Tuesday, 26 May 2015

3 Critical Takeaways From The Damaging CareFirst Hack That Exposed Millions

On Wednesday, District-based not-for-profit insurer CareFirst BlueCross BlueShield announced it had been hacked in June 2014. The data breach meant that the personal information of about 1.1 million customers — including birth dates, names, email addresses and subscriber information — was compromised. CareFirst becomes the third major health insurer to disclose a breach, and that is by no means a coincidence.

Almost a week removed from the hack and with the news cycle no longer focused on either the breach itself or CareFirst’s response to it, it’s important to examine whether there is a lasting impact.

Healthcare institutions, which are naturally prevued to a host of delicate and valuable personal information, are increasingly becoming the targets of hackers. One reason for this is that the Healthcare sector has generally lagged behind when it comes to sufficient cybersecurity measures.

While there is no “standard” for cybersecurity — instituted by either the Fed or at a state level —it’s true that the current security atmosphere influences each sector differently. As a result, a proactive rather than reactive security strategy is widely viewed as the better of two options.

Private executive-level corporate decision makers are behind these decisions, currently, as they must weigh the risk vs. reward of investing in cybersecurity due to the changing threat landscape.

News of the hack came only a few days after cybersecurity giant FireEye provided CareFirst with a finished review of the attack, WSJ reported. For now, it appears that medical and patient information was not exposed in the breach.

DC Inno contacted three executives from three different cybersecurity companies to speak about the hack and the lesson it may have left behind.

Here’s what some cybersecurity experts said of the hack:

The hackers can now use the stolen information to masquerade as CareFirst

“The amount of data that was stolen, including names, birthdates and email addresses, opens the door for phishing scams … This data may not be highly sensitive, but it is perfect for someone trying to now instigate a spear phishing (directed e-mail at a person with real data to convince them that it is legitimate) scheme. A hacker now has enough information to represent themselves as CareFirstBCBS,” Netsurion CEO Kevin Watson told DC Inno via email.

CareFirst has said they will notify their customers via postal mail only. Anyone receiving an email or phone call should consider it a phishing scam.

Greg Kazmierczak, CTO of Wave Systems, told DC Inno,“While CareFirst stated that social security numbers and credit cards were not held in the database, access to names, birth dates, and email addresses can lay the groundwork for future intelligence gathering and cyber intrusions. Without strong encryption and access management, expect medical fraud and identity theft to run unchecked.

Proactive measures are actually paying off

“While the breach reportedly started back in June 2014, CareFirst discovered the breach with an end-to-end IT review … The proactive approach to reviewing their IT environment enabled them to discover this seemingly less severe data breach and very well could have prevented attackers from gaining access to more sensitive systems in the future,” said SurfWatch Labs Chief Security Strategist Adam Meyer.

Meyer added,“Companies should note this approach and consider a similar security review to ensure their network is secure and to mitigate risks to not just consumers but also to demonstrate due diligence and due care to regulators and potential legal matters – in particular, healthcare organizations who likely will continue to see increased interest from hackers given the nature of the type of data they accumulate.”

The healthcare sector is one step behind

“This breach provides further evidence that cyber security defenses in the healthcare industry are still one step behind sophisticated hackers. The first question to ask is: was the compromised database properly encrypted? Encryption is widely recognized as a best practice and it is vitally important for a company like CareFirst, which is handling sensitive patient information. Healthcare companies are prime targets for hackers,” Kazmierczak said

View the original content and more from this author here: http://ift.tt/1Bnq2xx



from cyber security caucus http://ift.tt/1AwdMQe
via IFTTT

No comments:

Post a Comment