News Feature | April 8, 2015

Premera Audit Revealed Vulnerabilities Prior To Hack

Christine Kern

By Christine Kern, contributing writer

Data Breach Cost Of $5.6 Billion Predicted For Healthcare In 2015

The incident should serve as a warning to bolster security and monitoring to prevent attacks.

The recent Premera Blue Cross cyberattack, which may have impacted as many as 11 million customers, may also have been predicted when an audit revealed existing vulnerabilities in the healthcare system’s security protocols. According to Fierce Health IT, Premera had received results of an audit warning of numerous security issues three weeks before it was breached.

The audit was provided by the U.S. Office of Personnel Management's Office of the Inspector General and was performed on April 18, 2014. According to Premera, an investigation revealed an initial malware attack dating to May 5, 2014 which went undetected until January 29, 2015.

Dave Kennedy, chief executive of TrustedSEC and a healthcare security expert, told The New York Times the Premera incident was the largest breach of patient medical information reported to date. Although the recent Anthem breach and the 2014 breach of Community Health Systems each involved larger numbers of records than the Premera attack, those earlier attacks are not believed to have violated medical information.

The audit report details Premera’s lack of thorough network security controls, noting the company’s patches were not being implemented in a timely manner. It further notes there had been no methodology to ensure unsupported out-of-date software is not utilized and it had an insecure server configuration. Significantly, the authors reported a vulnerability scan revealed several servers contained insecure configurations which could allow hackers access to sensitive information.

The audit also revealed that room for improvement on the physical access controls to the Premera’s data center and a lack of compliance with its password policy. Premera’s disaster recovery testing planning methods were also found lacking, an assessment with which the insurer took issue.

In response to the audit, Premera stated that it planned to resolve its security shortcomings by Dec. 31, 2014 but noted some disagreements with the OPM's recommendations. In an interview with The Seattle Times, a spokesperson for the company said the concerns outlined in the audit and the hack were separate issues.

Although the time frame between the audit and the discovery of the hack was short, suggesting Premera might not have had time to adequately respond to fend off the attack, the incident does highlight the need for healthcare to be more vigilant in maintaining and upgrading the security of their systems to fend off likely cyberattacks in the future. The costs of upgrading security now could be a drop in the bucket when compared to the financial implications of a future breach.