Better Health Care Data Leak Prevention Through Continuous Endpoint Visibility
On January 29, 2015 a large-scale cyberattack was discovered by Anthem Inc. against their IT and data systems. The health care data leak was believed to have occurred over a several week period starting around early December 2014 and targeted personal data on Anthem’s database infrastructure as well as endpoint systems. The stolen information included dates of birth, full names, health care identification numbers and even social security numbers of customers and Anthem employees. The exact number of people affected by the breach is unknown but it is estimated that nearly 80 million records were stolen. health care data tends to be one of the most lucrative sources of income for hackers selling records on the dark market.
Forbes and others report that attackers used a process-based backdoor on clients connected to Anthem databases in combination with compromised admin accounts and passwords to slowly steal the data. The actions taken by the hackers posing and operating as administrators are what eventually brought the breach to the attention of security and IT teams at Anthem.
This type of attack illustrates the need for continuous endpoint visibility, as endpoint systems are a constant infection vector and an avenue to sensitive data stored on any network they may connect to. Simple things like never-before-seen processes, strange network connections, new user accounts, and unauthorized administrative activity are common calling cards of the onset of a breach and can be easily identified and alerted on given the right monitoring tool. When alerted to these conditions in real-time, Incident Responders can pounce on the intrusion, find patient zero, and hopefully mitigate the damage rather than allowing attackers to roam around the network unnoticed for weeks.