Soon after CareFirst BlueCross BlueShield, based in Baltimore, MD, announced that the company had been the target of a sophisticated cyberattack, clues started arising to suggest that the same attack methods might have been used in this intrusion as with breaches at Anthem and Premera. Those incidents collectively involved data on more than 90 million Americans.
In those cyberattacks, security experts suspected the culprits were supported by China.
CareFirst announced that the attackers gained limited, unauthorized access to a single CareFirst database. Approximately 1.1 million current and former CareFirst members, along with individuals who do business with CareFirst online, were affected by the breach if they registered to use CareFirst’s websites prior to June 20, 2014.
The breach was discovered as a part of the company’s ongoing information technology (IT) security efforts in the wake of recent cyberattacks on health insurers. CareFirst engaged Alexandria, VA-based Mandiant, one of the world’s leading cybersecurity firms, to conduct an end-to-end examination of its IT environment. This review included multiple, comprehensive scans of CareFirst’s IT systems for any evidence of a cyberattack.
The review determined that in June 2014, cyberattackers gained access to a single database in which CareFirst stores data that members and other individuals enter to access CareFirst’s websites and online services. Mandiant completed its review and found no indication of any other prior or subsequent attack or evidence that other personal information was accessed, CareFirst reported.
The CareFirst attack suggests that hospitals and health systems are threatened by a much more challenging foe than the casual hacker. Security researchers at cybersecurity firm ThreatConnect in Arlington, VA, reported recently that the CareFirst attack has the hallmarks of the same scheme from China that was successful with other healthcare companies.
ThreatConnect explains the Chinese attacks in this way: Anthem was breached soon after a malware campaign that mimicked Anthem’s domain names. Anthem was known as Wellpoint through 2014, and the ThreatConnect researchers found a series of subdomains for we11point.com (the “L’s” in the domain were replaced by the numeral “1”) — including myhr.we11point.com and hrsolutions.we11point.com.
ThreatConnect also found that the domains were registered in April 2014, when the Anthem database was breached. The domains were used with malware that masqueraded as a type of software commonly used to allow employees remote access to internal networks.
ThreatConnect reports that the same bulk registrant in China that registered phony Premera and Anthem domains in April 2014 also registered two CareFirst look-alike domains — careflrst.com (the “i” replaced with an “L”) and caref1rst.com (the “i” replaced with the number “1”). ThreatConnect says the same tactics were used on EmpireB1ue.com (the “L” replaced with a number “1”). That domain was registered April 11, 2014, the same day as the phony CareFirst domains.
“It is believed that the prennera.com domain may have been impersonating the Healthcare provider Premera Blue Cross, where the attackers used the same character replacement technique by replacing the ‘m’ with two ‘n’ characters within the faux domain, the same technique that would be seen five months later with the we11point.com command and control infrastructure,” ThreatConnect reported in a February 2015 blog post.
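The character replacements ThreatConnect describes (“l” to “1”, “i” to “l” or “1”, “m” to “nn”) can be screened for in DNS or proxy logs by folding each confusable group to a single character and comparing the result against the organization's own domains. The Python below is an added example, not code from ThreatConnect or this article; the protected-brand list, the function names, and the observed-domain sample are assumptions constructed for illustration.

```python
# Substitutions named in the article: l->1, i->l, i->1, m->nn.
# Each confusable group is folded to one representative character.
FOLDS = [("nn", "m"), ("1", "l"), ("i", "l")]

# Assumed list of domains the defender owns (constructed for this example).
PROTECTED = ["wellpoint.com", "carefirst.com", "premera.com", "empireblue.com"]

# Constructed sample of domains seen in DNS/proxy logs: the look-alikes
# named in the article mixed with legitimate and unrelated names.
OBSERVED = [
    "myhr.we11point.com", "careflrst.com", "caref1rst.com",
    "prennera.com", "EmpireB1ue.com",
    "member.carefirst.com", "www.premera.com", "example.org",
]

def registrable_label(domain):
    """Label left of the TLD, lower-cased. Naive split: assumes a
    single-label TLD such as .com (no public-suffix handling)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def skeleton(label):
    """Fold confusable characters so look-alikes collide with the original."""
    for src, dst in FOLDS:
        label = label.replace(src, dst)
    return label

def find_lookalikes(observed, protected=PROTECTED):
    """Return {observed_domain: imitated_brand} for names whose skeleton
    matches a protected brand but whose literal label differs from it."""
    brands = {skeleton(registrable_label(p)): p for p in protected}
    hits = {}
    for domain in observed:
        label = registrable_label(domain)
        brand = brands.get(skeleton(label))
        if brand and label != registrable_label(brand):
            hits[domain] = brand
    return hits

if __name__ == "__main__":
    for domain, brand in find_lookalikes(OBSERVED).items():
        print(f"{domain} imitates {brand}")
```

The same comparison can be run against feeds of newly registered domains, which is where registrations like the April 2014 ones would first become visible.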
Re-evaluate data security
CareFirst reported that evidence suggests the attackers potentially could have acquired user names created by members to access CareFirst’s website, as well as members’ names, birthdates, email addresses, and subscriber identification numbers.
However, CareFirst user names must be used with a member-created password to gain access to underlying member data through CareFirst’s website. The database in question did not include these passwords because they are fully encrypted and stored in a separate system as a safeguard against such attacks. The database accessed by attackers contained no members’ Social Security numbers, medical claims, employment, credit card, or financial information.
“We deeply regret the concern this attack may cause,” said CareFirst President and CEO Chet Burrell. “We are making sure those affected understand the extent of the attack — and what information was and was not affected. Even though the information in question would be of limited use to an attacker, we want to protect our members from any potential use of their information and will be offering free credit monitoring and identity theft protection for those affected for two years.”
The breach confirms a pattern of sophisticated attacks and should prompt compliance officers to re-evaluate their data security, says Ken Westin, senior security analyst with Tripwire, a software security firm in Portland, OR.
“Unfortunately, our predictions regarding the healthcare industry becoming a major target are being played out. Both insurance and provider organizations are becoming targets by criminal groups because the data stored on these systems has become more significantly valuable over time as criminal syndicates have found ways to monetize it,” Westin says. “In general, healthcare organizations are not prepared for the level of sophistication associated with the attacks that will be coming at them. It’s no surprise that several organizations have been targeted and compromised.”
One defense against the type of attacks attributed to China is segmentation of information, suggests Marcin Kleczynski, CEO of Malwarebytes, an anti-malware software provider in San Jose, CA. The strategy is that if you don’t keep all your data in one place, you aren’t likely to lose as much if one part of your system is breached.
“Segmentation of information is the name of the game in our modern threat landscape,” he says. “Attackers are constantly increasing their ability to compromise secure networks, be it through new technologies or old-fashioned social engineering. If you treat a breach less like an ‘it-won’t-happen-to-me’ scenario in favor of a stance that expects the breach to happen, you can help those who are charged with securing the information make a more effective battle plan.”
CareFirst appears to have used segmentation successfully, Kleczynski says. One database was compromised, but it didn’t include all information needed to access secure information, which limited its value.
“Think of the segmentation of secure information, such as login credentials, as the kind of safeguards a gun owner might employ,” he says. “The gun is kept in one place and the bullets in another, both secured. In this case, the attackers were able to access the gun but were unable to find the bullets.”
Kleczynski sees similarities with the computer breach at JPMorgan Chase in 2014, the largest intrusion of an American bank to date. Cyber attackers compromised information for 76 million households and seven million small businesses in the bank’s databases. It took the bank’s security team more than two months to detect and stop the intrusion. The Chase breach was similar in that, while the thieves managed to steal a large amount of data, the most valuable information was held in a deeper and more secure part of the network, Kleczynski says. This situation is similar to how a bank or museum would provide increased protection according to the relative value of different items, he notes.
“The CareFirst attack is proof that there are holes in the network that need to be fixed and also a sign that as a society we still have a lot to do in terms of making sure our personal information is kept secure,” Kleczynski says. “At least we can find some solace in the fact that the bad guys were unable to get the juicy information.”
Westin concurs and says that the cyberattackers are aware of the strengths and weaknesses of healthcare companies in the United States. Even if they are unlikely to get all the information they seek, they know that they still can access a substantial amount that has value. Also, they know that they can damage the company even without obtaining the most valuable information, he notes.
“As we saw with the recent tidal wave of retail breaches, attackers often take advantage of vulnerabilities that are endemic within an industry through common tools, frameworks, data storage/sharing methods or business processes,” Westin says.