What We Should Learn from Cases Like Banner Health

August 05, 2016

Just two days ago, on August 3rd, 2016, Banner Health announced that it was the victim of a sophisticated data breach involving the loss of both Payment Card Information and Personal Health Information (PHI). Banner Health is one of the largest nonprofit health care systems in the country. Located in Arizona, Banner owns and operates hospitals, clinics, and home care and hospice services in Alaska, Arizona, California, Colorado, Nebraska, Nevada and Wyoming.


Banner released a statement on the data breach that revealed some details about the data the hackers gained access to, but little about the hackers' methodology. From the statement it's clear that the hackers were able to access payment card information, as well as patient health information and even physicians' personal information. Banner is alerting 3.7 million patients, health plan members and beneficiaries, food and beverage customers and physicians and healthcare providers that their information was subjected to the cyber attack. Whether that is the total count of victims remains to be seen.

While Banner did not explicitly state that the hackers were able to piggyback from the POS system into other systems in order to gain access to patients' PHI, it's not a stretch to come to this conclusion. We've seen similar piggybacking schemes in recent history, such as the Target and Home Depot breaches, in which hackers were able to enter one system, then patiently move through other systems until they gained access to the data they valued.

In the case of Target, the origin of the data breach was an HVAC vendor, which some may have considered low risk. From the Banner statement, it appears that the breach came through the POS system, which would likely be considered by most to be a high-risk vendor. The provider of the Banner POS system was also not named in the statement.

Third-party vendors, particularly POS vendors, make very appealing targets for hackers who seek to gain access to large organizations. The recent Verizon Data Breach Investigations Report revealed that ninety-seven percent of breaches featuring use of stolen credentials involved a partner.

One of the challenges that CIOs face is that it's very difficult to understand every risk inherent in every vendor. Not only that, but they also need to understand the risks that exist once a vendor is hacked. Once the hackers are inside your walls, where is the low-hanging fruit? Which systems are connected? And what will be the hackers' path to the information they value?

Hackers are becoming more sophisticated and patient. Many breaches are not quick hit-and-runs. Hackers can take months planning and executing the breach of the initial system, and then many more months quietly navigating to the data they are seeking. CIOs need to understand the connections. They need to understand the external threat vectors, as well as the internal threat vectors that arise after the initial breach. It can be a real challenge balancing security with the functionality and ease of use needed for business operations.

Tools such as Whistic are making it easier to understand the risks of vendors based on the vendors' internal security controls, as well as the vendors' access points to the primary company's internal systems.

About Whistic

Whistic is an award-winning risk assessment and analytics platform that makes it easy for companies to assess service providers or self-assess against compliance and security standards (e.g. PCI DSS). Headquartered in Orem, Utah, at the heart of the Silicon Slopes, Whistic is the creator of the CrowdConfidence™ scoring algorithm that leverages the wisdom of crowds to assess the residual risk of sharing data with a vendor. Whistic was the recipient of the “Best Enterprise” award at the World’s Largest Startup Event: Launch Festival 2016.

For more information about Whistic, visit: https://www.whistic.com.
