Today’s headlines about the CareFirst BlueCross BlueShield (CareFirst) data breach did not surprise me. Apparently, as many as 1.1 million Washington, D.C. CareFirst members may have had their information accessed in a data breach that occurred about a year ago, in June of 2014. The attackers may have potentially acquired members’ names, birth dates, email addresses and subscriber identification numbers.
CareFirst says that the attackers did not have access to member Social Security numbers, medical claims, employment, credit card or financial information – though their investigation is still ongoing.
As has now become the norm, all affected CareFirst users will be sent letters granting them two years of free credit monitoring and identity theft protection. For most consumers, credit monitoring after a data breach has become as common (and as useful) as the free in-flight soft drink coupons airline passengers used to receive in the 1990s after some large airline antitrust settlement.
Given that CareFirst did not become aware of the break-in until roughly a year after the fact, critics have already surfaced deriding the delay as some sort of failure, which is absurd. Discovering a data breach within a year of its start is fairly standard, and better than many breach discoveries. I would be shocked, amazed and impressed (and highly skeptical) if CareFirst had caught the intrusion when it happened. Given the sophisticated, clandestine and persistent modus operandi of recent cyber-attacks, catching an attack as it occurs (or even shortly thereafter) is rare and extraordinarily difficult.
Healthcare Companies are Attractive Data Breach Targets
CareFirst is the third "Blues insurer" to be targeted this past year, after Anthem and Premera. That does not necessarily mean data thieves are targeting the Blues brand as such, but attackers clearly see value in the insurers' information-rich networks. In addition to this year's attacks on Anthem and Premera Blue Cross, the hospital operator Community Health Systems was hit last August by an intrusion that exposed the records of 4.5 million individuals.
Healthcare organizations have always been an attractive target for cyber-attacks, especially given their many data access points, their growing use of third-party vendors and the emerging popularity of wearable wellness technology.
Along those lines, cybersecurity has become an enormous challenge for healthcare organizations. With an aging U.S. population and a growing role for technology in its care, healthcare organizations must protect enormous volumes of sensitive patient data. As more and more patient information is digitized, doctors' offices, clinics and hospitals simply lack the resources to properly safeguard their patients' personal health information. Healthcare organizations are typically well prepared to respond to a crisis such as a mass-casualty accident or a natural disaster; a data breach presents an altogether different dynamic, and many of them are simply not prepared for it.
The Data Held by Healthcare Companies is Highly Regulated
The confidentiality and sensitivity of personal health information has become a highly regulated and increasingly important area of government concern. This explains why federal reporting requirements for healthcare data breaches have toughened in recent years, and why we now have a better sense of when patient information goes missing or has been inappropriately accessed.
For instance, the federal Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) increased regulatory oversight and imposed more stringent breach notification obligations for protected health information (so-called "PHI"). Prior to HITECH, there was no federal requirement to notify patients of a healthcare privacy breach.
Companies storing PHI are scrutinized intensely and their privacy and security protocols must pass muster not only under the HITECH Act but also under the Health Insurance Portability and Accountability Act (HIPAA), which established for the first time a set of national standards for the protection of certain health information.
Given these beefed-up regulations pertaining to PHI, healthcare organizations and their business associates have had to become more diligent about how they secure and handle PHI. The breach notification rule has also produced a sizable spike in the number of reported healthcare breaches, because the new regulations changed the criteria: more data-related incidents are now considered breaches that require notification and disclosure.
Data Thieves Love PHI
Cyberattacks and physical criminal activity have now officially surpassed insider negligence as the main cause of data breaches in healthcare organizations. The Ponemon Institute's new Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, published just this month, found that close to 45% of all healthcare data breaches are due to criminal activity such as cybercriminal and nation-state hacks, malicious insiders and physical theft, a 125% increase in such activity over the past five years. That is a first: according to the study, employee or insider negligence (user errors, lost laptops and thumb drives, and the like) accounted for the majority of breaches last year and in years past.
More than 90% of the healthcare organizations Ponemon surveyed have suffered at least one data breach exposing patient data over the past two years; 39% had been hit by two to five breaches, and 40% by more than five, during that timeframe. Security incidents (without an actual data breach) occurred at 78% of healthcare organizations.
The Ponemon report also surveyed business partners and associates of healthcare organizations. Nearly 60% of these businesses (patient billing, claims processing, health plan and cloud service providers, for example) had been hit by data breaches; 14% had suffered two to five breaches, and 15% more than five, over a two-year period. More than 80% of them were hit by web-based malware attacks.
These healthcare data breaches are far more serious than retail breaches: you can cancel a credit card, but not your date of birth, medical diagnosis or other PHI.
In fact, black market prices for PHI are far higher for PHI versus a credit card number. Some experts claim that a single patient’s medical record is worth $50 on the black market — much more than Social Security numbers ($3), credit card information ($1.50), date of birth ($3), or mother’s maiden name ($6).
Medical identity theft can have dire financial and medical consequences — and not just bad credit, lost insurance coverage, mixed-up records and higher premiums. The stress of dealing with a health care data breach is high; polluted medical records caused by a cyber-attack can result in medical identity theft, prescription errors, misdiagnoses, and even mistreatment.
Health care data is a treasure trove for identity thieves — including patient billing, health plans, claims processing and cloud services, which could contain all sorts of information, such as Social Security numbers, insurance IDs, addresses and medical details.
Criminals can use stolen medical data, such as electronic health records or insurance information, to submit false or inflated medical claims, buy prescription medication or pay for treatment, all at the victim's expense. Thieves can also use stolen healthcare information for any other kind of identity theft, including medical identity theft, which allows, for example, an imposter to obtain medical care under someone else's coverage, or anyone who wants to remain undetected while in hospital to do so. Finally, foreign interests could even use U.S. personal, financial or medical information as leverage to extract intelligence from people who want that information to stay private.
What CareFirst Should be Doing to Respond to the Data Breach
The legal and technical obstacles of any healthcare data breach are complex and costly and (in contrast to credit card companies), health care institutions (and their many vendors) are typically ill equipped and lack the necessary resources for the costly and lengthy incident response following a health care data breach.
So what is the key to CareFirst's incident response? That is, what should CareFirst be doing right this minute?
Preservation. CareFirst should be collecting and preserving, in a forensically sound and evidentially unassailable manner, any "electronically stored information" (ESI) that could become relevant to the investigation of the cyber-attack or to the response to any subsequent claims or regulatory demands. Hopefully: 1) CareFirst has previously undertaken some sort of data-mapping initiative that organized its data so that it can be preserved and collected efficiently and rapidly, with minimal disruption to operations; and 2) CareFirst does not retain member data for longer than legally required. It is up to the states to determine how long medical records must be retained, but HIPAA requires covered entities to retain the documentation the rule itself requires "for six years from the date of its creation or the date when it last was in effect, whichever is later." As class action lawyers will attest, keeping customer data longer than required creates more risk to the customer than necessary and provides little benefit.
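"Forensically sound" preservation has a concrete technical core: every evidence copy is hashed before and after it is made, the hashes are recorded with who collected it and when, and the copies can be re-verified at any later date. The following is an added example of that workflow in Python, not code from the original post or from CareFirst or Mandiant; the evidence directory layout, the manifest format and the `demo()` scenario (a constructed log file that is preserved, then tampered with) are all assumptions made for illustration.

```python
"""Hash-verified evidence preservation with a chain-of-custody manifest (added example)."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_of(path, chunk=1 << 20):
    """Stream the file in 1 MiB chunks so a multi-gigabyte image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def preserve(src, evidence_dir, collector, manifest="manifest.json"):
    """Copy src into evidence_dir, verify the copy's hash, and append a custody record.

    The copy is named after its hash so two collections of the same artifact
    cannot silently overwrite each other. Returns the record written; raises
    and removes the copy if it does not verify against the source.
    """
    os.makedirs(evidence_dir, exist_ok=True)
    before = sha256_of(src)
    dest = os.path.join(evidence_dir, before[:16] + "_" + os.path.basename(src))
    shutil.copy2(src, dest)  # copy2 keeps the source's timestamps; file metadata is evidence too
    after = sha256_of(dest)
    if after != before:
        os.remove(dest)
        raise RuntimeError(f"copy of {src} did not verify: {before} != {after}")
    record = {
        "source": os.path.abspath(src),
        "evidence_copy": dest,
        "sha256": before,
        "size_bytes": os.path.getsize(dest),
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
    }
    manifest_path = os.path.join(evidence_dir, manifest)
    records = []
    if os.path.exists(manifest_path):
        with open(manifest_path) as f:
            records = json.load(f)
    records.append(record)
    with open(manifest_path, "w") as f:
        json.dump(records, f, indent=2)
    return record


def verify(evidence_dir, manifest="manifest.json"):
    """Re-hash every evidence copy; return the copies that are missing or no longer match."""
    with open(os.path.join(evidence_dir, manifest)) as f:
        records = json.load(f)
    bad = []
    for r in records:
        copy = r["evidence_copy"]
        if not os.path.exists(copy) or sha256_of(copy) != r["sha256"]:
            bad.append(copy)
    return bad


def demo():
    """Constructed scenario: preserve one log file, verify, tamper with the copy, verify again.

    Returns (mismatches_before_tampering, mismatches_after_tampering).
    """
    work = tempfile.mkdtemp()
    src = os.path.join(work, "proxy.log")
    with open(src, "w") as f:
        f.write("2014-06-03T02:14:31Z WS-0419 weather-updates.example 30211\n")  # constructed line
    evidence = os.path.join(work, "evidence")
    record = preserve(src, evidence, collector="analyst-1")
    clean = verify(evidence)
    with open(record["evidence_copy"], "a") as f:
        f.write("edited after collection\n")
    tampered = verify(evidence)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("mismatches before tampering:", before)
    print("mismatches after tampering: ", after)
```

The manifest itself is the weak point of this scheme: whoever can edit it can also re-hash the tampered copy. In practice the manifest is signed or written to write-once storage, and the hash is also recorded in the analyst's handwritten or ticketed custody log, so that the JSON file is never the only record of the original value.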
Logging Analysis. Given the exponential growth of the technological interface between CareFirst and its members, CareFirst likely has strong logging and log warehousing capabilities. In addition to logs from its users' systems (laptops and desktops), servers and so on, CareFirst's firewall, intrusion detection system and other security logs will also require preservation and investigation. Exactly which logs exist for a given cyber-attack depends on CareFirst's overall cybersecurity policies and practices. Relevant sources can include firewalls, operating systems, applications, anti-virus software, endpoint management tools such as LANDesk, web servers, web proxies, virtual private network concentrators, change auditors, DHCP servers and a broad range of other audit files. Even if CareFirst runs a log analysis platform, such as a SIM/SEM ("Security Information Management" or "Security Event Management", together usually called a SIEM) solution, CareFirst will still need human expertise and intuition to identify and interpret what those log files reveal.
Digital Forensics Analysis. As CareFirst identifies each possible indicator of compromise (IOC), investigators should examine network traffic and logs, and scan system hosts (laptops, desktops and servers), for that IOC. When this effort reveals additional systems that may have been infiltrated, investigators forensically image and analyze those systems, extract any new indicators they contain, and the process repeats. Armed with the information gathered in this "lather, rinse, repeat" phase, CareFirst can detect further attempts by the attacker to regain access and begin to contain the attack.
Malware Reverse Engineering. Like the screwdriver a burglar uses to break into a company's headquarters, legitimate software (remote administration tools, scripting engines, archiving utilities) can be put to use as malware. CareFirst will find malware reverse engineering the most challenging task and will probably rely on its incident response firm, reportedly Mandiant, for it. By reverse-engineering any malware it finds, CareFirst can not only assess the likelihood of data exfiltration, but also contain the breach more effectively and better identify the culprits.
Surveillance. By this time, CareFirst should not only be performing "full packet capture" (recording all traffic passing through the relevant network segments for later analysis), but also establishing alerting (rules that raise an alarm when malicious or unauthorized activity is detected). CareFirst's surveillance will only be as good as the monitoring and follow-up of its anomaly and intrusion alerts.
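Two of the alert rules that matter most after an intrusion like this are the ones that catch the attacker coming back (periodic check-ins to a command-and-control server) and the ones that catch data leaving (bulk outbound transfers to destinations the organization does not recognize). The following is an added example in Python, not code from the original post and not CareFirst's or Mandiant's tooling, of both rules run over constructed flow records; the hostnames, destinations, byte counts, the "known good" destination list and the thresholds are assumptions chosen for illustration.

```python
"""Two alert rules over flow records: periodic beaconing and bulk outbound transfer (added example)."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed flow records (not real traffic): "<timestamp> <source host> <destination> <bytes out>"
FLOWS = """\
2014-06-03T02:00:00 WS-0419 weather-updates.example 512
2014-06-03T02:05:00 WS-0419 weather-updates.example 498
2014-06-03T02:10:01 WS-0419 weather-updates.example 530
2014-06-03T02:14:59 WS-0419 weather-updates.example 501
2014-06-03T02:20:00 WS-0419 weather-updates.example 512
2014-06-03T02:25:01 WS-0419 weather-updates.example 507
2014-06-03T02:00:00 WS-0102 cdn-static.example 1890
2014-06-03T02:00:47 WS-0102 cdn-static.example 40210
2014-06-03T02:15:00 WS-0102 cdn-static.example 2033
2014-06-03T02:15:03 WS-0102 cdn-static.example 1777
2014-06-03T02:33:20 WS-0102 cdn-static.example 2511
2014-06-03T02:35:00 WS-0102 cdn-static.example 1902
2014-06-03T02:40:00 WS-0877 mirror-sync.example 30000000
2014-06-03T02:41:30 WS-0877 mirror-sync.example 25000000
2014-06-03T02:42:00 WS-0877 cdn-static.example 1500
"""

# Assumed allowlist of destinations that legitimately receive large volumes.
KNOWN_GOOD_DST = {"cdn-static.example"}


def parse_flows(text):
    """Return a list of (timestamp, src, dst, bytes_out) tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return flows


def detect_beacons(flows, min_connections=5, max_cv=0.1):
    """Flag (src, dst) pairs whose connection intervals are suspiciously regular.

    Regularity is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections: automated check-ins cluster near zero, while
    human-driven browsing to the same destination does not.
    """
    times = defaultdict(list)
    for ts, src, dst, _ in flows:
        times[(src, dst)].append(ts)
    alerts = {}
    for pair, ts_list in times.items():
        if len(ts_list) < min_connections:
            continue
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # all connections in the same second: a burst, not a beacon
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            alerts[pair] = {"connections": len(ts_list), "period_s": round(mean, 1), "cv": round(cv, 3)}
    return alerts


def detect_bulk_outbound(flows, threshold_bytes=10_000_000, known_good=KNOWN_GOOD_DST):
    """Flag (src, dst) pairs that pushed more than threshold_bytes to a destination not known good."""
    totals = defaultdict(int)
    for _, src, dst, nbytes in flows:
        if dst not in known_good:
            totals[(src, dst)] += nbytes
    return {pair: total for pair, total in totals.items() if total > threshold_bytes}


def run_detection():
    flows = parse_flows(FLOWS)
    return detect_beacons(flows), detect_bulk_outbound(flows)


if __name__ == "__main__":
    beacons, bulk = run_detection()
    for (src, dst), info in beacons.items():
        print(f"BEACON  {src} -> {dst}: every {info['period_s']}s x{info['connections']} (cv={info['cv']})")
    for (src, dst), total in bulk.items():
        print(f"BULK    {src} -> {dst}: {total:,} bytes outbound")
```

On the constructed data WS-0419 checks in with weather-updates.example every five minutes and is flagged as a beacon, WS-0102's irregular CDN traffic is not, and WS-0877's 55 MB to mirror-sync.example trips the bulk-transfer rule. Both rules are only as good as the tuning around them: a five-minute beacon with a little jitter is easy, but real implants randomize their sleep, so production detection also looks at long-lived low-volume sessions and at destinations that are new for the whole organization, and the allowlist must be reviewed rather than grown every time an alert is inconvenient.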
Remediation. As its investigation progresses, CareFirst must remediate the malware, rebuild compromised systems, reset compromised account credentials, block IP addresses and take other steps to improve security both in the short, and in the long, term. Every data breach provides extraordinary opportunities for refinement and improvement of cybersecurity systems – CareFirst should take steps to seize this opportunity.
EDR Implementation. CareFirst should deploy a so-called Endpoint Detection and Response (EDR) tool, which continuously feeds endpoint telemetry to investigators in real time and is typically installed across the systems an attacker is most likely to traverse, including domain controllers, database servers and user workstations. Mandiant sells its own, called MIR, which is a powerful EDR tool and about which I will be writing in a later posting. EDR deployment will improve CareFirst's ability to detect and respond to outsider and insider threats, enhance its speed and flexibility in containing any future attack or anomaly, and help it manage data threats more effectively overall.
Exfiltration Analysis. Once CareFirst's forensic investigators determine that an attacker has exfiltrated any personally identifiable information (PII), PHI or other relevant ESI, such as trade secrets, intellectual property or sensitive email content, CareFirst should begin exfiltration analysis, which essentially becomes an ediscovery exercise to parse, host, review, scrutinize and, if necessary, produce the exfiltrated data.
State/Federal Regulatory Compliance. Responding to state and federal inquiries will occupy a lot of CareFirst’s time (and unfortunately) drain critical incident response resources. But such is life in the hot mess of the incident response world, where state and federal privacy laws vary by state jurisdiction, are interpreted unpredictably, and are in a constant state of flux, with some based broadly and others based on industry sector, such as, the litany of regulations covering medical records.
OCR Investigation Preparation and Response. The Office for Civil Rights (OCR) is the unit of the Department of Health and Human Services (HHS) charged with investigating and enforcing HIPAA and HITECH violations. CareFirst should plan for, and expect, an OCR investigation. That investigation will determine whether CareFirst was in compliance with HIPAA/HITECH and how the breach occurred, and will assess any penalties or fines. For instance, on March 9, 2012, Blue Cross Blue Shield of Tennessee (BCBST) agreed to pay $1,500,000 to settle potential violations of the HIPAA Privacy and Security Rules. BCBST also agreed to a corrective action plan that includes reviewing, revising and maintaining its privacy and security policies and procedures; conducting regular and robust training for all BCBST employees on their responsibilities under HIPAA; and performing monitoring reviews to ensure BCBST's compliance with the plan. The investigation followed a notice BCBST submitted to HHS reporting that 57 unencrypted computer hard drives containing the PHI of over 1 million individuals had been stolen from a leased facility in Tennessee.
HIPAA requires health plans to conduct a security risk assessment and to reassess the adequacy of their security controls periodically (annually is the common practice) and whenever changed circumstances warrant. When a breach triggers an OCR investigation, one of the first items OCR requests is written documentation of the up-to-date security risk assessment and of those periodic evaluations. CareFirst's documentation of its Privacy and Security Rule compliance is therefore critical, as is its compliance with the breach notification rules. OCR may take several months, with several exchanges of information, before reaching a conclusion and ultimately determining any fines or penalties against CareFirst.
Consumer Notification/Monitoring Services. In addition to credit monitoring, CareFirst's member services should include written notices, identity theft protection and related services such as a call center, a website, a hotline and a dedicated email address. CareFirst has a long history of care and trust with its members and will want to make sure that reputation remains intact. Healthcare data breaches are newsworthy, and the media keeps running follow-up stories, particularly when over a million members are affected. A call center lets members ask questions about their information and the effect of the breach on them, and can soothe their immediate concerns first-hand.
Constituency Notifications. In addition to consumer notifications, CareFirst will need to begin a broad range of other important notifications, such as briefings to partners, employees, vendors, affiliates, insurance carriers and a range of other interested/impacted parties. Notification is a continuing obligation and can last for many months after the breach’s detection. Thus, CareFirst’s data breach response team, C-level executives, regulators, employees, shareholders, patients and/or customers, all key stakeholders in the data breach response effort, should be frequently informed of progress and resolution efforts. CareFirst should assign a special team of individuals just for documentation, taking note of conversations with law enforcement and pertinent individuals. Additionally, a team should also be recording CareFirst’s reasoning behind every action taken during the incident response. This “best practice” can prove to be valuable documentation to have on hand when “second guessed” by internal personnel and/or by regulators (an inevitable scenario).
Law Enforcement Liaison. Notwithstanding the unlikelihood that the perpetrators will ever be prosecuted, CareFirst will need to liaise with federal law enforcement agencies and provide each with briefings, reports, IOCs, forensic images, malware signatures and other information about the cyber-attack. By this time, CareFirst should have identified which federal authorities (the author lists the US Air Force, the Department of Homeland Security, the FBI and the US Secret Service) it needs to liaise with, and made sure that everyone on the data breach response team is aware of any law enforcement directives. Overall, CareFirst should make sure that, when communicating with law enforcement, it speaks with "one voice," preferably that of the leader of its independent data breach expert team, in this instance reportedly Mandiant.
Public Relations. If public relations are not managed properly, CareFirst could suffer reputation-wrecking media and Capitol Hill attention all amid the untold damage of lost consumer trust and confidence. Unfortunately, unlike the victims of other heinous crimes, CareFirst will not experience sympathy or understanding as a reaction, but will likely be disparaged, maligned and pilloried in the media and questioned intensely by a skeptical and distrusting Congress. Given that many CareFirst customers work for the federal government and live in the impacted Washington, D.C. breach area and that many probably work for Congress (!), government scrutiny from all branches of government seems likely. CareFirst should engage in a transparent and truthful public relations campaign that stresses the independence, wherewithal and expertise of their data breach expert (in this case, reportedly Mandiant).
Legal Services. Just like any other independent and thorough investigation, CareFirst’s work relating to a cyber-attack will involve a team of lawyers with different skillsets and expertise (e.g. regulatory; ediscovery; data breach response; privacy; white collar defense; litigation; law enforcement liaison; and the list goes on). The list of potential civil liabilities for CareFirst is almost endless, including consumer/customer driven class action lawsuits, alleging a failure to adhere to cyber security “best practices.” Anthem is already the subject of multiple class action lawsuits along these lines. Hopefully, CareFirst has made sure that Mandiant and other engaged data breach response firms are retained by outside counsel. This is not done to hide information; rather it helps protect against inaccurate information getting released in an uncontrolled fashion and allows for more careful deliberation and preparation for litigation or government investigation/prosecution, two scenarios more and more likely nowadays.
Other Project Management. CareFirst should be identifying any new initiatives or ongoing projects (like new software or hardware rollouts), which could conflict with the incident response investigation. CareFirst should work with their response team and make sure it is aware of any upcoming business initiatives that may interfere or clash with response efforts, and decide whether to postpone these efforts and for how long, in order to focus on the breach response.
Insurance Documentation and Preparation. Whatever type of insurance CareFirst holds, an insurance claim will undoubtedly follow, and the adjusters will scrutinize every invoice tied to the workflow described above and will require briefings and documentation on all investigative efforts. For maximum objectivity, credibility and defensibility, Mandiant, the reportedly independent digital forensics firm investigating the breach, acting at the direction of counsel, rather than the company itself, should lead any briefings with the insurance carriers. Most importantly, a professional on the incident response team, preferably counsel, should maintain careful written documentation of every response effort. This will pay off later when assembling the "documentation package" for an inquisitive adjuster as part of seeking reimbursement for the costs of the breach. Cyber insurance policies typically contain a complicated web of conditions, exclusions and sub-limits for the different coverage elements, which CareFirst should analyze. From the outset, CareFirst should strive to comply with policy requirements, coordinate with its primary and excess insurers, and protect its rights under the applicable coverages.
Employee Care and Culpability. If employee involvement contributed to the breach, from malicious misconduct to mere mistake, CareFirst must determine what personnel action is warranted, ranging from counseling, to discipline, to termination for egregious conduct. Responsible companies appreciate that data breaches are inevitable and always present a teachable moment for the entire workforce on data security.
Data breach response for healthcare organizations is multifaceted, intense and costly – but if handled correctly and appropriately, can be the kind of successful failure that not only strengthens a company’s cybersecurity infrastructure but also reinforces a company’s commitment to customers, partners and other fiduciaries. Time will tell if this is the case for CareFirst. But personally, I am rooting for them because in addition to being an incident response expert, I am also a CareFirst client who lives in the D.C. area.