Insurance Data Encryption Argument Settled After Major Breaches

With Premera Blue Cross now the victim of a huge cyber attack affecting 11 million individuals—following Anthem’s attack that hit about 78.8 million—the justifications for not encrypting data at rest may quickly be evaporating.

When healthcare providers and insurers assess the risks and conduct cost-benefit analyses on whether core electronic health records and insurance information systems should be encrypted, more often than not the decision has been made to not encrypt.

But, these systems are in constant use and encryption, while greatly improved in recent years, still delivers performance hits on data processing speeds. “We’re at a point where encryption arguments go away,” says Darrell Burkey, a director at IT security vendor Check Point Software.

“I would not be surprised if more hacks come—it seems to be a trend,” echoes Ken Dort, a partner in the Chicago law firm Drinker Biddle & Reath. The Anthem and Premera attacks, which follow last year’s huge hack of Community Health Systems, show that regardless of the type of industry, businesses need to seriously investigate and address the weak links in their information systems, he adds.

Also SeeWhy Do Hackers Target Health Insurers?

Yes, encryption slows data processing systems, but business must start to invest in updating their those systems to perform better with encryption employed, as the cost-benefit analysis of not encrypting now is shifting with the growing cyber threats, Dort says. The rationale for not encrypting is becoming obsolete as the technology becomes easier to use and businesses bite the bullet and improve their systems.

Further, while HIPAA doesn’t expressly mandate encryption—making it an “addressable” security solution that must be considered but enabling healthcare organizations to justify other means of protection—when federal regulators in the HHS Office for Civil Rights investigate breaches and want fixes, they regularly expect encryption to be part of the fix. “HHS is going to want to see very substantial reasons why you weren’t encrypting in the first place,” Dort cautions.

The Premera attack could be more harmful to its members than Anthem’s beach. As huge and encompassing as the data haul was at Anthem, claims, bank account numbers and clinical data—a trifecta for identity theft thieves—were not breached. Premera’s attack included these three chunks of data and just about everything else a ring of thieves would want: name, date of birth, email address, home address, telephone number, Social Security number and member identification number.

A note of caution: Whether the Premera breach was a state-sponsored theft of information for geo-political intelligence (a lot of government agencies insure through the Blues) or a crime for profit via identity theft is not yet clear. And the degree to which various pieces of data were breached, including medical records, also is not yet clear. Still, a rich treasure chest of information has been compromised.

Also unclear is whether the two hacks against the insurers are related. However, ThreatConnect, vendor of a cyber threat intelligence platform to manage threat information, is suggesting there may be a connection. “We’ve seen patterns of evidence of a Chinese threat actor that used similar techniques and capabilities against Anthem and Premera,” says Rich Barger, chief intelligence officer.

Further, while Premera has said the attack appears to have initiated on May 5, 2014, ThreatConnect believes the hack was being staged—an initial search for vulnerabilities—as early as December 2013. “There was at least interest in the Premera infrastructure in 2013,” Barger says. “Even a failed event is useful to know.” A Premera spokesperson did not quickly respond to a request for comment on whether the company had indications of snooping in late 2013.

The Targets

Insurance companies will remain big targets because the bad guys know that they have huge sources of data, says Kate Borten, president of Marblehead Group, a health information technology security consultancy. That said, encryption won’t stop a breach if a phishing attempt is successful and a thief tricks an employee into providing credentials to get into information systems, which is what caused the Anthem breach, because the credentials can decrypt any desired information that is encrypted.

Many healthcare organizations are small and don’t have enough data to be a target for cyber thieves. But too many organizations with enough data have a massive security hole that is easy to fix, Borten says. They are putting protected information on a server that has a public Internet Protocol address, or IP. That means the IP—the address of the Web server—is available on the public Internet.

That address brings a thief to the server to start looking for vulnerabilities, such as weak areas that need patches or obsolete rules on firewalls. But there is no way to get to data if the server is on a private IP and credentials are not breached.

Time to Redesign

In healthcare and other industries, information networks often are not designed with optimal security, but evolve over time, and now the priority of security among businesses also must evolve, says Burkey of Check Point Software. It is time to redesign systems to segment critical operations or data, and to add new layers of credentials to move throughout a network. Encryption has improved in its usability and the tools to implement and manage encryption also are better, he adds. “You need to assess network architecture with security in mind.”

There are all kinds of business opportunities for identity thieves, Burkey says. With medical records information available to thieves, they can blackmail wealthy or famous individuals because of information in the records that victims would not want to be made public. “It’s an easy case to make for not encrypting, until you are breached.”

The biggest security problem for healthcare organizations is that they often move slowly in making decisions, so they have a tough time keeping up with threat information and it takes a lot of time to upgrade security systems, says Cameron Camp, a researcher at ESET, a cyber security software vendor. Consequently, the tie between information systems administrators and the boardroom is becoming critical. “If IT has a problem, the boardroom has a problem immediately. And it directly affects the bottom line.”

The question remains how Anthem, Premera, Community Health Systems and other organizations victimized by cyber attacks did not know of the attacks for so long, and the answer may be a simple one, Camp says. “They have 10,000 alerts coming through a day and missed the one they really needed to see.”

For reprint and licensing requests for this article, click here.
Security risk Data security Core systems
MORE FROM DIGITAL INSURANCE