When Excellus BlueCross BlueShield announced Wednesday that it had uncovered a cyberattack potentially compromising 10 million member records, the news emphasized the alarming frequency with which such breaches are hitting the healthcare sector.
Indeed, fellow insurers Anthem, Premera Blue Cross and CareFirst all have experienced their own cyberattacks, and provider organizations also are far from immune.
Yet while such hacks have only recently been discovered, many actually occurred years ago and are only now coming to light as healthcare organizations ratchet up their information security efforts, David Damato, chief security officer at security and systems management startup Tanium, tells FierceHealthPayer in an exclusive interview.
In fact, Excellus' initial breach first occurred in December 2013, the company has said.
"I think now in the last year or so there's been a lot of awareness raised around the sophistication of some of these more recent attacks--or recently surfaced attacks," says Damato, who led the investigation into the Anthem attack while with the company FireEye. "And these organizations have taken steps to improve their security in order to address some of these challenges."
Damato believes the 2014 cyberattack on Community Health Systems was the turning point for payers and providers starting to understand the daunting threat they now face. "Before then, there wasn't really a sense that a nation-state or a more advanced adversary would target a healthcare organization," he says.
While "no one really has a great answer" as to why healthcare information seems to have become so attractive to hackers, Damato says consensus in the information security industry is that nation-states are interested in healthcare data as a means to aggregate information about "potentially interesting individuals."
Hackers are then able to combine that information with data culled from other cyberattacks, such as the breach that hit the Office of Personnel Management, which in turn allows them to draw conclusions about a person's lifestyle, job or affiliation with the federal government.
After its breach, Excellus' next steps will be to acquire a team of forensic experts and deploy technology to track how the attack played out, Damato says. The company also will likely work very closely with its legal department and a public relations firm to make sure it's taking all the necessary steps to protect and inform consumers, as well as work closely with the FBI as it investigates.
As for preventing attacks at their own organizations, healthcare companies should take two major steps, according to Damato:
- Identify the organization's risk, or the data security issue it's most concerned about. For most in the healthcare industry, this will be personal health information, Damato says.
- Find ways to surround that sensitive information with the right number of controls that make it difficult to obtain, such as multifactor authentication or data encryption. Data encryption alone, however, isn't sufficient, he notes.
Insurers also should avoid storing members' data online past the point that it's absolutely necessary, Mac McMillan, chairman and cofounder of healthcare information security firm CynergisTek Inc., previously told FierceHealthPayer.