BreachExchange mailing list archives

Key Takeaways From the Premera Data Breach


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 23 Mar 2015 19:06:05 -0600

http://healthitsecurity.com/2015/03/23/key-takeaways-from-the-premera-data-breach/

Last week, the Premera data breach announcement further pushed the data
security of healthcare organizations into the limelight. The health insurer
stated that approximately 11 million members’ sensitive information,
including PHI, was potentially exposed after a “sophisticated cyber attack”
infiltrated its system.

Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and the
health insurer’s affiliate brands Vivacity and Connexion Insurance
Solutions, Inc. are all potentially affected, with applicants’ and members’
names, dates of birth, email addresses, addresses, telephone numbers,
Social Security numbers put at risk. Moreover, member identification
numbers, bank account information, and claims information, including
clinical information, were all potentially exposed.

Incidents like this are likely to cause healthcare leaders to review their
incident response procedures, according to Dan Bowden, Chief Information
Security Officer for the University of Utah, University of Utah Health
System. Many organizations are already working on their malware defense
capabilities, Bowden said, but the two large scale breaches over the last
couple of months further underline the importance of incident response.

“There is no absolute to tell your consumers that there is no possible way
their data will not get breached,” Bowden said. “We have people come to
work every day trying to do the right thing and people make mistakes.”

For example, an employee could open an email that lets malware into the
healthcare organization’s system.

“As long as we have people working with the data, even if they’re trying to
do the right things, they can be victimized by a good attacker,” Bowden
explained.

However, incidents like the Premera data breach and the Anthem data breach
announced in early February have brought other important issues to the
forefront, Bowden said. Health data encryption is an increasingly popular
topic, as many have criticized Anthem for allegedly not having its data
encrypted. But each incident seemed to involve a serious malware attack,
according to Bowden.

Health data encryption is an “addressable” aspect of HIPAA, rather than a
“required” one. This can make it difficult to compare one organization to
the next, Bowden said, as different facilities will need different types of
privacy and security measures. And even if a covered entity has data
encryption in place, if an employee is using a laptop on the organization’s
system, a third party who gains access to that laptop could still reach the
data.

“Malware lets someone get escalated privileges, and in some way,
circumvents the encryption,” Bowden said, adding that there is still some
“dust to settle” in the Anthem and Premera cases.

Until more information is released, it will be difficult to determine
exactly what went wrong and how other healthcare organizations could
potentially learn from those actions and prevent their systems from being
breached.

Malware has become an increasingly large issue, Bowden explained. Even
three to five years ago, the healthcare industry’s top issue was lost
laptops, he said, which was also part of the large push for data
encryption. Now, with two large scale data breaches involving malware,
Bowden said that there might be new priorities ahead for the healthcare
sector.

“A lot of consumers are cynical about any organization’s ability to protect
their data absolutely,” Bowden said. “I’m not sure if trying to do an
absolute of convincing customers is possible, but we need to do everything
to show we have their best interests in mind and are doing our best to
assess the risk and put reasonable controls in place to protect their data.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
