The Anthem Breach: What does it mean to Information Security in the Healthcare Industry?

By Gabriel Jimenez, Sr. Security Consultant

Over the past few years, the Healthcare industry has seen a significant increase in cyber-attacks. According to leading security experts, we have only seen the tip of the iceberg in attacks directed at Healthcare organizations. With malicious cyber-attacks becoming more sophisticated, organizations and their employees need to be trained and well informed on how to protect their data. The recent cyber-attack on Anthem has again put the spotlight on the importance of Information Security in Healthcare.

Most organizations believe that because they have passed an audit or two they are protected; that is far from true. As it relates to Information Security, the regulatory requirements in Healthcare are essentially the minimum that must be met to pass an audit. The flaw in this way of thinking is the misunderstanding that Information Security is static in nature when in fact it is very dynamic: Policies, Standards, Processes, and Guidelines need to be constantly reviewed and updated to accommodate changes in the business, in laws, and in technology.

Another misconception is that companies feel protected because they have security controls in place such as Antivirus (AV), Firewalls, Intrusion Detection / Intrusion Prevention Systems (IDS/IPS), Web Content Filtering, etc. The reality is that although these technologies may exist within their infrastructure, most companies do not have experienced personnel on staff to build the proper alert patterns to detect an attack: a control that is deployed but never tuned produces logs that no one reviews, and an attack that matches no configured alert goes unnoticed.

A recent presentation from Mac McMillian, the Chair of the Healthcare Information and Management Systems Society (HIMSS) Privacy and Steering Committee, shows some staggering statistics and facts on Information Security in Healthcare:

• Healthcare-directed attacks have increased by more than 20% a year for each of the last three years
• It is estimated that more than half of all security incidents involve internal staff
• 20-40% of recipients in phishing exercises fall for the scam
• Malware analyzed was found to be undetectable by nearly 50% of all antivirus engines tested
• End-of-life (EOL) systems are still prevalent in healthcare networks

The last point is especially important because Microsoft no longer provides security patches for Windows XP, Windows 2000, Windows NT, etc., and extended support for Windows Server 2003 ended on July 14, 2015. Any of these systems still on a healthcare network will not receive fixes for newly discovered vulnerabilities.

Although it is never good to see an organization go through this type of incident, it does allow organizations to once again revalidate their security posture and look at controls that can be reconfigured or implemented to meet the increased demands of protecting their data. Controls that organizations may want to focus their attention on are as follows:

  • Introduce or mature the following processes:
      ◦ Risk Management
      ◦ Change Management
      ◦ Incident Response
  • Increase the frequency of Vulnerability Scans and Penetration Testing.
  • Review the configuration of all network and security devices, including logging, which alerts are enabled or disabled, device Access Control Lists (ACLs), and placement on the network.
  • Deploy a Data Loss Prevention (DLP) solution.
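To make concrete what "building the proper alert patterns" and "analyzing logging and enabled/disabled alerts" mean in practice, here is an added example that is not part of the original article and does not describe any Anthem system. It is a small Python script that parses a handful of constructed syslog-style authentication events and applies two alert patterns that a tuned IDS/SIEM would carry but a freshly deployed one does not: repeated failures followed by a success from the same source, and one account succeeding from several sources in a short window. The log format, field names, host name, thresholds, windows and IP addresses are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical syslog-style format:
#   <ISO timestamp> <host> auth: <OK|FAIL> user=<account> src=<ip>
# These are made-up lines for illustration, not real logs from any organization.
SAMPLE_LOG = """\
2015-02-04T08:00:01 vpn01 auth: FAIL user=jdoe src=203.0.113.7
2015-02-04T08:00:03 vpn01 auth: FAIL user=jdoe src=203.0.113.7
2015-02-04T08:00:05 vpn01 auth: FAIL user=jdoe src=203.0.113.7
2015-02-04T08:00:06 vpn01 auth: FAIL user=jdoe src=203.0.113.7
2015-02-04T08:00:08 vpn01 auth: FAIL user=jdoe src=203.0.113.7
2015-02-04T08:00:09 vpn01 auth: OK user=jdoe src=203.0.113.7
2015-02-04T08:15:00 vpn01 auth: OK user=asmith src=198.51.100.20
2015-02-04T08:16:00 vpn01 auth: OK user=asmith src=192.0.2.44
2015-02-04T08:17:00 vpn01 auth: OK user=asmith src=203.0.113.90
2015-02-04T09:00:00 vpn01 auth: FAIL user=bwong src=198.51.100.5
2015-02-04T09:30:00 vpn01 auth: OK user=bwong src=198.51.100.5
this line is garbage and will not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Parse log lines into event dicts. Returns (events, unparsed_count).

    Unparsed lines are counted rather than silently dropped: a rising count
    means the log format changed and the alert patterns below have gone blind.
    """
    events, unparsed = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events, unparsed


def brute_force_then_success(events, threshold=5, window=timedelta(minutes=5)):
    """Alert when a (user, source) pair has >= threshold failures inside
    `window` and then logs in successfully: a guessed or sprayed password."""
    alerts = []
    fails = defaultdict(list)  # (user, src) -> timestamps of recent FAILs
    for e in events:
        key = (e["user"], e["src"])
        if e["result"] == "FAIL":
            fails[key].append(e["ts"])
            continue
        recent = [t for t in fails[key] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"rule": "brute_force_then_success", "user": e["user"],
                           "src": e["src"], "ts": e["ts"], "failures": len(recent)})
        fails[key].clear()  # a success resets the counter for that pair
    return alerts


def many_sources_per_user(events, max_sources=2, window=timedelta(minutes=30)):
    """Alert once when an account succeeds from more than `max_sources`
    distinct source IPs inside `window`: a shared or stolen credential."""
    alerts = []
    logins = defaultdict(list)  # user -> [(ts, src), ...] for successes
    alerted = set()
    for e in events:
        if e["result"] != "OK":
            continue
        logins[e["user"]].append((e["ts"], e["src"]))
        recent_srcs = {src for t, src in logins[e["user"]] if e["ts"] - t <= window}
        if len(recent_srcs) > max_sources and e["user"] not in alerted:
            alerted.add(e["user"])
            alerts.append({"rule": "many_sources_per_user", "user": e["user"],
                           "ts": e["ts"], "sources": len(recent_srcs)})
    return alerts


def run(log_text=SAMPLE_LOG):
    """Apply both patterns; returns (alerts, unparsed_line_count)."""
    events, unparsed = parse(log_text)
    alerts = brute_force_then_success(events) + many_sources_per_user(events)
    return alerts, unparsed


if __name__ == "__main__":
    alerts, unparsed = run()
    for a in alerts:
        print(a)
    print(f"{unparsed} line(s) did not match the expected format")
```

On the sample data the script raises two alerts (jdoe after five failures and a success from one source; asmith after three successful logins from three different addresses in two minutes) and reports one unparsed line. The thresholds are deliberately simple; the point is that none of this logic exists until someone on staff writes it, owns it, and watches the unparsed-line count, which is the first sign that a device configuration or log format has changed underneath the rules.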

Information Security can no longer be viewed as something that is nice to have; it must be viewed as mandatory. In light of the Anthem breach, it will be interesting to see how the attackers were able to compromise Anthem's systems. Hopefully this breach will prompt other Healthcare organizations to become more proactive in maturing their security programs and to apply the lessons learned from Anthem.