CareFirst BlueCross BlueShield’s disclosed breach makes it the third major health insurer (Anthem and Premera being the first two) to disclose such an incident. Three may not be that big of a number, but it’s starting to show a pattern: healthcare organizations are being targeted by hackers for their sensitive data. Furthermore, healthcare institutions continue to have a challenge in detecting breach within a short time-frame.
The CareFirst breach was discovered during an assessment in April, but the breach dates back to June 2014. CareFirst says they had detected the incident when it occurred and thought they had contained it. The database accessed didn’t contain social security numbers or financial information, only member subscriber information. Even though the data solely involves membership access information it can cause further damage by gathering sensitive data via phishing scams (for example). With this in mind, CareFirst is warning members of the possibility and informing customers to expect notification via postal mail only.
What lessons can the healthcare industry (and any organization that holds valuable data) take from yet another successful data breach?
For one, you can’t prevent an attack if you can’t detect it. Two, even if you can detect it, if you fail to resolve it you have an even bigger problem because you now think you’re data is safe, when really the intruders continue to have access to it. Our own research shows that 85% of companies don’t even use security event management to detect breach activity.
In CareFirst’s case, they had spotted the issue and thought they resolved it. It wasn’t until their next assessment that they realized they had been mistaken. The only way a business can stay on top of their vulnerabilities is to integrate security activity within their business structure. You don’t carry out an assessment once a year, you implement continuous monitoring and proactive measures all year round.
1.1 million current and former CareFirst members had their data compromised and although the information taken isn’t excessively sensitive, it’s enough to open the door to phishing scams. From phishing scams, access to more sensitive data is possible, even network intrusion; all it takes is one vulnerability, it’s a domino effect.
Healthcare organizations need to take additional precautions if they’re going to protect their enterprise and data. It’s not enough to meet compliance and to have periodic assessments. A holistic security plan and the manpower, with the right level expertise, are how enterprises can detect breach sooner than later and know for sure if it has been contained.
How do you plan on getting ahead of your security risks?
Photo courtesy of wavebreakmedia