If this breach follows the pattern of other recent health IT breaches, then this type of intrusion at CareFirst wouldn’t be considered particularly difficult for an advanced team of malicious actors. The main objective would be to steal one or more sets of user credentials. A juicy target would be an administrator or super user with high levels of access. This could be done using malware delivered through a spear phishing attack or a watering hole attack. From there, the bad actors would be using legitimate user credentials to steal the data they are looking for. Using legitimate credentials makes detection harder, which is why the attack can last so long before it is discovered. Red flags like incorrect username and password combinations in the log just aren’t there in this scenario. In order to detect these types of attacks, organizations need to understand normal user behavior and abnormal behavior, then investigate accordingly. For example, if users are active at 4 a.m. and accessing privileged data outside of their job descriptions, then the credentials have likely been compromised. It takes some fairly advanced technology maturity to understand those patterns, then use them to help detect misuse. Many organizations just aren’t at that point.
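The behavioral check described above (unusual hour of access combined with data outside the user's role) can be sketched in a few lines. This is an added example, not code from the original commentary or from (ISC)²; the role-to-data map, the log format and the log lines themselves are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Assumed role -> data categories a user in that role normally touches (constructed).
ROLE_ALLOWED = {
    "billing": {"claims", "invoices"},
    "dba": {"claims", "invoices", "members", "schema"},
}

# Constructed baseline window of access events: (user, role, ISO timestamp, data category).
BASELINE_LOG = [
    ("jdoe", "billing", "2015-05-11T09:12:00", "claims"),
    ("jdoe", "billing", "2015-05-12T10:40:00", "invoices"),
    ("jdoe", "billing", "2015-05-13T14:05:00", "claims"),
    ("admin1", "dba", "2015-05-11T22:30:00", "schema"),
    ("admin1", "dba", "2015-05-12T23:10:00", "members"),
]

# Constructed new events to score against that baseline.
NEW_LOG = [
    ("jdoe", "billing", "2015-05-14T09:30:00", "claims"),    # normal hour, in-role data
    ("jdoe", "billing", "2015-05-14T04:02:00", "members"),   # 4 a.m. and outside role
    ("admin1", "dba", "2015-05-14T03:55:00", "members"),     # unusual hour, in-role data
]

def build_baseline(events):
    """Per-user set of hours-of-day observed during the baseline window.
    A real deployment would use weeks of history, not three samples."""
    hours = defaultdict(set)
    for user, _role, ts, _cat in events:
        hours[user].add(datetime.fromisoformat(ts).hour)
    return hours

def score_event(event, baseline):
    """Return the list of anomaly reasons for one event (empty means unremarkable)."""
    user, role, ts, cat = event
    reasons = []
    if datetime.fromisoformat(ts).hour not in baseline.get(user, set()):
        reasons.append("unusual-hour")
    if cat not in ROLE_ALLOWED.get(role, set()):
        reasons.append("outside-role")
    return reasons

def detect(events, baseline_events):
    """Flag events with at least one reason; both reasons together mark a likely credential misuse."""
    baseline = build_baseline(baseline_events)
    flagged = []
    for event in events:
        reasons = score_event(event, baseline)
        if reasons:
            severity = "likely-misuse" if len(reasons) == 2 else "review"
            flagged.append((event[0], event[2], severity, reasons))
    return flagged
```

An event that only trips one signal (the DBA working at an odd hour on data within role) is queued for review, while the billing user pulling member data at 4 a.m. is the combination the text calls out.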
Electronic health records are particularly valuable to hackers because they have a long-term, black market value. In the case of credit card breaches, cards are replaced very quickly, meaning that their value is very short-lived. A few fraudulent purchases are all a consumer of that stolen information can expect. Health records are very difficult to cancel or edit, and fraud against insurance or health records can go undetected for years for healthy individuals. This gives them a longer-term value.
Healthcare organizations need to be more proactive about benchmarking user behaviors within their environment. This includes understanding who has access to what and limiting each user to the least amount of information needed to perform their job duties. This would minimize the data exposed when credentials are breached. Implementing two-factor authentication for access to sensitive information or patient services would also blunt this mode of attack, since malicious actors couldn’t just use a username and password to get anywhere. Lastly, encryption of all key data at all times helps to prevent exposures like this.
Organizations of all sizes are struggling to adapt to this new reality of security threats, not just health organizations. Based on the value of these records and the relative success of bad actors in this space, health organizations really need to take heed of what is happening and get prepared to respond.
-Philip Casesa, CISSP, CSSLP, Director of IT/Service Operations, (ISC)²