Security experts worry about 'spear phishing' in wake of CareFirst breach

Security experts weighing in on Wednesday's breach of health insurer CareFirst, which impacted 1.1 million current and former customers, said the compromised information could be used for everything from medical identity fraud to future attacks geared toward extracting even more data from victims. What's more, they believe this is only the beginning for breaches of this nature.

Raj Samani, vice president and EMEA (Europe, the Middle East and Africa) chief technology officer for Intel Security, told FierceHealthIT in an exclusive interview that spear phishing attacks are highly likely to follow.

"Consumers may receive an email that knows their name, their date of birth, that knows specific information about them that would lead them to believe that this was a legitimate email. But in this particular case, it may well not be because actually it appears that this is the type of data that's being compromised," Samani said. "This type of data has market value, as well."

Gavin Reid, vice president of threat intelligence for security company Lancope, said the industry and public must view this attack as part of a larger trend: two other BlueCross BlueShield companies, Anthem and Premera, revealed breaches earlier this year in which information for nearly 90 million customers was compromised.

"The medical industry as a whole has got to up its game," Reid said in an interview. "For a long time, everything was on paper, under lock and key in a filing cabinet. We've moved very quickly into the information age, and security and maturity need to be improved. A lot of institutions are playing catch-up right now."

Samani echoed Reid's sentiments, saying that the evolution of crime is outpacing protection.

"People aren't robbing banks with guns anymore, they're robbing them with USB sticks," he said. "To become a cybercriminal today requires absolutely no technical knowledge in any way, shape or form. You can go out and buy products or services that would allow you to target anybody you wish.

"Brace yourself," Samani said.

At the College of Healthcare Information Management Executives' spring forum in Chicago last month, Memorial Sloan Kettering CIO Patricia Skarulis highlighted her hospital's efforts to combat spear phishing. The organization relies on two-factor authentication as well as employee awareness.