In theory, a smarter internet exists on Web 3.0, sole ownership of digital identities live through self-sovereign identity and distributed services flourish in a decentralized web.
The initiatives will make room for improved security, but no one can accomplish that just yet.
Data flows so easily between entities that securely storing it with each transfer and action is a fool’s errand. Sure, there are companies that are good at protecting data, but those companies are only as strong as the weakest link in their respective supply chains.
Quest Diagnostics and LabCorp’s weakest link, in this case, was their billing collector American Medical Collection Agency (AMCA).
“Frankly, I think this is a hopeless situation,” Avivah Litan, distinguished VP analyst at Gartner, told CIO Dive.
“There are so many backend data aggregators, brokers, service providers and more in between consumers and the companies that directly service them,” Litan said. “Only a radical re-architecting of how consumer data flows and who controls it will make any serious difference to protecting it.”
Web 3.0, self-sovereign identity and a decentralized web are decades away at best, which means breaches will continue, followed by companies atoning their faults by offering free credit monitoring. (AMCA is offering 24 months of credit monitoring for impacted individuals.)
It’s all in a breach
The healthcare industry, accounting for one-third of all potential compromised records, led other industries in cybersecurity breaches in 2018. On average, healthcare organizations allow 36 days to pass between initial intrusions and detection, followed by an additional 10 days to contain it.
AMCA’s unauthorized access went on for about eight months, between August, 2018 and March, 30, 2019. The intrusion impacted AMCA’s customers, including nearly 12 million patients of Quest Diagnostics and almost 8 million of Quest’s rival, LabCorp.
AMCA told the clinical laboratory companies it experienced “potential unauthorized activity” on its web payment page, according to Quest’s latest SEC filing.
The intrusion granted unauthorized access to Quest’s financial information, including credit card numbers and bank account information of patients, as well as medical and other personally identifiable information (PII) like social security numbers.
LabCorp’s compromised data includes first and last name, date of birth, address, phone, date of service, provider and balance information, according to the company’s SEC filing, detailing AMCA’s breach. Unlike Quest, LabCorp “provided no ordered test, laboratory results, or diagnostic information to AMCA,” therefore leaving medical records untouched. LabCorp’s patient social security numbers and other PII are not stored by AMCA, leaving Quest to feel most of the heat.
The AMCA breach just scratches the surface in scale of health insurer Anthem’s 2015 breach, which exposed 80 million members and employees. The breach is believed to be the result of a nation-state attack after the company failed to patch a known vulnerability. Anthem was further criticized for having a slow notification process and having unencrypted PII and health data.
AMCA, however, is undergoing a post-mortem investigation to find where the company went wrong and who gained access.
“Upon receiving information from a security compliance firm that works with credit card companies of a possible security compromise, we conducted an internal review, and then took down our web payments page,” AMCA said in an emailed statement to CIO Dive.
The billing company “migrated our web payments portal services to a third-party vendor” and sought help from other advisors and law enforcement.
But AMCA stops short of calling the cybersecurity incident a breach, instead referring to it as a “potential breach,” according to the statement.
The word “breach” has an unforgiving connotation that makes companies appear irresponsible. Equifax’s breach, two years on, is still impacting the company’s reputation. Most recently, the credit firm received its first outlook downgrade from Moody’s because of the breach.
But unlike Equifax, AMCA’s “potential breach” is having a ripple effect through its healthcare customers.
“It’s a shared responsibility, frankly,” Litan said. Ensuring security is up to par outside of one’s own organization seems like an impossible task, but it’s necessary. “Unfortunately, no one can trust anyone’s security practices without verifying them continuously.”
Even if an ecosystem partner is more or less trustworthy, their security “must be consciously assessed,” Litan said.
Checking the vitals
Compromised medical records further cheapens consumers’ trust in big business to protect data. When healthcare data is added to stolen data, it elevates the stakes for bad actors and their potential victims.
Bad actors could “socially engineer target victims by pretending to be a medical provider, sending an email with lab results which actually has malware inside when the lab results are opened,” said Litan.
Because medical records often include information with access privileges limited to the patient and the doctor, attackers could ask for a ransom or threaten the release of data, Matt Kunkel, CEO at LogicGate, told CIO Dive. Secondary attacks — disguised as ransomware, phishing schemes or identity theft — are more likely, as bad actors can craft more detailed individual profiles of victims.
Medical records give attackers a more intimate picture, something a name and social security number cannot do. Health records can be “used by nation states to actually kill a target victim,” Litan said. The crime could be carried out by disguising dangerous materials in legitimate-looking pharmaceutical packages delivered to patients.
The seriousness of the situation is not lost on Congress, which has heard testimony from a number of breached companies’ executives. Three U.S. senators, including Democrats Bob Menendez and Cory Booker of New Jersey and Mark Warner of Virginia, issued letters of distress to the CEO of Quest Diagnostics.
“While I am heartened to learn that no evidence currently suggests Quest Diagnostics’ systems were breached, I am concerned about your supply chain management, and your third party selection and monitoring process,” Warner wrote. “I would like more information on your vendor selection and due diligence process … given the vulnerability and information security failures of this one.”
Menendez and Booker asked Quest how many times the clinical laboratory conducted a security test “which evaluates both Quest Diagnostics’ systems as well as the systems of any companies it outsources to” during the period of AMCA’s exposure.
Jeff Roth, southeast regional director at security consultancy NCC Group told CIO Dive that, based on the state of commercial and government supply chains, companies need to consider the following:
What is the amount and type of services they outsource? Who is offshore?
How and to what degree are security requirements followed by service providers, business partners and subcontractors?
What is the depth and frequency of supply chain threat and risk analytics?
Does the company have adequate resources to implement an effective agile and effective supply chain cybersecurity program?
Key risk factors in the supply chain include: Increased use of managed services lacking qualification, failure to incorporate a company’s cybersecurity requirements with its vendor, and inadequately fully integrating in the supply chain within a company’s continuous threat monitoring, Roth said.
The same standards a company holds itself to are what they should expect from partners well before a security contract is signed.
With security as a service, companies cannot assume providers will take the reins on every issue; most of the time they just provide a firewall. Followup questions — which services they provide, how often they deploy patches, vulnerability analysis, and finally, how much those services cost — are needed. The same is true of its other vendors.
Before locking in a vendor, companies should have strict requirements in place to ensure the confidentiality of their client data, said Asher de Metz, lead security consultant at Sungard Availability Service, in an email to CIO Dive.
If more AMCA clients come forth with secondary breach impact, questions similar to the senators’ will arise. Did the company require AMCA to provide evidence of pen testing? What its security program data is, Metz asked. “Companies should not blindly trust their partners.”
The senators want to understand how a third party’s fault could impact patients so severely. The intrusion happened inside AMCA, but the fault is shared through its partner ecosystem.
Contract requirements lock in expectations of partners in the supply chain ecosystem. They also enlist a single entity to disclose to shareholders, customers, the public and regulatory agencies, said Roth. Everyone else on the supply chain has a role to play in incident recovery.
“The primary reason for this is to prevent inaccurate or even misleading releases of information or release of information that could hamper criminal and civil investigations,” Roth said.