Insurer Races to Fix Security Flaws After Whistleblower AlertReport: Blue Cross and Blue Shield Minnesota Had Thousands of Old 'Critical' Vulnerabilities
Blue Cross and Blue Shield Minnesota is reportedly racing to address tens of thousands of security vulnerabilities after a whistleblower on the health insurer's security team alerted the company's board of trustees about the problems.
A report in the local newspaper The Star Tribune says BCBS Minnesota is scrambling to boost its security after a cybersecurity engineer at the company warned that about 200,000 vulnerabilities rated as "critical" or "severe" were allowed to linger for years on its computer systems.
The company is working to address as many of the security vulnerabilities as possible by the end of the year, the Star Tribune reports
BCBS Minnesota insures about 2.9 million individuals, including about 1 million outside the state, according to the company's website.
In August 2018, Tom Yardic, a cybersecurity engineer at BCBS Minnesota, met with company executives to point out that "important patches weren't getting done" by the company, the Star Tribune reports.
On Sept. 16 of this year, Yardic emailed the insurer's board of trustees about the problems, "a last ditch effort to push for change," the newspaper reports.
Internal documents obtained by the newspaper show that at its peak, BCBS Minnesota's network had about 200,000 vulnerabilities classified as "critical" or "severe" on roughly 2,000 servers, the Star Tribune reported. At least 89,000 of those vulnerabilities were more than three years old as of the end of last year, and about 24,000 dated to 2010 or earlier, according to the newspaper.
"Minnesota Blue Cross did not dispute the accuracy of the number of past vulnerabilities ... but ... said the current totals are lower - much lower in the case of workstations," the newspaper states.
Neither BCBS Minnesota nor Yardic immediately responded to Information Security Media Group's requests for comment.
Healthcare organizations tend to lag in terms of patching, updates and preventive maintenance, which leads to higher numbers of vulnerabilities, says David Finn, executive vice president at security consultancy CynergisTek, who's a former healthcare CIO.
The reported high number of vulnerabilities at BCBS Minnesota, however, "seems excessive, even for a large organization," he notes.
"In the provider space, there are often many 'excuses' for delaying these types of efforts, but in the payer space, it does seem to be a simple lack of focus on basic IT and security best practice," he says. "I've actually seen servers that hadn't even been rebooted for many years, a pretty clear indication that regular maintenance is not being performed."
"Information is the most critical asset in healthcare today, and to keep it on systems that are not up to date and protected is negligent."
—David Finn, CynergisTek
Servers running critical systems often have no scheduled downtime, so they fall behind in terms of normal upkeep, he says.
"Often this kind of maintenance falls to IT and not security, but security is reliant on keeping things current," he says. "So if the disconnect is between IT and security, that may indicate an even bigger organizational issue."
The Department of Health and Human Services' HIPAA Breach Reporting Tool website listing health data breaches impacting 500 or more individuals does not show any incidents reported by BCBS Minnesota since HHS began keeping its public tally in 2009.
But three of the five largest breaches posted on the HHS website were reported in 2015 by health insurers. That includes the largest of all health data breaches - a cyberattack on Anthem Inc. that affected nearly 79 million individuals.
So, are insurers a bigger target for hackers than other organizations in the healthcare sector?
"The data and the value of that data is the same whether it comes from a payer or a provider," Finn says. "The payers aggregate data from multiple providers, so they tend to have even more of that highly valuable data in a one-stop shopping situation. The bad guys ... seek the easiest entrance. If you are running known vulnerabilities, the bad guys will find them and exploit them."
Finn predicts other whistleblowers will emerge to expose security vulnerabilities at healthcare organizations. "Security people in any sector can get pretty frustrated, and in healthcare I think we run close to the boiling point," he says.
Businesses that fail to address security "invite whistleblowers," he adds. "The whistleblowers are usually trying to do the right thing. No one will ever be able to fix everything all at once. We need to do the work. Patching does take time, but typically doesn't cost money - and it isn't just IT's time or security's time. The business has to determine those windows to minimize business or clinical impact."
So, what can organizations do to address their security vulnerabilities faster and effectively, before problems pile up and a serious breach or other incident happens?
"It is pretty simple, actually: We have these things called best practices in IT - and don't get me wrong, there will always be exceptions, but we have to do the work," Finn says.
"Information is the most critical asset in healthcare today, and to keep it on systems that are not up to date and protected is negligent, in my opinion."