Security isn't easy, and with cybercriminals, or at least one specific group, targeting insurance agencies -- it just got tougher for the industry.
The CareFirst breach is the latest in a string of insurance company breaches. Attackers gained access to names, birth dates, email addresses and insurance identification numbers for approximately 1.1 million customers -- all the information that is needed for insurance fraud and identity theft. Although there is no conclusive proof as to who perpetrated this crime, there are indications that the same attack methods used to breach Anthem and Premera were used on CareFirst.
To its credit, even though no credit card information was stolen (or medical records for that matter), CareFirst recognizes that the information that was stolen could be used for identity theft. In a show of commitment to its customers, it is providing credit monitoring services for all customers impacted by the breach. The insurer is also working with law enforcement agencies to help track down the cybercriminals.
Why are we seeing an uptick in insurance breaches lately? In the past, health insurance agencies weren't targeted as frequently as large enterprises and financial institutions. And when health care organizations were targeted, it was typically with ransomware, rather than with stealth attacks. The change in methods and motivations is in part due to cybercriminals realizing that the health insurance industry is vulnerable to attacks, and possesses critical data, such as Social Security numbers, credit card information and other personally identifiable information, that criminals can use for identity theft.
Insurance agencies claim they have made "huge leaps" in securing their environments, but Dr. Larry Poneman, chairman of Ponemon Institute, which studies security breaches in health care, states that they've only taken "small steps" rather than "huge leaps" in safeguarding their systems.
I don't think we can blame the insurance industry for taking "small steps." This isn't unique to the insurance industry, it just happens to be highly visible and possess a lot of sensitive information. When it is breached, it needs to let the world know because personal information is at stake. Other industries are plagued by the same issues. An IDG survey found that less than 1/3 of web, mobile and cloud applications are tested for security -- despite the fact that they are the number one attack vector. This leaves a significant number of applications vulnerable, all because securing all the software a modern business needs in today's digital economy can be expensive and time consuming -- especially if the enterprise is relying on on-premises tools that cannot scale with the business.
Insurers need to think about security in terms of reducing risk. As web applications are the most common attack vector, it makes sense for enterprises to take the first "huge leap" to reducing risk by creating a secure web perimeter. Insurers should also integrate security into the application development process so that the applications they are building are more secure. And after the Community Health breach, insurers also need to think about the components being used to augment their internal development efforts.
Let's hope law enforcement is able to find exactly how this breach occurred and help stop similar breaches in the future. In the meantime, insurance agencies can take fate into their own hands and embark on risk reduction programs.