From Beijing with Love: Healthcare Firms Confront Foreign Adversaries

The hack of Anthem suggests that sophisticated, foreign hackers have their sights on healthcare firms.

In-brief: Reports say that the attack on Anthem health may have roots in China. If so, it would be the latest evidence that sophisticated, overseas hacking crews have turned their attention to healthcare providers. 

The news this week has been all about the hack of Anthem Healthcare, an Indiana-based healthcare provider that is one of the largest in the U.S.

This week Anthem acknowledged that attackers made off with data on some 80 million customers. The incident is being investigated by the FBI, and Anthem says it has hired the firm Mandiant (a division of FireEye) to investigate the breach.

Anthem runs the Blue Cross Blue Shield plans in California, New York and other states. In a statement to customers, Anthem CEO Joseph Swedish said that the attackers gained “unauthorized access to Anthem’s IT system” and made off with “personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data.”

So far, Anthem says it doesn’t believe that credit card or medical information, such as claims, test results or diagnostic codes, were targeted or compromised. However, that could change.

The data breach is the largest of 2015, following a year that brought news of a string of attacks on retail organizations that affected hundreds of millions of consumers in the U.S., Canada and elsewhere. Already, the focus of the investigation is pointing to malicious actors operating out of China.

The Washington Post reported on Thursday that investigators suspect that the attackers who hacked Anthem may have been based in China, and that other healthcare organizations may have been targeted in the attack.

That would fit a pattern of growing attacks and data losses affecting healthcare organizations in recent months. Notably: in 2014, an investigation of a hack at the hospital chain Community Health Systems also pointed to hackers operating out of China. That incident resulted in the theft of personal information on 4.5 million Community Health patients.

The reports suggest that healthcare systems are squarely in the sights of sophisticated and malicious online actors – the same kinds of hackers who have long been targeting government agencies, financial services firms and defense contractors.

Why? There are many possible explanations. The most obvious is that hospitals are “where the data is.” While information on the outcome of medical tests is of uncertain value, security experts point out that hospitals are super consumers of personally identifying information, from names and addresses to banking and credit card information. That data can be sold on black markets and then used in identity theft scams. Alternatively, it could be used as the foundation for more targeted downstream phishing attacks on individuals, possibly as part of an APT-like campaign.

That isn’t necessarily news. Plenty of security experts predicted that 2015 would be the year of the healthcare data breach – it’s true. But it’s important to remember that the same was predicted of 2014. And, in fact, the number of records lost by healthcare organizations has climbed steadily in recent years, according to a survey by The Ponemon Institute.

That said, it is also true that healthcare organizations have not been as focused on what the security industry terms “advanced threats.” Rather, physical theft of IT assets (laptops, tablets, phones), the work of malicious insiders and inadvertent data loss by third parties and others have been top of the list of health data security concerns – and for good reason.

That may need to change. If the (unsubstantiated) reports are true, there may be more to come from the Anthem breach – including the revelation that other healthcare organizations are implicated in the breach. That may force healthcare organizations to reassess their risks, and their risk posture.

Stay tuned. There will be more to come on this.