Premera Cyberattack: Why It Happened and How to Protect Your Organization

Bob Swanson
Bob Swanson

In light of the Premera Blue Cross cyberattack and data breach — which, so far, is the second-biggest of its kind in industry history that exposed personal, financial and medical information of more than 11 million customers — Bob Swanson, compliance engineer at LogRhythm provides some wonderful detail and perspective regarding the news.

In the following conversation, Swanson discusses what we know about the beach so far, how organizations can strengthen their security efforts, motivations of hackers, as well as provides a vast level of insight to help navigate the situation and guidance for others hoping to avoid breach,

What do you know about the hack and what don’t you know? How similar/dissimilar is it to other major hacks?

Although Premera has said the breach was detected back on Jan. 29,2014, the first signs of the attack date back to May 5, 2014. So with the breach going undetected for over six months, the culprit(s) had ample time to navigate through Premera’s network and find exactly what they were looking for – sensitive data with value in the black market, regardless of whether there is evidence indicating it has surfaced. Given time, a proficient hacker will set false trails and distort clues of their activities to confuse investigators or IT security professionals. However, they are currently under federal investigation working with the FBI and cyber security firm, Mandiant, to better understand the nature and scope of the attack. Many additional details will come to light as the investigation continues, but it is clear that early indicators were not picked up on. Similar to other major breaches in the healthcare and other industries, as the mean-time-to-detection (MTTD) increases, this gives proficient hackers time to navigate the network, find what they are after and make it more difficult to discover the true details around the attack.

Is it related to the Anthem hack? Several Blues plans that aren’t part of Anthem still were business partners and were affected by the hack. As Premera was investigating the effect of the Anthem hack, did they discover their own hack?

With many of the facts surrounding the breach still unclear or undefined, initially it does not appear to be linked to the Anthem breach; however, consider their targets or objectives for similarities.  In healthcare, patient information containing elements of social security numbers or other protected health information (PHI) has a significant worth in various markets, both known and unknown. With this comes a demand and hackers are seeking out organizations to exploit and provide the supply. Also, as seen in both Anthem and Premera, the intrusion went on for some time without detection or actions taken to remediate compromised systems. The similarities between the attacks can be seen at a higher-level where the industry as a whole finds challenges in gaining the necessary budget allocation to support sound cyber security programs. Many healthcare organizations have highly integrated systems, so all you need is one back door to be left open, say a compromised account, and hackers can navigate to their targets unseen for lengthy periods of time.

What should industry stakeholders be doing today to strengthen defenses and better protect data that they haven’t been doing?

The industry needs to focus on reducing the mean-time-to-detection (MTTD) and mean-time-to-respond (MTTR). The growing complexity and sophistication of cyber-attacks coupled with the increasing amount of data at risk presents a significant challenge for Information Security teams to sift through the noise, prioritize the investigation, gather sufficient evidence, understand the scope of the breach, centrally track progress and ultimately take steps to remediate the compromised systems.  Being able to identify potential breaches early on in the attack’s life cycle is crucial to limiting the impact and to deter the attack from ever reaching the target.  The healthcare industry should look to build off existing HIPAA compliance regulations to improve their overall security.  Keep in mind that even though these organizations were compliant, the breaches still occurred. There are many innovative and forward thinking approaches beyond compliance requirements, such as using as honey pots or creating a false environment to learn from hacker activities, but the industry must first invest in resources to build up cyber security programs.

Why are hackers going after health insurers like Anthem and Premera now?

Hackers have a specific goal in mind and that is to steal sensitive information known as protected healthcare information (PHI). This information includes Social Security numbers and other data elements that carry significant value in the black market and can be used to facilitate other objectives. With an industry containing highly integrated systems, storing a plethora of PHI data and lacking in robust cyber security programs, this by itself presents an attractive target to proficient hackers. As seen with Anthem and now Premera, the breaches occurred and went undetected for some time, which plays in favor of the hacker to navigate, locate their objective and potentially cover up or create divergence from their trail. The main difference initially is that Premera’s data was encrypted.

What is the motivation for the attacks? What’s driving these attacks?

It’s hard to say what the true motivation of the attack was at this time. It may have been to exploit or expose a large, industry vulnerability, but it’s more likely that the motivation was to simply sell the data for profit. The fact there are markets out there (demand) and targets that are attractive (healthcare industry), its surprising more breaches have not come to light.  Hackers may also sit on the data for some time, even years, letting the initial uproar from the breach quiet down before taking action.

So far it’s been reported that Anthem data hasn’t been found in the black market for ID thieves. So what could be the other possible motives for hackers to collect health insurance data, if it’s not for ID theft or fraud?

Just because the compromised data has not shown up on the black market at this time does not necessarily mean that it eventually will. Hackers could already have a buyer and thus no need to post it publicly. Or maybe there are other markets outside of the black market where profits can be gained. Hackers may also wait for the initial uproar of the attack to quiet down, sometimes even years, before doing anything with the compromised data. The true motives may not come to light during the initial weeks or months after the attack has been detected. Hopefully the investigations shed more light.

How hard was it for hackers to break into the Anthem and Premera systems? How much expertise was needed to break into these systems?

We are talking proficient hackers and an industry as a whole that is lacking in robust cyber security programs, so all it takes is one compromised account or back door to be opened that leans the advantage in favor of the attack. It’s likely this was a proficient hacker that will not make it easy to decipher the details of the attack.

Why did it take several months for the attacks to be discovered?

Limited resources can play a part in missing early indicators, but the power of correlation comes into significant play here. Being able to correlate activities across various environments and alarming on activities “out of the norm” can bring potential security events up for further analysis. But organizations must have resources allocated to sift through these indicators, escalate security events, communicate to appropriate response parties and take early action to remediate any exposures or compromises.

How can other insurers and healthcare sector companies improve detection and prevention of these hacker attacks?

The key here is to reduce the mean-time-to-detection (MTTD) and mean-time-to-respond (MTTR). In doing so attacks can be thwarted early on in the attack life cycle and steps to remediate the exposure can be implemented sooner.  To do this, the industry must recognize the need to invest in cyber security programs and have resources dedicated to continuous monitoring and ongoing improvement of their security posture.

Should insurers consider collecting & storing massive amounts of data in several databases rather than one large database? Would that help?

Some experts recommend taking a silo approach or apply network segmentation for servers containing sensitive healthcare information. This would segregate high risk servers from other, more vulnerable components of the organization’s network.  Healthcare organizations should also look to their compliance programs as a platform to build off of, leveraging risk assessments or data classification exercises to identify at risk components of their network.  Focusing on high-risk elements containing PHI, organizations can actually allocate budget to mitigate those high-risks and as the security program matures, work to address mid to low-level risks. It’s an ongoing, maturing process for the industry, but you have to start somewhere; might as well start with your HIPAA compliance program.

How can insurers and other healthcare sectors “retrofit” their systems to better defend against these massive cyberattacks?

First the healthcare sector needs to be educated on their environment. Know what is out there including sensitive data and risk exposures. Many compliance mandates these days incorporate a risk-assessment or some form of data classification activity that could shed light on where the organizations at risk components are. Second, organizations must consolidate the storage of PHI data and take on network segmentation, applying sound security controls to at risk components. Legacy systems are exceptionally vulnerable. Lastly, organizations must build off existing compliance programs to mature their cyber security posture. This entails investing and allocating resources to the program and educating the user base on the threat landscape. However, all of this is a recommendation and any approach should be vetted with the organization’s auditing group.


Write a Comment

Your email address will not be published. Required fields are marked *