Rising Cyber Attacks Costing Health System $6 Billion Annually
http://www.bloomberg.com/news/articles/2015-05-07/rising-cyber-attacks-costing-health-system-6-billion-annually

A rise in cyber attacks against doctors and hospitals is costing the U.S. health-care system $6 billion a year as organized criminals who once targeted retailers and financial firms increasingly go after medical records, security researchers say.

Criminal attacks against health-care providers have more than doubled in the past five years, with the average data breach costing a hospital $2.1 million, according to a study today from the Ponemon Institute, a security research and consulting firm. Nearly 90 percent of health-care providers were hit by breaches in the past two years, half of them criminal in nature, the report found.

While intrusions like ones exposing millions of consumers at health insurer Anthem Inc. and hospital operator Community Health Systems Inc. have increased risk awareness, most of their peers are still unprepared for sophisticated data attacks, security experts have said.

“The health-care industry is being hunted and hacked by the elite financial criminal syndicates that had been targeting large financial institutions until they realized health-care databases are more valuable,”

Thieves can use that information to take out a loan or open up a line of credit in the victim’s name, or for medical identity theft, where the victim’s insurance ID is used by an impostor seeking free medical care.

About half of health-care organizations surveyed by Ponemon said they didn’t have sufficient technology to prevent or quickly detect a breach, or the personnel with the necessary technical expertise.

“The organizations are getting better, but it is a slow-moving train,”

The numbers this year are already in excess of last year’s, after hackers accessed almost 80 million records from Anthem and 11 million from the health insurer Premera Blue Cross.

Data is resold on private forums that specialize in selling stolen credit cards or Social Security numbers, or on the dark web, where users’ identities are hidden and transactions are done anonymously in Bitcoins

Anthem Inc., the Indiana-based health insurer has informed a federal auditor, the Office of Personnel Management, that it will not permit vulnerability scans of its network — even after acknowledging that it was the victim of a massive breach that leaked data on tens of millions of patients. According to this article, Anthem is citing “company policy” that prohibits third party access to its network in declining to let auditors from OPM’s Office of the Inspector General (OIG) conduct scans for vulnerable systems.

At Anthem: Where There’s Fire, There’s Smoke
https://digitalguardian.com/blog/anthem-where-theres-fire-theres-smoke

After losing 80 million patient records, Anthem Healthcare is refusing to have its network scanned for vulnerabilities by a federal auditor, raising questions about the health insurer’s internal practices.

The saying goes “where there’s smoke, there’s fire.” But in the case of Indiana-based Anthem Inc., you might need to flip that adage around: “where there’s fire, there’s smoke.”

That, after a federal auditor responsible for monitoring health insurers’ information security controls revealed this week that Anthem refused to allow it to scan its network for vulnerabilities, configuration problems and other issues in the wake of the breach.

As reported by Healthcareinfosecurity, the Office of Personnel Management’s (OPM) Office of Inspector General, issued a statement saying that Anthem refused to allow the agency to perform “standard vulnerability scans and configuration compliance tests” this summer, as requested by the OIG. Worse: Anthem refused a similar request in 2013. In each case, Anthem cited “internal policies” that forbid outside access to its network as the reason for refusing to allow the vulnerability scans.

Health insurer Anthem Inc, which earlier this month reported that it was hit by a massive cyberbreach, said on Tuesday that 8.8 million to 18.8 million people who were not its customers could be victims in the attack.

Anthem, the country’s second-largest health insurer, is part of a national network of independently run Blue Cross Blue Shield plans through which BCBS customers can receive medical services when they are in an area where BCBS is operated by a different company.

It is those Blue Cross Blue Shield customers who were potentially affected because their records may be included in the database that was hacked, the company said.

Security experts are warning that healthcare and insurance companies are especially vulnerable to cybercriminals who want to steal personal information to sell on the underground market.

Anthem continued to estimate that tens of millions of customer records were stolen, rather than simply accessed.

Adults aren’t the only ones who can have their identity stolen.

Tens of millions of American children had their Social Security numbers, date of birth and health care ID numbers stolen in the recent data breach at health insurance giant, Anthem Inc. This exposes these kids to the real risk of identity theft.

“Every terrible outcome that can occur as the result of an identity theft will happen to the children who were on that database,” said Adam Levin, chairman and founder of IDentityTheft 911. “Criminals will use those stolen Social Security numbers to open accounts, get medical treatment, commit tax fraud, you name it.”

“This is a watershed event,” Rohrbaugh said. “There is no other bulk acquisition of this much personal data – names, birthdates, addresses and Social Security numbers – that I am aware of in history.”

And because the children’s information was linked to their parents’ data, it will make it much easier for cybercriminals to commit fraud against the parents as well, Rohrbaugh said.

The Social Security number was never supposed to be used as a national identifier, but it’s become that. For an identity thief, that nine-digit number is the brass ring. It’s the skeleton key that unlocks your life.

A child’s number is even more valuable. Here’s why: For most minors, their number is pristine – it’s never been used and is not yet associated with a credit file. That means there’s very little chance that the credit reporting agencies are monitoring it.

So a criminal can take that stolen number, combine it with someone else’s name, address and birth date to create a fake ID

“They will always take the child over the adult,” Abagnale told NBC News. “And the younger the child is the better, because they have longer to use that identity before someone finds out.”

“Now it’s really all about detection,”

The ITRC has prepared A Guide for Parents – Child Identity Theft Indicators

ITRC Fact Sheet 120B
Child Identity Theft Indicators:
A Guide for Parents
http://www.idtheftcenter.org/Fact-Sheets/fs-120b.html

Phishers and phone fraudsters are capitalizing on public concern over a massive data breach announced this week at health insurance provider Anthem in a bid to steal financial and personal data from consumers.

The flood of phishing scams was unleashed just hours after Anthem announced publicly that a “very sophisticated cyberattack” on its systems had compromised the Social Security information and other personal details on some 80 million Americans.

According to Anthem, fraudsters also are busy perpetrating similar scams by cold-calling people via telephone.

It is likely that these phishing and phone scams are random and opportunistic, but there is always the possibility that the data stolen from Anthem has fallen into the hands of scam artists.

The company says it will begin sending notifications to affected consumers via snail mail in the coming weeks.

Insurance giant Anthem Inc. suffered a massive data breach exposing the personal information of up to 80 million Americans — and it could have been even worse for consumers.

The hackers didn’t take sensitive medical information on patients or their credit card data, according to the company, even though it was stored alongside Social Security numbers and other personal information that were stolen.

The intrusion is raising fresh questions about the ability of giant health insurers and other medical providers to safeguard the vast troves of electronic medical records and claims data they are stockpiling.

All this comes at a time when Anthem is spearheading an ambitious effort to build a controversial database of medical records on 9 million Californians for use by hospitals and doctors.

The federal government had put Anthem on notice in 2013 about its computer vulnerabilities, and last year the FBI warned healthcare companies about the growing threat of cyberattack on the industry.

The hackers broke into one of Anthem’s databases sometime around early January, according to people familiar with the investigation. An Anthem employee noticed a large query running in the database on Jan. 27 using his log-in information and reported the suspicious activity.

Two days later, an internal investigation verified that the company was a victim of a cyberattack, the company said, and federal authorities were alerted.

The data breach extended across all of Anthem’s business, possibly affecting customers at large employers, individual policyholders and people enrolled in Medicaid managed-care plans. It also involved data on company employees.

Anthem said it has doubled its spending on cybersecurity in the past four years and it has 200 employees dedicated to monitoring and safeguarding its networks.

Consumer advocates said the issue of whether Anthem was largely at fault or the victim of a clever attack misses the point that no healthcare database is safe.

“This thirst for more and more data from the medical industry inevitably places consumers’ health information at risk,” said Carmen Balber, executive director of Consumer Watchdog, a Santa Monica advocacy group. “It’s not fair to consumers for these companies to create one-stop shopping for data thieves.”

This was not the first such slip-up by Anthem.

In 2013, the company agreed to pay $1.7 million to resolve federal allegations that it exposed protected health information of 612,000 people online because of security weaknesses.

“Anthem does not have a very good track record of protecting the information entrusted to them,”

“From dealing with their IT system on the front end as a customer,” Winton said, “my impression is they don’t know what they are doing.”

“Healthcare companies like Anthem have got to invest far more effort and resources in data security to regain public trust,” said Gerald Kominski, director of the UCLA Center for Health Policy Research.

The US health-insurance provider’s own cyberinsurance policy is likely to be exhausted following the theft of up to 80 million records.

The financial consequences of Anthem’s massive data breach could reach beyond the $100 million mark, according to reports.

The US health-insurance provider’s own cyberinsurance policy covers losses of up to $100 million. However, when a company has up to 80 million current customers, former customers, employees and investors to notify, this amount may not be enough.

According to Anthem CEO Joseph Swedish, the data stolen included client names, dates of birth, physical and email addresses, medical IDs and Social Security numbers. However, the company has said, there is no current evidence to suggest financial information or medical data — such as test results — were taken.

According to industry news site Insurance Insider’s sources, Anthem’s cyberinsurance policy — written by AIG, Lexington, Safehold and Zurich, among others — could be exhausted due to the “costs of notifying the affected customers.” Anthem plans to notify every individual affected by the cyberattack and has also provided a hotline for those with question.

Swedish has called the data breach a “very sophisticated external cyberattack.”

Insurance giant Anthem Inc. said Thursday that hackers had access to customer data going back to 2004 as investigations continue into the massive breach.

The nation’s second-largest health insurer disclosed the new time frame as it prepares to offer two years of free identity-theft protection to millions of affected consumers starting Friday.

Anthem announced last week that hackers infiltrated one of its giant databases containing Social Security numbers, birth dates, addresses and other personal information of up to 80 million Americans across the country.

The Indianapolis-based company said its internal investigation was ongoing and it hadn’t yet determined which customers might have been affected.

“We appreciate the identity-protection services being put into place by Anthem, but reviewing the scope and implications of this event will be a long process,”

Analysis of open source information on the cybercriminal infrastructure likely used to siphon 80 million Social Security numbers and other sensitive data from health insurance giant Anthem suggests the attackers may have first gained a foothold in April 2014, nine months before the company says it discovered the intrusion.

The Wall Street Journal reported last week that security experts involved in the ongoing forensics investigation into the breach say the servers and attack tools used in the attack on Anthem bear the hallmark of a state-sponsored Chinese cyber espionage group known by a number of names, including “Deep Panda,” “Axiom,” Group 72,” and the “Shell_Crew,” to name but a few.

In November 2014, Crowdstrike published a snapshot of a graphic showing the malware and malicious Internet servers used in what security experts at PriceWaterhouseCoopers dubbed the ScanBox Framework, a suite of tools that have been used to launch a number of cyber espionage attacks.

particular address was until very recently the home for a very interesting domain: we11point.com. The third and fourth characters in that domain name are the numeral one, but it appears that whoever registered the domain was attempting to make it look like “Wellpoint,” the former name of Anthem before the company changed its corporate name in late 2014.

We11point[dot]com was registered on April 21, 2014 to a bulk domain registration service in China. Eight minutes later, someone changed the site’s registration records to remove any trace of a connection to China.

“We were able to verify that the evil we11point infrastructure is constructed to masquerade as legitimate Wellpoint infrastructure,” Barger said.

Interestingly, that extcitrix.we11point[dot]com domain, first put online on April 22, 2014, was referenced in a malware scan from a malicious file that someone uploaded to malware scanning service Virustotal.com.

As noted in a story in HealthITSecurity.com, Anthem has been sharing information about the attack with the Health Information Trust Alliance (HITRUST) and the National Health Information Sharing and Analysis Center (NH-ISAC), industry groups whose mission is to disseminate information about cyber threats to the healthcare industry.

But a variety of data points suggest that the same infrastructure used to attack Anthem may have been leveraged against a Reston, Va.-based information technology firm that primarily serves the Department of Defense.

ANALYSIS

Of course, it could well be that this is all a strange coincidence, and/or that the basic information on Deep Panda is flawed. But that seems unlikely given the number of connections and patterns emerging in just this small data set.

It’s remarkable that the security industry so seldom learns from past mistakes. For example, one of the more confounding and long-running problems in the field of malware detection and prevention is the proliferation of varying names for the same threat. We’re seeing this once again with the nicknames assigned to various cyberespionage groups (see the second paragraph of this story for examples).