Healthcare and Technology news
Up to 1.1 Million Customers Could be Affected in Data Breach at Insurer CareFirst

CareFirst, a Blue Cross Blue Shield plan, on Wednesday became the third major health insurer in the United States to disclose this year that hackers had breached its computer systems and potentially compromised some customer information.

The attack could affect as many as 1.1 million of its customers, but CareFirst said that although the hackers gained access to customer names, email addresses and birthdates, they did not obtain sensitive financial or medical information like Social Security numbers, credit card information and medical claims. The company, which has headquarters in Maryland and serves the Washington area, said the attack occurred in June and described it as “sophisticated.”

Chet Burrell, CareFirst’s chief executive, said the company contacted the Federal Bureau of Investigation, which is investigating attacks against the insurers Anthem and Premera. “They are looking into it,” he said.

While it was not clear whether the attacks were related, he said the company was under constant assault by criminals seeking access to its systems.

Federal officials have yet to label the breaches at Anthem and Premera Blue Cross as state-sponsored hackings, but the F.B.I. is effectively treating them as such, and China is believed to be the main culprit, according to several people who were briefed on the investigations but spoke on the condition of anonymity. There are indications the attacks on Anthem, Premera and now CareFirst may have some common links.

Charles Carmakal, a managing director at Mandiant, a security firm retained by all three insurers, said in an emailed statement that the hacking at CareFirst “was orchestrated by a sophisticated threat actor that we have seen specifically target the health care industry over the past year.”

The breaches at Anthem, which is one of the nation’s largest health insurers and operates Blue Cross Blue Shield plans, and Premera Blue Cross, based in Washington State, were much larger. The one at Anthem may have compromised the personal information of 79 million customers and the one at Premera up to 11 million customers.

Anthem has said the hackers may have stolen Social Security numbers but did not get access to any medical information. Premera said it was possible that some medical and bank account information may have been pilfered.

CareFirst said it was aware of one attack last year that it did not believe was successful. But after the attacks on other insurers, Mr. Burrell said he created a task force to scrutinize the company’s vulnerabilities and asked Mandiant, a division of FireEye, to perform a forensic review of its systems. Last month, Mandiant determined a breach had occurred in June 2014.

Health insurance firms are seen as prime targets for hackers because they maintain a wealth of personal information on consumers, including medical claims records and information about credit card and bank accounts.

In recent years, the attacks have escalated, said Dr. Larry Ponemon, the chairman of Ponemon Institute, which studies security breaches in health care. He said the health care industry was particularly vulnerable and that the information it had was attractive to criminals who use the data to steal the identity of consumers.

“A lot of health care organizations have been historically laggards for security,” he said.

Insurers say they are now on guard against these attacks. But Dr. Ponemon said they had taken only small steps, not “huge leaps,” in safeguarding their systems.

The motivation of the hackers in these cases, however, is unclear — whether they are traditional criminals or groups bent on intelligence-gathering for a foreign government.

In the retail and banking industries, the hackers have been determined to get access to customer credit card information or financial data to sell on the black market to other online criminals, who then can use it to make charges or create false identities.

So far, there is scant evidence that any of the customer information that might have been taken from Anthem and Premera has made its way onto the black market. The longer that remains the case, the less likely that profit was a motive for taking the information, consultants said. That suggests that the hackers targeting the health care industry may be more interested in gathering information.

“It’s such an attractive target and it’s a soft target and one not traditionally well protected,” said Austin Berglas, head of online investigations in the United States and incident response for K2 Intelligence and a former top agent with the F.B.I. in New York. “A nation state might be looking at pulling out medical information or simply looking to get a foothold, which they can use as a testing ground for tools to infiltrate other sectors,” he said.

Paul Luehr, a managing director at Stroz Friedberg, a security consulting firm, said the health care breaches could be an entry point into other systems. “It could serve as a conduit to valuable information in other sectors because everyone is connected to health information,” he said.

Or the breaches could simply be crimes of opportunity. The hackers could be making off with information and waiting to determine what to do with it.

“We want to jump to the conclusion that there is an organized chain and command,” said Laura Galante, threat intelligence manager for FireEye, who was not commenting specifically on any particular breach. “But what could be happening here is much more chaotic. It’s simply, ‘Get whatever data you can get and figure out what to do with it later.’ ”


Could a Greater Investment in Cyber Insurance Have Saved Anthem?

According to the Identity Theft Resource Center, last year saw 287 breaches and more than 7.7 million records compromised in the medical and healthcare industry alone. Healthcare breaches have made up more than 10 percent of the year’s attacks, proving what those in the industry already know—personal health information is valuable and sought after by hackers.

To this end, the recent breach of the Indianapolis-based health insurer Anthem was a massive one, exposing the personal data of approximately 80 million of its plan members. Shortly after the breach, it was estimated that the hack of Anthem could end up costing more than a billion dollars in total. "It's that big. We wouldn't be surprised to see the costs of the Anthem breach exceed a billion dollars,” said Daniel W. Berger, president and CEO of Redspin, a Carpinteria, Calif.-based health IT security consultant.

What’s more, according to a Business Insurance report, Anthem has $150 million to $200 million in cyber insurance, including excess layers of cyber coverage, sources told the publication. Anthem's primary cyber insurer is Lexington Insurance Co., a unit of American International Group (AIG), Business Insurance revealed, explaining that Anthem has $10 million in primary cyber coverage above a $10 million self-retention with Lexington. However, when a company has up to 80 million current customers, former customers, employees and investors to notify—in addition to lawsuits— this amount may not be enough, says Natalie Lehr, co-founder of cybersecurity firm TSC Advantage, based in Washington, D.C.

Indeed, various news media outlets have suggested that Anthem’s insurance policy could be exhausted. Lehr says that generally speaking, when companies put together their investment for security, they look for a standard where they meet their compliance obligation. The challenge with cases such as Anthem, Lehr says, is that even when the organization’s investments in security are to meet those standards, it’s still insufficient because it may not protect you against the ongoing liability, in this case on the class-action lawsuit side. “This is one of the big reasons why I see this as a watershed moment for the industry in terms of the scale of data taken,” Lehr says. “The intangible financial loss that a company could face can exceed the insurable loss calculation that has historically taken place with the transference of risk to the insurers.”

As such, Lehr notes that if organizations exceed the standard, it reduces the likelihood of compromise, and also the probability of compromise in the future. “It is a testament to any organization that invests in maturity beyond the standard,” she says. “Part of what we have done with our insurance partners is set up a way to measure the security level so clients who do exceed the standard can get a discount on their premium. Historically, that’s not part of the dialogue or pre-binding process thought,” she adds.

Lehr further says that with Anthem specifically, a sophisticated data loss prevention solution could have been put in place, so that as the bulk of material moved across the file transfer protocol (FTP) network, the organization could look through that traffic for categories of data such as Social Security numbers. “We don’t know for sure if they had that in place, but it seems that with the bulk of the losses that occurred with Anthem, there was a determination made that it was internal data, which wasn’t necessarily required to be encrypted from a compliance standard,” she says. “But there’s a whole host of additional controls that could be applied, and it’s about the nature in which organizations address that.”
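As an added illustration of the kind of data loss prevention check Lehr describes (example code written for this page, not code from the article or from TSC Advantage), the Python below scans a constructed outbound transfer for Social Security number patterns and flags a bulk movement of records. The sample payload, the structural validity rules and the alert threshold are assumptions.

```python
import re

# Constructed sample of an outbound file transfer payload (not real data).
SAMPLE_TRANSFER = (
    "member_id,name,ssn,dob\n"
    "1001,Alice Example,123-45-6789,1980-01-02\n"
    "1002,Bob Example,000-12-3456,1975-06-07\n"      # area 000 is never issued
    "1003,Carol Example,987-65-4321,1990-03-04\n"    # area 900-999 is never issued
    "1004,Dan Example,234-56-7890,1985-11-12\n"
    "1005,Eve Example,123-45-6789,1980-01-02\n"      # duplicate of record 1001
    "note: claim 456-78-9012 reviewed; order 12-3456-789 shipped\n"
)

# Loose dashed shape first; undashed nine-digit runs are left out here because
# they collide with phone numbers, account numbers and timestamps.
SSN_SHAPE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Apply the structural rules of the SSA numbering scheme (assumed here):
    area 000, 666 and 900-999 are never issued; group 00 and serial 0000 are invalid."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def scan_payload(payload: str) -> dict:
    """Count SSN-shaped tokens, those that pass the validity rules, and unique values."""
    shape_hits = SSN_SHAPE.findall(payload)
    plausible = [f"{a}-{g}-{s}" for a, g, s in shape_hits if plausible_ssn(a, g, s)]
    return {
        "shape_matches": len(shape_hits),
        "plausible": len(plausible),
        "unique": len(set(plausible)),
    }


def dlp_verdict(payload: str, threshold: int = 3) -> dict:
    """Flag the transfer when the number of distinct plausible SSNs reaches the
    threshold; a single SSN in a support note is normal, a column of them is not."""
    stats = scan_payload(payload)
    stats["flag"] = stats["unique"] >= threshold
    return stats


if __name__ == "__main__":
    print(dlp_verdict(SAMPLE_TRANSFER))
```

Counting distinct values rather than raw matches keeps a repeated record from inflating the score, while the validity rules drop the placeholder and out-of-range numbers that pad test data.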

At the end of the day, Lehr says that while no one ever envisioned anything being stolen on the scale of what happened at Anthem, it is critical to make sure that you’re leading in terms of security posture, and that you’ve focused your investment around the core parts of your business. “If we look at the past as a marker of the type of cyber breach we’ll see in the future, we’re sort of kidding ourselves,” she says. “We talk to our clients about making sure their strategy isn’t to respond to an incident. That’s not enough. Investment in prevention is testament to investment in future.”

Brian S. Smith, CIC, ARM's curator insight, March 26, 2015 8:16 PM

Interesting article about the data breach event suffered by Anthem. The insurance costs are staggering as is the exposure.


Medical identity theft sees sharp uptick

The number of patients affected by medical identity theft increased nearly 22 percent over the past year, according to a new report from the Medical Identity Fraud Alliance – an increase of nearly half a million victims since 2013.

In the five years since the survey began, the number of medical identity theft incidents has nearly doubled to more than two million victims, according to MIFA, a public/private partnership committed to strengthening healthcare by reducing medical identity fraud.

"Over the past five years, we've seen medical identity theft steadily rising with no signs of slowing," said Larry Ponemon, chairman and founder of the Ponemon Institute, which conducted the study. "Our research shows more than two million Americans were victims of medical identity theft in 2014, nearly a quarter more than the number of people impacted last year."

In San Diego March 5-6, the two-day Privacy & Security Forum, presented by Healthcare IT News and HIMSS Media, featuring 26 sessions and 40 speakers from healthcare organizations such as Kaiser Permanente and Intermountain Healthcare, will put the focus on cyber crime and data security, discussing best practices to help keep these numbers in check.

Other findings from the report:

  • Sixty-five percent of medical identity theft victims surveyed paid more than $13,000 to resolve the crime. In 2014, medical identity theft cost consumers more than $20 billion in out-of-pocket costs. The number of victims experiencing out-of-pocket cost rose significantly from 36 percent in 2013 to 65 percent in 2014.
  • Victims are seldom informed by their healthcare provider or insurer. On average, victims learn about the theft of their credentials more than three months following the crime and 30 percent do not know when they became a victim. Of those respondents (54 percent) who found an error in their Explanation of Benefits, about half did not know to whom to report the claim.
  • In many cases, victims struggle to reach resolution following a medical identity theft incident. Only 10 percent of survey respondents reported achieving completely satisfactory conclusion of the incident. Consequently, many respondents are at risk for further theft or errors in healthcare records that could jeopardize medical treatments and diagnosis.
  • Nearly half of respondents (45 percent) say medical identity theft affected their reputation in some way. Of those, nearly 90 percent suffered embarrassment stemming from disclosure of sensitive personal health conditions and more than 20 percent of respondents believe the theft caused them to miss out on career opportunities or lose employment.
  • A large majority of respondents (79 percent) expect their healthcare providers to ensure the privacy of their health records. Forty-eight percent say they would consider changing healthcare providers if their medical records were lost or stolen. If a breach does occur, 40 percent expect prompt notification to come from the responsible organization.

"2015 will be a year of increased attention to the pervasiveness and damaging effects of medical identity theft," said Ann Patterson, senior vice president and program director at MIFA, in a press statement. "As we've already seen this year, the healthcare industry is and will continue to be a major target for hackers. Stolen personal information can be used for identity theft, including medical identity theft and the impact to victims can be life-threatening."


Nearly Seven in 10 Patients Would Avoid Healthcare Providers That Undergo a Data Breach

A new survey from TransUnion Healthcare found that more than half of recent hospital patients are willing to switch healthcare providers if their current provider undergoes a data breach. Nearly seven in 10 respondents (65%) would avoid healthcare providers that experience a data breach.

Older and younger consumer groups responded differently to data breaches. While 73% of recent patients ages 18 to 34 said they were likely to switch healthcare providers, older consumers were less willing. Nearly two-thirds (64%) of patients older than 55 were not likely to consider switching healthcare providers following a data breach.

“Older consumers may have long-standing loyalties to their current doctors, making them less likely to seek a new healthcare provider following a data breach,” said Gerry McCarthy, president of TransUnion Healthcare. “However, younger patients are far more likely to at least consider moving to a new provider if there is a data breach. With more than 80 million millennials recently entering the healthcare market, providers that are not armed with the proper tools to protect and recover from data breaches run the risk of losing potentially long-term customers.”

Other survey insights on consumers’ expectations following a data breach include:

  • Nearly half of consumers (46%) expect a response or notification within one day of the breach.
  • 31% of consumers expect to receive a response or notification within one to three days.
  • Seven in 10 (72%) consumers expect providers to offer at least one year of free credit monitoring after a breach.
  • Nearly six in 10 (59%) consumers expect a dedicated phone hotline for questions.
  • More than half of consumers (55%) expect a dedicated website with additional details.

“The hours and days immediately following a data breach are crucial for consumers’ perceptions of a healthcare provider,” said McCarthy. “With the right tools, hospitals and providers can quickly notify consumers of a breach, and change consumer sentiments toward their brand.”

Anthem's Audit Refusal: Mixed Reaction

Privacy and security experts are offering mixed reviews of Anthem Inc.'s denial of a government auditor's request to perform vulnerability scans of the health insurer's IT systems in the wake of a hacker attack that affected 78.8 million individuals.

The Office of Personnel Management's Office of Inspector General, in a statement provided to Information Security Media Group, says Anthem - citing "corporate policy" - refused to allow the agency to perform "standard vulnerability scans and configuration compliance tests" this summer, as requested by the OIG. The health insurer also refused to allow the OIG to conduct those vulnerability tests in 2013 as part of an IT security audit that was performed by the agency.

"Anthem is in a no-win situation on this [most recent] request," says Dan Berger, CEO of security services firm Redspin. "It does appear Anthem has the contractual right to decline the request for an OIG vulnerability scan. But they might want to rethink that. Refusing now looks bad - both to their client OPM and to the public at large."

Security expert Mac McMillan, CEO of the consulting firm CynergisTek, notes: "Usually most companies want to cooperate with the government regulators because, quite frankly, it's in their best interest to do so. Most government contracts provide a provision for the government to conduct an audit if they deem it necessary."

But some other security experts are not surprised that Anthem refused the vulnerability tests.

"In fairness to Anthem, their position may be perfectly well-founded," says Bob Chaput, founder and CEO of Clearwater Compliance. "It's unclear what is precisely meant by vulnerability scans. Ask five people for a definition and receive eight different definitions. External and/or internal technical testing - expanding for the moment to include penetration testing as a way to identify a weakness - can be quite intrusive and disruptive to an organization's operations."

OIG Requests

OPM's OIG performs a variety of audits on health insurers that provide health plans to federal employees under the Federal Employee Health Benefits Program, an OIG spokeswoman tells Information Security Media Group. However, under the standard FEHBP contract that OPM has with insurers, insurers are not mandated to cooperate with IT security audits. Sometimes amendments are made to insurers' federal contracts to specifically require the full audits, the spokeswoman says. In fact, the OIG is now seeking such an amendment to Anthem's FEHBP contract.

OIG also notes in a statement: "We have conducted vulnerability scans and configuration compliance tests at numerous health insurance carriers without incident. We do not know why Anthem refuses to cooperate with the OIG."

A Common Practice?

David Kennedy, founder of security consulting firm TrustedSec, says it's "very common" for corporations to prohibit or limit external parties from performing vulnerability scans. "Most corporations have sanctioned tests that occur from third parties that perform the same type of testing and go even more in depth," he says. "A vulnerability scan is the most basic form of an assessment and wouldn't have prevented the Anthem breach from occurring. Most corporations will provide a summary of the assessment that was performed to provide to third parties to satisfy them for appropriate due diligence."

Although Anthem's recent refusal of the OIG audit requests might now appear to be a public relations blunder for the company, "I can see Anthem's side too, though," says Redspin's Berger. "A vulnerability scan is always going to find vulnerabilities. They may be concerned that any post-breach vulnerability report will be linked back to the recent breach. In reality, such scans are a 'point in time' assessment; it's unlikely that running a scan in the summer of 2015 would determine conclusively whether the recent breach could have been prevented."

In addition, if a security audit is not mandated by a contract, Chaput says it's probably not that unusual for private entities to refuse such requests from government agencies. "It depends on the nature of the relationship of the parties, the structure of that relationship, sensitivity of information involved, etc.," he says. "For example, is OPM a HIPAA covered entity and Anthem a HIPAA business associate in this relationship?"

Time for Change?

Also, the audit hoopla might even signal a need for OPM to overhaul its contractual practices, Chaput argues.

"In fact, it's quite possible that OPM is in violation of the HIPAA Privacy and Security Rule 'organizational requirements,'" he says. "Did OPM update all BA agreements? Do the terms and conditions of whatever agreements exist meet the requirements set forth in these HIPAA Privacy and Security Rule 'organizational requirements' to receive satisfactory assurances that this PHI and other sensitive information would be safeguarded?"

The government should negotiate stronger security protections into their contracts with insurers, Berger suggests. And that could include third-party vulnerability scans, whether conducted by OIG or others.

But McMillan of CynergisTek says Anthem's refusal of OIG's request could potentially provoke even more scrutiny by other government regulators or perhaps even legislative proposals from Congress.

Anthem likely already faces an investigation by the HIPAA enforcement agency, the Department of Health and Human Service's Office for Civil Rights, which investigates health data breaches and has the power to issue settlements that include financial penalties.

"Whether it is appropriate or allowed under [Anthem's] current contract or not - refusing a test right after a breach of this magnitude is enough to make some people say there needs to be greater accountability," McMillan says.

Safeguarding Data

Ironically, Chaput says that by denying the vulnerability tests by OIG, Anthem could be actually taking extra precautions in protecting PHI. "With over-the-top issues of government surveillance of U.S. citizens, Anthem might be thought of as having implemented a reasonable and appropriate administrative control - i.e. their 'corporate policy' to safeguard information with which it has been entrusted," Chaput says. "In the HIPAA Privacy Rule, there are standards and implementation specifications in which PHI, for example, is required to be disclosed to the Secretary of HHS. Since this technical testing could result in a disclosure of PHI, PII or other sensitive information, under what standard is OPM OIG invoking a right of potential disclosure?"

Kennedy adds that when he worked for ATM security vendor Diebold, "we never let anyone scan us. However we would always have reputable third parties perform assessments on us on a regular basis and provide those upon request when an organization wanted to evaluate our security."
