Anthem Hack, "Cracked"
Failed SIEM Deployment Jolts Industry
Today, with so much finger-pointing and talk about Anthem Blue Cross, security failures, who's doing what and who's getting hacked, one of the most important security matters seems clearly to escape the executives with the most skin in the game. The question of course is "Quis custodiet ipsos custodes?" or, translated from Latin, "Who's guarding the guards?" This paper presents the case for an effective, properly deployed and administered Security Information and Event Management (SIEM) system with supporting processes that mandate event notification escalation.
So, "Who's guarding the guards?" My close friend Eric N. (CISSP/Security Expert of a non-disclosed enterprise healthcare company) has always asked this and said it is the challenge that needs to be addressed and then readdressed regularly. Concerning Anthem, it is very odd that a DBA would be making application inquiries on sensitive ePHI, but it's even odder that a basic SIEM system would have failed to catch this anomaly in the first place. "Rather, the SIEM administration is what seemed to fail, because if it was properly deployed and they administered the system correctly, the event notification escalation would have protected Anthem from what is now known as the largest HIPAA-related data breach in history.
Synopsis: The correct SIEM deployment would have guaranteed that more than one set of eyes would have been notified the moment the suspicious activity began. Thus, the proper administration of a SIEM system as found with “US ProSIEM” would have / could have prevented the Anthem Blue Cross security breach” said Jonathan Goetsch, CEO of Las Vegas, Nevada based US ProTech, Inc. "But it also clearly shows that there are folks trying to profit from exploiting and breaching the data."
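The anomaly described above (a DBA account issuing application-style queries against ePHI tables) is exactly the kind of event a SIEM correlation rule should catch and escalate to more than one person. The following is an added example written for this page, not code from the article or from US ProTech or any SIEM product; the audit-log format, account names, roles, table names and recipient addresses are all constructed for the example. It parses database audit records, flags DBA-role accounts running SELECT/INSERT/UPDATE/DELETE statements against tables marked as holding ePHI (routine DDL such as index maintenance is not flagged), and fans every alert out to a list of escalation recipients so that no single administrator is the only set of eyes.

```python
"""Added example: minimal SIEM-style rule for DBA access to ePHI tables.

Not from the original article or any vendor; log format, accounts, table
names and recipients below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of database audit-log lines (not real data).
SAMPLE_AUDIT_LOG = """\
2015-01-27T02:14:07Z user=svc_claims_app role=APP db=members stmt="SELECT member_id, dob, ssn FROM members WHERE member_id=1001"
2015-01-27T02:15:11Z user=dba_jsmith role=DBA db=members stmt="ALTER INDEX idx_members_ssn REBUILD"
2015-01-27T02:16:43Z user=dba_jsmith role=DBA db=members stmt="SELECT member_id, dob, ssn, address FROM members"
2015-01-27T02:17:02Z user=dba_jsmith role=DBA db=members stmt="SELECT * FROM claims WHERE paid_date > '2014-01-01'"
2015-01-27T02:18:30Z user=svc_billing role=APP db=members stmt="UPDATE claims SET status='PAID' WHERE claim_id=77"
"""

# Tables the organization has classified as containing ePHI (assumed names).
EPHI_TABLES = {"members", "claims"}

# More than one recipient by design: escalation must not depend on one person.
ESCALATION_RECIPIENTS = ("soc-oncall@example.invalid", "ciso@example.invalid")

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) db=(?P<db>\S+) stmt="(?P<stmt>.*)"$'
)
# Application-level data access: DML statements, not DDL/maintenance.
DML_RE = re.compile(r"^\s*(SELECT|INSERT|UPDATE|DELETE)\b", re.IGNORECASE)
# Crude table extraction: identifier following FROM / JOIN / INTO / UPDATE.
TABLE_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE)\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    tables: Tuple[str, ...]
    stmt: str
    recipients: Tuple[str, ...]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one audit-log line into its fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def ephi_tables_touched(stmt: str) -> Tuple[str, ...]:
    """Return the ePHI tables referenced by a statement, in sorted order."""
    found = {t.lower() for t in TABLE_RE.findall(stmt)}
    return tuple(sorted(found & EPHI_TABLES))


def is_dba_ephi_access(event: Dict[str, str]) -> bool:
    """True when a DBA-role account runs DML against an ePHI table."""
    if event["role"].upper() != "DBA":
        return False
    if not DML_RE.match(event["stmt"]):
        return False  # DDL such as index rebuilds is routine DBA work
    return bool(ephi_tables_touched(event["stmt"]))


def detect(log_text: str) -> List[Alert]:
    """Run the rule over a block of audit-log text and return the alerts."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event and is_dba_ephi_access(event):
            alerts.append(Alert(
                ts=event["ts"],
                user=event["user"],
                tables=ephi_tables_touched(event["stmt"]),
                stmt=event["stmt"],
                recipients=ESCALATION_RECIPIENTS,
            ))
    return alerts


def escalate(alert: Alert) -> List[Dict[str, str]]:
    """Build one notification per escalation recipient (the messages a real
    SIEM would hand to its mail/paging connector)."""
    subject = (f"[SIEM] DBA account {alert.user} queried ePHI table(s) "
               f"{', '.join(alert.tables)}")
    return [{"to": r, "subject": subject, "body": f"{alert.ts} {alert.stmt}"}
            for r in alert.recipients]


if __name__ == "__main__":
    for a in detect(SAMPLE_AUDIT_LOG):
        for note in escalate(a):
            print(f"{note['to']}: {note['subject']} :: {note['body']}")
```

On the constructed log the rule raises two alerts, both for `dba_jsmith` (the `members` and `claims` queries), and ignores the index rebuild and the application service accounts. In a production SIEM the same logic would normally be expressed as a correlation rule keyed on the database audit source, with the ePHI table list and the escalation roster maintained as reference data rather than constants.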
US ProTech found that Internet-connected devices, from databases and billing systems to dialysis machines and the Claims Department, are getting hammered by malicious attacks. The report, which measured malicious traffic at healthcare organizations during a one-month period last fall, found almost 50,000 unique attacks across more than 700 devices, with some 375 organizations compromised. The compromised devices ranged from radiology imaging software and Web cameras to firewalls and mail servers, just to name a few.
Virtual private networks were among the most compromised systems, accounting for more than 30% of all compromised connected endpoints.
Hacked documents detailed one hospital's login, passwords
Illustrating the extent of the problem, engineers have cited a network administrator-authored document posted on hacker website 4shared.com that contained password, user ID, firewall login and other systems configuration information from the person's employer, an East Coast hospital. "When a security administrator sits down and writes down his passwords in a document like this, that's bad work," Goetsch said. "You don't put it on a PDF on a public-facing machine." To make matters worse, the document revealed that the hospital used one password across multiple systems.
The American Hospital Association (AHA) said in a statement that it is actively involved in helping its member institutions bolster their cybersecurity. "As the national hospital association, the AHA's particular expertise in cybersecurity is raising awareness among our member hospitals of the importance of addressing cybersecurity issues, and we encourage member hospitals to adopt appropriate strategies for cyber-risk management and reduction," the group said.
As evidence, Chicago-based AHA cited its 2013 Most Wired report, which indicated that more than 90% of its members had met security objectives across 11 key considerations, such as automatic logoff and encryption of laptops and other workstations.
Attacks span breadth of healthcare industry in United States
Yet more needs to be done, Goetsch said. "We saw attacks emanating across video conferencing, security, VPNs, firewalls and radiological machines that were compromised and used by adversaries for attacks, and because they are compromised, this means the capacity for a breach is wide open. The breach of a healthcare record is the most valuable data on the gray or black market. Almost three times as much as a stolen credit card number, but unlike credit card fraud, this is something that," he said, "the consumer will be directly responsible for addressing and resolving".
"Large institutions, self-insured funds and even smaller medical provider groups are in a very bad place right now with respect to the state of their security," Goetsch said.
Patient health can also be at risk. It's possible for a hacked diagnostics machine to send erroneous data about a particular person's medical test, for example, or for an infected dialysis machine to operate incorrectly.
Overall, healthcare providers received 72% of malicious traffic, with other segments of the industry -- including health plans, pharmaceutical and healthcare business associates -- attracting most of the rest.
"Often talked about but not commonly practiced, a lot of this could be avoided by just having a strong username and password policy that uses difficult-to-decipher logins and passwords. There is also an awareness factor. Let's say you buy a camera. It will be shipped straight from Taiwan, and then you plug it into your network. The hackers note this, and they connect to and use that camera, and then they put a back door in, and this is where compliance regulations come in. There are no rules governing cameras or where you plug in your camera. These are very simple policies to follow, but they need to be there and they need to be enforced."
US ProTech, which offers persistent threat protection and other security services to enterprises, conducted the probe using its global network of 6 million sensors and next-generation honey pots, which were located in 38 data centers and 20 major Internet exchanges. US ProTech will conduct similar studies examining other industry verticals in the coming months.
Protecting Electronic Protected Health Information
Health care organizations present a uniquely appealing target for bad actors due to the value of the data typically stored by these organizations. This data includes patient Social Security number, insurance and/or financial account data, birth date, name, billing address, and phone. At the same time, to maintain connection with patients, employees, insurers, and business partners, health care organizations must provide access to an unusually large number of external networks and web applications. This multi-tiered window of exposure makes health care organizations increasingly vulnerable to online attack.
Such attacks can result in:
• Costly data breaches, in terms of both financial and time loss
• Penalties imposed by the government: because government regulations such as HIPAA mandate strict security for access to electronic health care data, the resultant penalties for a breach can be severe
• Costs for investigation and administration of fraud claims
• Loss of customer loyalty and brand reputation
One US ProTech Solution
Today's attackers use advanced methods and tactics that render conventional security solutions – typically signature- and policy-based – much less effective. Health care organizations need a solution that can keep up with the speed of today's advanced attacks and protect patients' electronic protected health information (ePHI).
US ProTech is the only threat intelligence solution that enables organizations to quickly and cost-effectively implement truly proactive security that works at the speed of attackers, raising the organization's overall security posture while lowering its risk profile.
Key benefits for health care organizations
• Assess the risk level of any attempted data record access in milliseconds
• Protect against customer account takeover fraud via stolen credentials
• Block fraudulent account creation
• Minimize the risk of security-related website downtime
• Lower the possibility of government-imposed penalties
• Reduce the risk of security breaches and the associated losses of data, reputation, and revenue, while enhancing the customer experience
Key features include:
• Real-time delivery of fraud and security intelligence data
• Configurable live IPQ score that enables true risk prioritization
• Simple, customizable REST API
• Powerful analytics that provide rich and comprehensive reporting data
• Geofilter scoring and transaction blocking by geographical attributes