Excellus Blue Cross/Blue Shield and Lifetime Health is sending letters to subscribers whose personal information may have been exposed in a cyber attack on the area's largest health insurer's IT systems.
The personal data of approximately 10 million individuals may have been compromised. The attack exposed information such as birth dates, social security numbers, and in some cases, personal medical information.
The FBI is investigating what is likely the largest data security breach in local history.
Click on the listen link at the top of this story to hear an interview with Andy Meneely, assistant professor of software engineering at RIT, or read the transcript of the interview below.
Beth Adams: Excellus says it discovered on August 5th that hackers had unauthorized access to its database. Why do you think we’re just hearing about this now, more than a month later?
Andy Meneely: It actually makes a lot of sense that we’re hearing about it now. When something like this happens first you need to get in touch with the FBI, you need to get in touch with the security consulting firm, you need to make sure that your system truly is secure before you make an announcement like this. So, holding onto it for a month does make sense. My understanding is, for the last month they’ve been doing a forensic analysis, and they found that the attack has gone back to December, 2013. And so whenever you have that, there’s gonna be an enormous amount of forensics to look at, to determine what actually happened, so that we can prevent this from happening again.
Beth: According to one digital security company, more than 20 percent of data breaches this year have happened in the health care sector. In fact it was because of those attacks Excellus hired that computer security consultant to conduct the forensic assessment that you just mentioned of its IT systems. Why do you think health insurance companies are often the target of these attacks?
Meneely: Well, so the market for data is constantly changing, and so attackers are looking for different things over time. Credit cards were one of the first things that attackers went after 20 years ago. But now they’re looking at other ways of using data about us to make money, to -- for extortion, for blackmail, for whatever it is. So there are certainly are trends in different sectors where security kind of begins to matter a little bit more.
Beth: Are attackers in cases like these often thought to be from overseas, and does that add anything to the equation here?
Meneely: Attribution is really, really hard in computing. And so it is, actually, very easy to mask where you come from, especially if, in this case Excellus, the attackers were given root access to the machines, and so they actually had the ability to wipe away their tracks if they were good enough. Or even lay down tracks that looked like it was a foreign nation or something, so, I’m hesitant to say that it could have been another country, and certainly, if I was an attacker-- because that’s the media narrative, I might put that in that in there. Attribution is just really hard, in security.
Beth: What should companies be thinking about to stay up to date with technology, to protect their database and their customers’ information? We’ve heard as we’ve mentioned that the forensic company was hired from the outside to be looking at this. Should those people be on staff at companies that are large enough and vulnerable enough to these kinds of attacks.
Meneely: Absolutely, they should. When I look at this -- look, I actually was -- am likely a victim of this attack, and we look at other attacks on Office of Personnel Management at the Federal Government and various other attacks. When I see all these attacks in general, I see a failure of our workforce to really grasp the needs of security. And I don’t just mean, things like, people like system administrators. I also mean software engineers, computer scientists, even mathematicians need to be thinking about security. So to me what we really have is an education problem. And so I would advise these companies to make sure that when they hire software engineers, when they hire just computing professionals in general, that they need to make sure that they have an understanding of security. RIT has been doing an enormous amount in recent years, to push for this. And we don’t just -- we educate students who actually go work for Mandient –that’s the company that Excellus has working for them, and we have a lot of student who go there, who are experts. But we also need just security-conscious computing employees, who understand the needs as it applies to their own job. Because security really impact everybody, as we’re learning.
Beth: So what do you say to the average non-tech person -- the average consumer, who, like you, might have been vulnerable to having their data stolen in a case like this? Should we be paranoid?
Meneely: I don’t think we should be paranoid. So, I look at vulnerabilities every day. And I will tell you that I look at the specific technical ways that attackers break in, and I’ll tell you that most of the time, it’s actually very simple, and it’s very fixable. As a patient and a customer, I am initially paranoid, and terrified and appalled. But then when I look at this as professional and I look at what these mistakes often are, they’re actually often very fixable. So I don’t think that we will ever truly be secure. I think that we can be a lot more secure. And I think that we will in the coming years. I think when you look nationwide at universities; they are educating students much better in security. To people who were victims of this attack, I gotta tell you as a professor, I’m sorry. We let you down. But we are producing better students, who will go into the workforce and make our systems more secure.
Andy Menelley is assistant professor of software engineering at Rochester Institute of Technology, Rochester, NY.