March 17, 2015

It Happened to Anthem, Could it to You?

Healthcare Security Breaches

On January 29, 2015, Anthem woke up to every healthcare payer’s nightmare.

They discovered that highly sophisticated cyber attackers had gained access to Anthem’s IT systems and stolen member information. The attack had apparently occurred in early December 2014.

Healthcare IT Security

To Anthem’s credit, they were quick to make the information about the attack public, took immediate steps to close off the breach, and they’re actively supporting the FBI’s investigation. But once data is stolen, it’s stolen. If cyber criminals plan to sell or share it, or to use it to commit fraud, they can and they probably will.

And hackers who break in, steal data, and then disappear are just one of the threats that healthcare IT teams have to watch out for. An even stealthier breed of cyber criminal will slip into a network and lurk in the shadows, watching transactions and stealing an even broader range of consumer data. These attacks are becoming less and less detectable by the security tools IT professionals are using — and they’re causing bigger and bigger headaches.

How Can We Make Healthcare IT Systems More Secure?

What can you do about IT system security when you’re not sure where to start? Many healthcare organizations simply follow regulatory guidelines for securing applications and systems. This approach may protect an organization from fines, but it won’t necessarily protect it from hackers. That’s because hackers are always a step or two ahead of the latest security strategies. By the time the good guys have caught up with the hackers’ latest form of malfeasance, they’re developing a new one.

The bottom line is that we’ll never eliminate security risks from IT systems. But there’s a key step you can take to protect your healthcare organization from intrusions. It has to do with the people you hire to develop your applications.

If your organization is like most, you regularly contract freelance Java developers to help you deliver applications on time. Outsourcing can be a great strategy for getting quality code at a good price.

But how confident are you that the code your partners deliver will be as secure as possible? Will it introduce “back doors” that hackers can exploit to gain access to your systems and data? Might this code even weaken the security measures you’ve already put in place?

Do your development partners truly understand how a healthcare organization works, and the best practices, regulatory requirements and specific security measures healthcare organizations need in order to protect data?

What to Ask Your Next IT Partner

Java development partners may claim they’re “up-to-date on all the latest security concerns and measures.” Don’t just take them at their word. Grill them on the specifics.

For example, here are the top 10 security vulnerabilities we most often see healthcare organizations overlook today:

  1. Injection – embedding untrusted data in a command or query, allowing hostile data to execute unintended commands.
  2. Cross-site scripting – allowing attackers to execute unauthorized scripts in your users’ browsers.
  3. Broken authentication and session management – compromising passwords, session tokens and login credentials, letting others assume your identity.
  4. Insecure direct object references – exposing internal object references (such as database keys or file names) that lead to unauthorized access to private data.
  5. Cross-site request forgery – forcing a logged-in user’s browser to send “forged” and malicious requests to your site.
  6. Security misconfiguration – failing to apply appropriate security settings, leaving your servers at risk of attack.
  7. Sensitive data exposure – leaving credit card numbers, tax IDs and other sensitive data unprotected and a target for hackers.
  8. Missing function level access control – failing to verify authorization on the server for each function, leaving gaps at various levels of the system architecture.
  9. Using components with known vulnerabilities – running vulnerable libraries and modules, often at full privileges, and increasing the risk of data loss or server takeover.
  10. Unvalidated redirects and forwards – allowing users to be redirected to phishing or malware sites.
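To make item 1 on the list concrete for the Java developers the article has in mind, the following is an added example (not code from the original article or from Vicert) showing a database lookup written two ways: first with the caller’s input concatenated into the SQL text, then with a bound parameter. It assumes a hypothetical `members` table with columns `member_id`, `last_name` and `plan_id`, and a JDBC `Connection` supplied by the caller.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

/**
 * Injection (item 1) illustrated with JDBC.
 * Assumed schema (hypothetical): members(member_id INT, last_name VARCHAR, plan_id INT).
 */
public class MemberLookup {

    // VULNERABLE: the caller-supplied last name becomes part of the SQL text.
    // A quote character in the input ends the string literal early, and whatever
    // follows is parsed by the database as SQL, not as data. This is the pattern
    // a code review of delivered Java should flag and reject.
    public static List<Integer> findByLastNameUnsafe(Connection conn, String lastName)
            throws SQLException {
        String sql = "SELECT member_id FROM members WHERE last_name = '" + lastName + "'";
        List<Integer> ids = new ArrayList<>();
        try (Statement stmt = conn.createStatement();
             ResultSet rs = stmt.executeQuery(sql)) {
            while (rs.next()) {
                ids.add(rs.getInt("member_id"));
            }
        }
        return ids;
    }

    // HARDENED: the query text is fixed at compile time and the value is bound
    // as a parameter. The JDBC driver sends the value separately from the
    // statement, so the database only ever treats it as data.
    public static List<Integer> findByLastNameSafe(Connection conn, String lastName)
            throws SQLException {
        String sql = "SELECT member_id FROM members WHERE last_name = ?";
        List<Integer> ids = new ArrayList<>();
        try (PreparedStatement stmt = conn.prepareStatement(sql)) {
            stmt.setString(1, lastName);
            try (ResultSet rs = stmt.executeQuery()) {
                while (rs.next()) {
                    ids.add(rs.getInt("member_id"));
                }
            }
        }
        return ids;
    }

    // Defense in depth: an allow-list check on the shape of the input, applied
    // before the query. This does not replace parameter binding; it limits what
    // reaches the database at all and gives a clear audit point for rejections.
    public static boolean isPlausibleLastName(String lastName) {
        return lastName != null
                && lastName.length() <= 64
                && lastName.matches("[\\p{L}' -]+");
    }
}
```

When reviewing a partner’s deliverable, the thing to look for is any `Statement` built from string concatenation with request data; every such query should be rewritten in the form of `findByLastNameSafe`, and the same principle (fixed command text, data bound separately) applies to LDAP queries, OS commands and other interpreters, which are also covered by the injection category.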

Healthcare IT Security: An Approach That Works

Threats to your data are many—and complex. Securing your systems is a task that lies far beyond the capabilities of any one developer. It requires a systematic approach from an IT team that uses proven tools and processes to protect systems and data.

That’s why Vicert spent the last decade developing, implementing, and applying best practices for secure software development in the healthcare industry. We know how healthcare organizations work. We know where their biggest security threats lie. And we have a track record of helping healthcare IT organizations go above and beyond regulatory requirements to offer the highest levels of security.

At Vicert, we believe in the value of sharing our knowledge and experiences in articles like this. Don’t miss out.

Author: Dejan Nedic