CareFirst Breach Highlights Continued Challenges In Health-Care Security

The latest victim in a health-care cyberattack has emerged, with CareFirst BlueCross BlueShield reporting Wednesday that it has been hit by an attack that compromised about 1.1 million members.

As part of a Mandiant-led security review, CareFirst found that hackers had gained limited access to a database that members use to log in to the company's website and online services, the company said. CareFirst said the hackers gained access to names, birthdates, email addresses and subscriber information, but member password encryption prevented them from gaining access to Social Security numbers, medical claims, employment, credit card and financial data.

CareFirst said it will be notifying those affected by the breach and will provide new member accounts as well as free credit card and identity theft monitoring for two years.


Solution providers said the disclosure, which comes on the heels of two other major health-care breach announcements this year -- at Anthem and Premera Blue Cross in January -- highlights the need for a continued security push in the health-care market.


"In the past, health organizations could do [security] poorly and maybe they would have trouble on a little regulatory issue here or there, but for the most part they could still skate by," said Mike Gentile, executive vice president of innovation and security at Mission Viejo, Calif.-based Auxilio. "Now, with all the state-funded terrorist attacks and everything that's occurring, these organizations are really having to implement these things, otherwise they're being attacked over and over and over again."

The health-care industry poses a tantalizing target for hackers, with health-care records selling for 10 times the value of credit cards, Tom Patterson, vice president of security solutions at Blue Bell, Pa.-based Unisys, said in an email. For that reason, he said, the health-care industry needs to adopt more advanced security measures, such as microsegmentation and cloaking endpoints.

"Securing an ecosystem like health care with advanced security approaches isn't more expensive, but it is different and requires a more modern mindset," Patterson said. "Yesterday's security defenses don't stop today's security threats. Organizations must fight fire with fire."

Gentile said MSSPs should focus on providing health-care clients with a repeatable program or plan for managing security. First, they have to create a benchmark for security so clients have a framework to guide their employees. Second, they must implement a repeatable process for measuring the environment against that benchmark. Third, they have to identify gaps between where the organization stands and that benchmark, and present change suggestions to management. Finally, they have to help the organization solve those security issues.

The challenge, Gentile said, is that many health-care organizations' budgets are not nearly sufficient to fill those needs. However, he said, the recent breaches are causing a "paradigm shift" and bringing increased emphasis to security budgets.

"I would say we're right at the point where they're going to be spending a lot more," Gentile said.