance regulators manage to miss this issue?
Were issues identified last year the cause of the breach?
A Final Audit Report, prepared by the U.S Office of Personnel Management and dated 28th November 2014, found that:
- Premera employees were not keeping up to date with security patches for their software, leaving computers vulnerable to attack.
- Sysadmins hadn’t agreed on a “baseline” set of configuration settings to ensure all their systems were secure to the same standard, or better.
Despite these flaws, Premera was nevertheless declared compliant with the Health Insurance Portability and Accountability Act (HIPAA) at the end of last year. Were these identified issues the cause of the breach? Considering the suspected tactic used to infiltrate Premera’s systems, widely believed to be a phishing attack, it may not be the case that these flaws were directly responsible. However, a lack of resilience on the part of Premera employees could indeed be a significant part of the problem. Successful phishing attacks usually require two key things: firstly, human error on the part of someone within the organisation (for example, as a result of an employee responding to a phishing attempt via email) and secondly, the lack of a security system that is capable of quickly identifying the malware that is usually installed on a victim’s device as a result of the initial human error. Most phishing attacks usually result in a Trojan being installed on the victim’s machine which then “dials out” to receive instructions from a command and control server on what to do next. There are a combination of security analytic technologies that could help Premera, as well as many other organisations, to quickly identify this kind of malware as soon as it enters their environment. At Red Scan we use a range threat detection techniques, including: log management, SIEM, IDS, vulnerability scanning, Global Threat Intelligence, local honeypots, sandboxing and behaviour analysis. Utilising this kind of technology provides the capability for quick remediation of issues as well as identification of information assets that have been compromised. Given that it took Premera more than 6 months to identify their breach, it would seem evident that the company lacked the security technology required to minimise the impact of a cyberattack of this nature. What this says about HIPAA compliance criteria is certainly one for debate!
What other measures could Premera take to protect against phishing?
Phishing attempts will no doubt continue to be successful in the future, however, there are steps that organisations can take to safeguard their data. User training helps employees to be vigilant about suspicious looking emails and attachments and is one method of lowering the risk. This is not, however, a reliable method of prevention. An incident response plan is essential to ensure the quick remediation of issues as well as identification of information assets that have been compromised. Finally, reducing the attack surface available for a breach is of critical importance. By carrying out regular assessments, tests and updates to harden the network, it’s possible to limit the access an attacker has to information once they have breached the perimeter of a network.