Mar 19
2015
Premera Cyberattack: Why It Happened and How to Protect Your Organization
In light of the Premera Blue Cross cyberattack and data breach — which, so far, is the second-biggest of its kind in industry history that exposed personal, financial and medical information of more than 11 million customers — Bob Swanson, compliance engineer at LogRhythm provides some wonderful detail and perspective regarding the news.
In the following conversation, Swanson discusses what we know about the beach so far, how organizations can strengthen their security efforts, motivations of hackers, as well as provides a vast level of insight to help navigate the situation and guidance for others hoping to avoid breach,
What do you know about the hack and what don’t you know? How similar/dissimilar is it to other major hacks?
Although Premera has said the breach was detected back on Jan. 29,2014, the first signs of the attack date back to May 5, 2014. So with the breach going undetected for over six months, the culprit(s) had ample time to navigate through Premera’s network and find exactly what they were looking for – sensitive data with value in the black market, regardless of whether there is evidence indicating it has surfaced. Given time, a proficient hacker will set false trails and distort clues of their activities to confuse investigators or IT security professionals. However, they are currently under federal investigation working with the FBI and cyber security firm, Mandiant, to better understand the nature and scope of the attack. Many additional details will come to light as the investigation continues, but it is clear that early indicators were not picked up on. Similar to other major breaches in the healthcare and other industries, as the mean-time-to-detection (MTTD) increases, this gives proficient hackers time to navigate the network, find what they are after and make it more difficult to discover the true details around the attack.
Is it related to the Anthem hack? Several Blues plans that aren’t part of Anthem still were business partners and were affected by the hack. As Premera was investigating the effect of the Anthem hack, did they discover their own hack?
With many of the facts surrounding the breach still unclear or undefined, initially it does not appear to be linked to the Anthem breach; however, consider their targets or objectives for similarities. In healthcare, patient information containing elements of social security numbers or other protected health information (PHI) has a significant worth in various markets, both known and unknown. With this comes a demand and hackers are seeking out organizations to exploit and provide the supply. Also, as seen in both Anthem and Premera, the intrusion went on for some time without detection or actions taken to remediate compromised systems. The similarities between the attacks can be seen at a higher-level where the industry as a whole finds challenges in gaining the necessary budget allocation to support sound cyber security programs. Many healthcare organizations have highly integrated systems, so all you need is one back door to be left open, say a compromised account, and hackers can navigate to their targets unseen for lengthy periods of time.