Anthem Hack, Cracked: Failed SIEM Deployment Jolts Industry

Today, with so much finger-pointing and talk about Anthem Blue Cross, security failures, who's doing what and who's getting hacked, one of the most important security matters seems clearly to escape the executives with the most skin in the game. The question, of course, is "Quis custodiet ipsos custodes?" or, translated from Latin: "Who's guarding the guards?"

This paper presents the case for an effective, properly deployed and administered Security Information and Event Management (SIEM) system with supporting processes that mandate event notification escalation.

So, "Who's guarding the guards?" My close friend Eric N. (CISSP/security expert at an undisclosed enterprise healthcare company) has always asked this and said it is the challenge that needs to be addressed, and then readdressed regularly.

Concerning Anthem, it is very odd that a DBA would be making application inquiries on sensitive ePHI, but it is even odder that a basic SIEM system would have failed to catch this anomaly in the first place. Rather, the SIEM administration is what seems to have failed: if the system had been properly deployed and administered correctly, event notification escalation would have protected Anthem from what is now known as the largest HIPAA-related data breach in history.

Synopsis: The correct SIEM deployment would have guaranteed that more than one set of eyes was notified the moment the suspicious activity began. "Thus, the proper administration of a SIEM system as found with US ProSIEM would have / could have prevented the Anthem Blue Cross security breach," said Jonathan Goetsch, CEO of Las Vegas, Nevada based US ProTech, Inc. "But it also clearly shows that there are folks trying to profit from exploiting and breaching the data." US ProTech found that Internet-connected devices, from databases and billing systems to dialysis machines and the Claims Department, are getting hammered by malicious attacks.
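As an added illustration (not part of the original article and not US ProTech's or US ProSIEM's code), the Python sketch below shows the kind of SIEM correlation rule and escalation the synopsis calls for: a DBA-role account issuing application-style reads against ePHI tables from a non-application host raises an alert that always goes to at least two recipients, and a repeated bulk read raises the severity. The audit-log format, table names, host names and recipient lists are constructed assumptions.

```python
"""Toy SIEM correlation rule: a DBA account issuing application-style
queries against ePHI tables, with mandatory multi-party escalation."""
from collections import defaultdict

# Constructed sample of database audit events (one dict per audit line)
EVENTS = [
    {"ts": 1, "user": "svc_claims", "role": "app", "host": "app01", "stmt": "SELECT", "table": "member_phi", "rows": 1},
    {"ts": 2, "user": "dba_jsmith", "role": "dba", "host": "dbadmin02", "stmt": "ALTER", "table": "member_phi", "rows": 0},
    {"ts": 3, "user": "dba_jsmith", "role": "dba", "host": "dbadmin02", "stmt": "SELECT", "table": "member_phi", "rows": 500000},
    {"ts": 4, "user": "dba_jsmith", "role": "dba", "host": "dbadmin02", "stmt": "SELECT", "table": "member_phi", "rows": 500000},
    {"ts": 5, "user": "dba_jsmith", "role": "dba", "host": "dbadmin02", "stmt": "SELECT", "table": "audit_log", "rows": 10},
]
EPHI_TABLES = {"member_phi", "claims_detail"}   # assumed data classification
APP_HOSTS = {"app01", "app02"}                   # assumed application servers
ESCALATION = {   # every alert reaches more than one set of eyes (assumed recipients)
    "high": ["soc-oncall", "dba-manager"],
    "critical": ["soc-oncall", "dba-manager", "ciso"],
}


def is_anomalous(ev):
    """DBA role reading ePHI data from a host that is not an application server."""
    return (ev["role"] == "dba" and ev["stmt"] == "SELECT"
            and ev["table"] in EPHI_TABLES and ev["host"] not in APP_HOSTS)


def correlate(events, bulk_rows=10000, repeat_threshold=2):
    """Return alerts; severity rises when the same user repeats a bulk read."""
    alerts, hits = [], defaultdict(int)
    for ev in events:
        if not is_anomalous(ev):
            continue
        hits[ev["user"]] += 1
        bulk = ev["rows"] >= bulk_rows
        sev = "critical" if bulk and hits[ev["user"]] >= repeat_threshold else "high"
        alerts.append({"ts": ev["ts"], "user": ev["user"], "table": ev["table"],
                       "severity": sev, "notify": ESCALATION[sev]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Only events 3 and 4 match: the application service account, the DDL statement and the read of a non-ePHI table are all ignored, while the second bulk read escalates to critical.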
The report, which measured malicious traffic at healthcare organizations during a one-month period last fall, found almost 50,000 unique attacks across more than 700 devices, with some 375 organizations compromised. The compromised devices ranged from radiology imaging software and Web cameras to firewalls and mail servers, just to name a few.
Virtual private networks were among the most compromised systems, accounting for more than 30% of all compromised connected endpoints.

Hacked documents detailed one hospital's logins and passwords

Illustrating the extent of the problem, engineers have cited a network administrator-authored document posted on the hacker website 4shared.com that contained password, user ID, firewall login and other system configuration information from the person's employer, an East Coast hospital. "When a security administrator sits down and writes down his passwords in a document like this, that's bad work," Goetsch said. "You don't put it on a PDF on a public-facing machine." To make matters worse, the document revealed that the hospital used one password across multiple systems.

The American Hospital Association (AHA) said in a statement that it is actively involved in helping its member institutions bolster their cybersecurity. "As the national hospital association, the AHA's particular expertise in cybersecurity is raising awareness among our member hospitals of the importance of addressing cybersecurity issues, and we encourage member hospitals to adopt appropriate strategies for cyber-risk management and reduction," the group said. As evidence, Chicago-based AHA cited its 2013 Most Wired report, which indicated that more than 90% of its members had met security objectives across 11 key considerations, such as automatic logoff and encryption of laptops and other workstations.

Attacks span breadth of healthcare industry in United States

Yet more needs to be done, Goetsch said. "We saw attacks emanating across video conferencing, security, VPNs, firewalls and radiological machines that were compromised and used by adversaries for attacks, and because they are compromised, this means the capacity for a breach is wide open. The breach of a healthcare record is the most valuable data on the gray or black market, almost three times as much as a stolen credit card number, but unlike credit card fraud, this is something that," he said, "the consumer will be directly responsible for addressing and resolving."

"Large institutions, self-insured funds and even smaller medical provider groups are in a very bad place right now with respect to the state of their security," Goetsch said. Patient health can also be at risk. It's possible for a hacked diagnostics machine to send erroneous data about a particular person's medical test, for example, or for an infected dialysis machine to operate incorrectly.

Overall, healthcare providers received 72% of malicious traffic, with other segments of the industry, including health plans, pharmaceutical and healthcare business associates, attracting most of the rest. The study didn't offer solutions, nor did it detail the impact of the attacks it revealed.
"Often talked about but not commonly practiced, a lot of this could be avoided by just having a strong username or password policy that uses difficult-to-decipher logins and passwords. There is also an awareness factor. Let's say you buy a camera. It will be shipped straight from Taiwan, and then you plug it into your network. The hackers note this, and they connect to and use that camera, and then they put a back door in, and this is where compliance regulations come in. There are no rules governing cameras or where you plug in your camera. These are very simple policies to follow, but they need to be there and they need to be enforced."

US ProTech, which offers persistent threat protection and other security services to enterprises, conducted the probe using its global network of 6 million sensors and next-generation honeypots, located in 38 data centers and 20 major Internet exchanges. US ProTech will conduct similar studies examining other industry verticals in the coming months.

Protecting Electronic Protected Health Information

Health care organizations present a uniquely appealing target for bad actors because of the value of the data they typically store. This data includes patient Social Security numbers, insurance and/or financial account data, birth dates, names, billing addresses, and phone numbers. At the same time, to maintain connections with patients, employees, insurers, and business partners, health care organizations must provide access to an unusually large number of external networks and web applications. This multi-tiered window of exposure makes health care organizations increasingly vulnerable to online attack.
Such attacks can result in:
- Costly data breaches, in terms of both financial and time loss
- Penalties imposed by the government: because regulations such as HIPAA mandate strict security for access to electronic health care data, the resultant penalties for a breach can be severe
- Costs for investigation and administration of fraud claims
- Loss of customer loyalty and brand reputation

One US ProTech Solution

Today's attackers use advanced methods and tactics that render conventional security solutions (typically signature- and policy-based) much less effective. Health care organizations need a solution that can keep up with the speed of today's advanced attacks and protect patients' electronic protected health information (ePHI). US ProTech is the only threat intelligence solution that enables organizations to quickly and cost-effectively implement truly proactive security that works at the speed of attackers, raising the organization's overall security posture while lowering its risk profile.
Key benefits for health care organizations:
- Assess the risk level of any attempted data record access in milliseconds
- Protect against customer account takeover fraud via stolen credentials
- Block fraudulent account creation
- Minimize the risk of security-related website downtime
- Lower the possibility of government-imposed penalties
- Reduce the risk of security breaches and the associated losses of data, reputation, and revenue, while enhancing the customer experience

Key features include:
- Real-time delivery of fraud and security intelligence data
- Configurable live IPQ score that enables true risk prioritization
- Simple, customizable REST API
- Powerful analytics that provide rich and comprehensive reporting data
- Geofilter scoring and transaction blocking by geographical attributes
- Flexible risk categories that let you configure rules and policies unique to your business
So, what is an effective Security Information and Event Management (SIEM) system, and what processes should be considered the minimum necessary? At US ProTech the answer is comprehensive and addresses every aspect of the issues discussed in this article. We encourage you to seek out a professional and objective advisor who can guide you through the various levels of SIEM deployment complexity. When comparing solutions, you have to consider much more than total cost of ownership, presence (reputation) within the industry, and levels of support or service agreements. Let us know you're interested and we'll be glad to provide you with a no-obligation consultation.