Healthcare industry, listen up: you're a prime target for cyberattacks. If you don't think so, just ask Anthem – or virtually every IT security expert out there. They're all saying the same thing.
"This should serve as yet another wake up call for those who haven't gotten it yet," said Mac McMillan, co-founder of healthcare security consulting firm CynergisTek. "Healthcare is a target."
Indeed, Anthem has notified 80 million of its members
and employees that their Social Security numbers, dates of birth and personal data were swiped in one of the nation's biggest cyberattacks yet. An outlier, you say? Don't' forget the nearly 42 million people who have had their health data compromised in HIPAA breaches. Or perhaps the whopping 130 million affected by the Heartland Payment Systems breach in 2008. Then there's the Target breach, Community Health Systems Heartbleed attack
, Sony – you see the trend.
But why healthcare?
"Cybercriminals view healthcare organizations as a soft target compared with financial services and retailers," said Lynne Dunbrack
, research vice president of IDC Health Insights
, a health IT research and consulting firm. "Because historically, healthcare organizations have invested less in IT, including security technologies and services than other industries, thus making themselves more vulnerable to successful cyberattacks."
Deep Panda has been described as a "quite sophisticated group," according to a report
by Bloomberg's Mike Riley. But "that can mean a lot of things." And it doesn't necessarily denote Anthem's security was sophisticated. For one, as Riley pointed out, the health insurer did not keep its members Social Security numbers encrypted, citing a difficulty to use that encrypted data. But in the end, "that means it was much easier to steal," he said.
Kevin Johnson, white hat hacker and chief executive officer of the security consulting firm Secure Ideas, also questioned whether the cyberattack was actually "sophisticated," as Anthem's CEO Swedish described. Johnson, who has done extensive work for insurance companies, both as a consultant and as a security admin, said a lot of attacks and breaches he sees have nothing to do with sophistication.
"I have never found an insurance company that required a sophisticated attacking incident," said Johnson. "Period." Although he has not worked with Anthem before, Johnson said they're all very similar in that they have behemoth networks and "tons of systems" that make it challenging from a security perspective.
"Is it impossible to secure a system?" asked Johnson. "Yes, dammit, it's impossible to secure a system 100 percent…but we don't want it secured 100 percent because we want to see who did this," he added. "Your job as the defender is not to keep out every attacker. Your job is to keep out as many as you can, raise the bar and detect them when they come, as fast as possible."