CareFirst falls victim to cyberattack: Industry experts respond

On Wednesday, CareFirst BlueCross BlueShield announced that a cyberattack gained access to the payer's database and compromised the personal data of 1.1 million individuals.

The hackers may have acquired member usernames used to access CareFirst's website, names, birth dates, email addresses and member identification numbers.

Here, security and IT experts offer their initial reactions to the data breach.

Note: This is a developing story and will be continually updated as more thought leaders share their insight.

Joe Barrett, principal security consultant at Foreground Security: "This isn't an unusual compromise. It fits with the methodology we've seen various attackers use over the last several years. Organizations with limited budget or security awareness that might have access to personal identifying information are frequently targeted due to their limited ability to detect and respond to compromises. The likely motive of the attackers is to sell the information for financial gain before the accounts are flagged in financial databases that watch for fraudulent usage.

The primary lesson to learn from this is that network owners don't get to choose whether or not they're attacked or persuade attackers they have nothing of value; it's going to happen eventually and organizations need to ensure that their intrusion detection and incident response capabilities are in place to detect and respond to breaches like this.

There is no one particular item that CareFirst could have done to prevent a breach like this — protecting an enterprise network's information requires senior management commitment, development of an effective information security program (i.e., not just buying products) and introducing security awareness as a key component to corporate culture."

Steve Hultquist, chief evangelist at RedSeal: "The CareFirst breach report attempts to soften the reality by calling the attack 'sophisticated.' The truth is that there are ongoing, automated sophisticated attacks targeting virtually every organization constantly and with ever-increasing intensity. The cyberwar has escalated through the use of automated and ever-innovating attack software funded by both nations and criminal organizations. This means defenses must be even more sophisticated, and the focus must change from merely detecting active attacks to determining all possible attack vectors, using analytics to ensure the implementation matches design, and then confining any incident to the smallest possible damage radius. It's time to upgrade our thinking and approach to be better than the attackers'."

Rich Barger, CIO and cofounder of ThreatConnect: "The announcement of the CareFirst hack is the latest in a string of data breaches affecting the BlueCross BlueShield network. The brazen targeting of healthcare organizations — entities that possess troves of sensitive personal information — is becoming alarmingly more common... There is no reason for these organizations to not be collaboratively analyzing information to protect themselves. Indications are that CareFirst suffered the same attack methods as Premera and Anthem, so imagine if those groups had been proactively working together and finding those similarities before the breach."

Trent Telford, CEO of Covata: "The healthcare industry, along with other industries that store customers' valuable private data, needs to understand that the threat of data breaches is real. We have seen far too many substantial hacks occur within major health organizations in recent months.

If a company holds personal information on behalf of its customers, partners and employees, it is its responsibility to encrypt it and remove the inherent value of this data for thieves and malicious actors. It is encouraging in the case of CareFirst BlueCross BlueShield that some of its valuable customer data is safe because it is encrypted. The more companies encrypt their customer data, the less they are going to be targets for attacks.

What this reveals is that encryption in the healthcare industry is no longer a nicety to have. In fact, it is a MUST for all businesses that hold sensitive or valuable information within their networks."

Jay Schulman, managing principal at Cigital: "The frequency of breaches in the healthcare sector emphasizes the priority cybercriminals are putting on the industry. Ongoing assessments and tests are critical to identifying areas of vulnerability before sensitive data is at risk, especially since many breaches aren't obvious to the organization. It's not only about building effective software that adheres to compliance standards, but healthcare organizations also need to build security in so that applications and software can tell you when something is going wrong."

Ken Westin, senior security analyst at Tripwire: "Unfortunately, our predictions regarding the healthcare industry becoming a major target are being played out. Both insurance and provider organizations are becoming targets by criminal groups because the data stored on these systems has become more significantly valuable over time as criminal syndicates have found ways to monetize it. In general, healthcare organizations are not prepared for the level of sophistication associated with the attacks that will be coming at them. It's no surprise that several organizations have been targeted and compromised."

Gavin Reid, vice president of threat intelligence at Lancope: "Large-scale attacks on hospital patient record databases, along with areas that are doing medical research, can be an extremely valuable source of data for pharmaceutical and other medical research. Some medical offices have unique patient records and histories spanning years that could never be recreated and have a huge research value. Secondly, the patient records themselves often have very complete personal identifying information sets that are easily used in the more common data theft scenarios. The last and increasingly common reason is where medical identity theft is used to create fraudulent insurance claims using a stolen identity. The medical industry as a whole has to up its game in security maturity, especially basics like patching, security controls and incident detection."
