Modern Healthcare reported Wednesday that Excellus Blue Cross and Blue Shield, a Rochester, N.Y.-based insurer, disclosed on Wednesday afternoon that it was the victim of a sophisticated cyber attack by hackers who may have gained access to over 10 million personal records. David Gibson, VP, Strategy and Market Development at Varonis, reacts:
Excellus is currently saying there’s no evidence that the information was “removed.” Who are we kidding here? The hackers were just browsing around for kicks? The reality is that they probably have no idea what happened or what was stolen and never will. This would come as no surprise to anyone, and doesn't sound much different than the major cyber attacks that we have more information on.
In the case of the notorious Anthem data breach, thieves were outsiders who were able to stealthily get a hold of employee credentials to access files. And we'd be willing to bet that's exactly what happened here.
While CIOs and security professionals may feel safe with large investments in firewalls, virus detection and other perimeter defenses, the on-the-ground reality is that today’s hackers continue to get better at their jobs and will easily get around these protections through a virtual side-door without ever being spotted.
To the poor IT admin monitoring a system during a typical breach like this, the hackers’ activities would have appeared as an employee browsing the web.
We might as well be giving bank robbers an employee badge and a keycard to the safe deposit boxes. And in our experience we have found that healthcare, an industry that is responsible for a wealth of sensitive data of various kinds, is surprisingly bad at this. In a study we conducted with the Ponemon Institute earlier this year, 65% of employees in the health and pharma industries believe they have access to sensitive data they don't need to do their jobs, with 51% believing they see this data at least frequently.
So, the compromise of just a few, or even one, employee account opens a hacker up to a wealth of sensitive information.
It's time for organisations to shift priorities and assume that some of their employees (and even their administrators and executives) will be duped into giving up information (like their password) and/or downloading malicious code. If an attacker steals an employee’s password (and you’re not using multi-factor authentication) then the attacker gets access to wherever they can use the password – any external or public-facing systems or applications where the employee used the same password are easily accessible.