Premera Cyberattack: Why It Happened and How to Protect Your Organization

Bob Swanson

In light of the Premera Blue Cross cyberattack and data breach — so far the second-biggest of its kind in industry history, exposing the personal, financial and medical information of more than 11 million customers — Bob Swanson, compliance engineer at LogRhythm, provides detail and perspective on the news.

In the following conversation, Swanson discusses what we know about the breach so far, how organizations can strengthen their security efforts, and the motivations of hackers, and offers insight to help navigate the situation along with guidance for others hoping to avoid a breach.

What do you know about the hack and what don’t you know? How similar/dissimilar is it to other major hacks?

Although Premera has said the breach was detected back on Jan. 29, 2014, the first signs of the attack date back to May 5, 2014. So with the breach going undetected for over six months, the culprit(s) had ample time to navigate through Premera’s network and find exactly what they were looking for – sensitive data with value on the black market, regardless of whether there is evidence indicating it has surfaced. Given time, a proficient hacker will set false trails and distort clues of their activities to confuse investigators or IT security professionals. However, they are currently under federal investigation, working with the FBI and the cyber security firm Mandiant to better understand the nature and scope of the attack. Many additional details will come to light as the investigation continues, but it is clear that early indicators were not picked up on. Similar to other major breaches in healthcare and other industries, as the mean-time-to-detection (MTTD) increases, proficient hackers gain time to navigate the network, find what they are after and make it more difficult to discover the true details of the attack.

Is it related to the Anthem hack? Several Blues plans that aren’t part of Anthem still were business partners and were affected by the hack. As Premera was investigating the effect of the Anthem hack, did they discover their own hack?

With many of the facts surrounding the breach still unclear or undefined, initially it does not appear to be linked to the Anthem breach; however, consider their targets or objectives for similarities. In healthcare, patient information containing elements such as social security numbers or other protected health information (PHI) has significant worth in various markets, both known and unknown. With this comes a demand, and hackers are seeking out organizations to exploit in order to provide the supply. Also, as seen in both Anthem and Premera, the intrusion went on for some time without detection or actions taken to remediate compromised systems. The similarities between the attacks can be seen at a higher level, where the industry as a whole finds challenges in gaining the necessary budget allocation to support sound cyber security programs. Many healthcare organizations have highly integrated systems, so all you need is one back door to be left open, say a compromised account, and hackers can navigate to their targets unseen for lengthy periods of time.


Alexander, Murray Urge Anthem to Notify All 78.8 Million Americans Affected in Cyber Attack

Senate health committee Chairman Lamar Alexander (R-Tenn.) and Ranking Member Patty Murray (D-Wash.) are urging insurer Anthem to notify all 78.8 million Americans whose sensitive personal information may have been exposed in a cyber attack discovered in January.

Lamar Alexander

In a letter to Anthem, the committee leaders note that more than a month and a half after a cyber attack identified on Jan. 29, 2015, “more than 50 million Americans … have yet to receive notice directly from Anthem” that their personal information, including addresses, birth dates, employer information, Social Security numbers and email addresses, may have been compromised, exposing them to resulting security threats like identity theft.

The senators write, “…[T]he highly sensitive nature of this information makes early notification essential, and we are concerned with your slow pace of notification and outreach thus far. We are writing to formally request that you speed up the pace of notifications, and share with our committee what steps you plan to take in the next few days, to dramatically increase the pace of notification. This slow pace is of particular concern given that many of the individuals whose information has been compromised are not Anthem customers and may still be unaware that their information was contained in the attacked database.”

They continue, “We formally request that you provide a clear action plan that accelerates the current pace of notification and ensures that all affected families receive notification in the upcoming days. …This is a critical and pressing issue, and while we understand there are many complications given the size and scope of the attack, we look forward to your response by April 1, 2015 on your progress and a clear target for when you will have reached out to every affected individual.”
