By now, you’ve probably heard that CareFirst BlueCross BlueShield, serving Maryland and the Washington, D.C., area, has said it was the victim of a malicious cyberattack. The hack, according to the insurer, involved 1.1 million current and former CareFirst members and customers.
Naturally, CareFirst went into damage control, putting up a website with a message to the public, including a video from President and CEO Chet Burrell. And, naturally, security companies came out of the woodwork, offering news outlest such as this one interviews with their executives who want to discuss cyberattack prevention — and, of course, sell more services.
One publicist offered “canned comments” (her words) from Trent Telford, CEO of U.S.-Australian data security firm Covata:
- “The healthcare industry, along with other industries that store customers’ valuable private data, needs to understand that the threat of data breaches is real. We have seen far too many substantial hacks occur within major health organizations in recent months.”
- “We know that cyber criminals are harvesting personal data to sell or use for nefarious acts. Sometimes it isn’t immediately obvious the value of stealing millions of names or addresses. An individual piece of information may not be valuable alone. However, personal data en masse can be extremely valuable when used to execute criminal activity.”
- “If a company holds personal information on behalf of its customers, partners and employees it is its responsibility to encrypt it and remove the inherent value of this data for thieves and malicious actors. It is encouraging in the case of CareFirst BlueCross BlueShield that some of its valuable customer data is safe because it is encrypted. The more companies encrypt their customer data, the less they are going to be targets for attacks.”
- “What this reveals is that encryption in the healthcare industry is no longer a nice to have. In fact, it is a MUST for all businesses that hold sensitive or valuable information within their networks.”
The publicist for Caspida, a Palo Alto, Calif.-based cybersecurity company didn’t call these comments from CEO Muddu Sudhakar “canned,” and they are a bit more specific, but, let’s face it, these are pretty standard-issue:
“First Anthem, then Premera Blue Cross and now CareFirst. There seems to be a trend line of going after heath data. This is a big breach with information affecting 1.1 million subscribers, but fortunately no passwords or SSNs were taken. Health insurance data is typically worth more than credit card records due to the various pieces of information like birth dates, SSNs, and employment information that can facilitate identity theft.
Unfortunately CareFirst is paying a hefty remediation bill. There is a clear lesson for healthcare insurers and providers to protect systems and detect breaches. This breach was initiated around June 2014 – eleven months ago. Bad guys inevitably leave a trail as they move about inside the organization to access sensitive information, and next generation tools that analyze accumulated security data will identify and isolate this sort of problem.
While enterprises need to consider next generation early breach detection tools, a lesson for consumers it to watch your medical statements for potential fraudulent transactions.”
The sad thing is, while these bland recommendations seem obvious, far too many healthcare organizations still don’t encrypt their data.