[BreachExchange] Insurer Races to Fix Security Flaws After Whistleblower Alert

Destry Winant destry at riskbasedsecurity.com
Tue Dec 17 09:21:12 EST 2019
Blue Cross and Blue Shield Minnesota is reportedly racing to address
tens of thousands of security vulnerabilities after a whistleblower on
the health insurer's security team alerted the company's board of
trustees about the problems.

A report in the local newspaper The Star Tribune says BCBS Minnesota
is scrambling to boost its security after a cybersecurity engineer at
the company warned that about 200,000 vulnerabilities rated as
"critical" or "severe" were allowed to linger for years on its
computer systems.

The company is working to address as many of the security
vulnerabilities as possible by the end of the year, the Star Tribune

BCBS Minnesota insures about 2.9 million individuals, including about
1 million outside the state, according to the company's website.

Mounting Problems?

In August 2018, Tom Yardic, a cybersecurity engineer at BCBS
Minnesota, met with company executives to point out that "important
patches weren't getting done" by the company, the Star Tribune

On Sept. 16 of this year, Yardic emailed the insurer's board of
trustees about the problems, "a last ditch effort to push for change,"
the newspaper reports.

Internal documents obtained by the newspaper show that at its peak,
BCBS Minnesota's network had about 200,000 vulnerabilities classified
as "critical" or "severe" on roughly 2,000 servers, the Star Tribune
reported. At least 89,000 of those vulnerabilities were more than
three years old as of the end of last year, and about 24,000 dated to
2010 or earlier, according to the newspaper.

"Minnesota Blue Cross did not dispute the accuracy of the number of
past vulnerabilities ... but ... said the current totals are lower -
much lower in the case of workstations," the newspaper states.

Neither BCBS Minnesota nor Yardic immediately responded to Information
Security Media Group's requests for comment.

Common Problems

Healthcare organizations tend to lag in terms of patching, updates and
preventive maintenance, which leads to higher numbers of
vulnerabilities, says David Finn, executive adviser at security
consultancy CynergisTek, who's a former healthcare CIO.

The reported high number of vulnerabilities at BCBS Minnesota,
however, "seems excessive, even for a large organization," he notes.

"In the provider space, there are often many 'excuses' for delaying
these types of efforts, but in the payer space, it does seem to be a
simple lack of focus on basic IT and security best practice," he says.
"I've actually seen servers that hadn't even been rebooted for many
years, a pretty clear indication that regular maintenance is not being


Servers running critical systems often have no scheduled downtime, so
they fall behind in terms of normal upkeep, he says.

"Often this kind of maintenance falls to IT and not security, but
security is reliant on keeping things current," he says. "So if the
disconnect is between IT and security, that may indicate an even
bigger organizational issue."

No Breaches?

The Department of Health and Human Services' HIPAA Breach Reporting
Tool website listing health data breaches impacting 500 or more
individuals does not show any incidents reported by BCBS Minnesota
since HHS began keeping its public tally in 2009.

But three of the five largest breaches posted on the HHS website were
reported in 2015 by health insurers. That includes the largest of all
health data breaches - a cyberattack on Anthem Inc. that affected
nearly 79 million individuals.

Other major health insurer breaches affected Premera Blue Cross,
exposing data on 11 million individuals, and Excellus BlueCross
BlueShield, impacting 10 million individuals.

So, are insurers a bigger target for hackers than other organizations
in the healthcare sector?

"The data and the value of that data is the same whether it comes from
a payer or a provider," Finn says. "The payers aggregate data from
multiple providers, so they tend to have even more of that highly
valuable data in a one-stop shopping situation. The bad guys ... seek
the easiest entrance. If you are running known vulnerabilities, the
bad guys will find them and exploit them."

Insider Frustrations

Finn predicts other whistleblowers will emerge to expose security
vulnerabilities at healthcare organizations. "Security people in any
sector can get pretty frustrated, and in healthcare I think we run
close to the boiling point," he says.

Businesses that fail to address security "invite whistleblowers," he
adds. "The whistleblowers are usually trying to do the right thing. No
one will ever be able to fix everything all at once. We need to do the
work. Patching does take time, but typically doesn't cost money - and
it isn't just IT's time or security's time. The business has to
determine those windows to minimize business or clinical impact."

So, what can organizations do to address their security
vulnerabilities faster and effectively, before problems pile up and a
serious breach or other incident happens?

"It is pretty simple, actually: We have these things called best
practices in IT - and don't get me wrong, there will always be
exceptions, but we have to do the work," Finn says.

"Information is the most critical asset in healthcare today, and to
keep it on systems that are not up to date and protected is negligent,
in my opinion."
