Professionalism/Tom Yardic and Blue Cross Blue Shield of Minnesota

The Blue Cross Blue Shield Association (BCBSA) is a large 501(c)(4) public welfare organization formed under the merger of Blue Cross and Blue Shield in 1982 [1]. BCBSA is an entity composed of 35 distinct health insurance companies in the United States.[1] In 2018 Tom Yardic, a cybersecurity engineer at BCBS of Minnesota, raised internal concerns about critical vulnerabilities discovered on company servers. [2] Over 200,000 critical vulnerabilities were detected, which infiltrated over 2000 separate servers. Some of the earliest threats dated back to 2010, and more than half of them existed for more than three years. [2] This ongoing problem heightened the risk for clients at BCBS of Minnesota. While BCBS of Minnesota is only a chapter of the national BCBSA, they still insure an mighty 3.9 million clients.[3] The insured contracts hold a monetary value of approximately 6 billion dollars. New cloud-based healthcare innovations have emerged in the past few years and increased physicians' efficiency, thus allowing more patients to be served per medical practice.[3] However, vulnerabilities in these systems can lead to potential medical fraud and other leaks.


In September of 2019 his team had still ignored his requests to install software patches. Since BCBS had failed to adequately address the detected vulnerabilities, Yardic escalated the issue by emailing the CEO and Board of Trustees explaining how severe the issue was on September 16th. [2] “I am sending this e-mail because I have been unable to impact the situation within the avenues the organization provides,” wrote Yardic. “What has not happened is a serious attempt to remedy the situation.”[3] Yardic ultimately left BCBS to continue his career as a process improvement consultant, but not before he confirmed the issues would be addressed. In December of 2019 BSBS released a statement from its IT security officer highlighting their dedication to cybersecurity only days before their systems' flaws were made public in local news.[3] The company dedicated time in 2020 to repairing and patching these expansive exposures. Yardic's conduct exemplified professionalism, while also highlighting broader cybersecurity issues occurring within other BCBS entities.[3]

Background InformationEdit

Blue Cross Blue Shield AssociationEdit

 
One of the 35 companies that comprise the BCBSA

The Blue Cross Blue Shield Association is a federation of United States Health Insurance companies that insure a third of all Americans. Its 35 component companies operate on either a state or regional levels, they also vary in their status as either non-profit or for-profit enterprises. The Blue Cross Blue Shield of Minnesota is classified as a single-state, not-for-profit company. [1]

Relevant Cyber Security ConceptsEdit

Vulnerabilities and PatchingEdit

A vulnerability in software terms is a weakness which can be exploited by a cyber attacker to gain unauthorized access to or perform unauthorized actions on a computer system. Vulnerabilities can come from a multitude of sources and vary in how difficult and time consuming they are to address. Vulnerabilities are addressed through the patching process.

A patch in programming terms is an update that fixes vulnerabilities and other problems within software. While patching seems straightforward, a company must make some considerations beforehand. It can take hours for a company to implement a patch to their software systems, which translates to lost revenue. So in response many companies patch very infrequently to reduce the impact on normal business operations. Patching less frequently has its risks, in a survey of companies affected by data breaches, 60% of them knew about the vulnerability that would go on to become a data breach before it had occurred, but for whatever reason did not patch it beforehand.[4]

PhishingEdit

Phishing attacks come in the form of fabricated emails meant to trick the receiver into giving up sensitive login information, which bad-actors and hostile organizations use to access private data.

Prior BreachesEdit

There are other examples examples of customer information breaches that happened in the U.S. prior to Tom Yardic's professional incident.

EquifaxEdit

In 2017, the credit bureau Equifax back in 2017 had an information breach. The cause of the breach was a third-party software vulnerability that was already patched, however the patch was not implemented on Equifax’s servers, leading to one of the largest cyber-crimes involving identity theft to date, 148 million members were affected. Equifax had been warned 2 months before the breach of the exploit, but still chose not to patch it.[5]


Anthem and Idaho Blue CrossEdit

In 2015, Anthem, another company of the BCBSA from 2015 experienced a breach. The cause of the breach was a phishing attack that allowed hackers to steal a database admin’s login credentials and get access to customer’s private data. The data included name, date of birth, income data and social security numbers, 79 million customers were affected.[6] Similarly, in 2019, at the Idaho Blue Cross, there was a breach also caused by phishing that allowed hackers to gain access to customer data including patient names, account numbers and payment data, 55,000 members were affected.[7]

Related Professionalism CaseEdit

Dan Applegate was the director of product engineering for Convair jet planes. Applegate was aware of safety threats concerning the cargo door latching system, and expressed his concern for the planes safe operation. After management had failed to fix the problem, Applegate did not expose the company's awful decision. Applegate's failure to alert the public about the company's faulty plane permitted a fully boarded plane to crash outside of Paris, which killed 346 passengers on the flight. While aviation and cybersecurity are two seperate industries, both cases demonstrate corporate negligence. An uninvolved professional with unique experience in risk management and control objectives of technology was interviewed to explain the significance of Yardic's case. [8] He explained "Information is the most critical asset in healthcare today, and to keep it on systems that are not up to date and protected is negligent."[8] Yardic's decision to alert executives at BCBSA saved millions of people's sensitive medical data. He exemplified professionalism by putting the safety of others before his career.

Case ResultsEdit

Major results of this case include a new privacy protection law being proposed in Minnesota to prevent future breaches of sensitive data as well as corporate changes within BCBS to strengthen their system against future attacks. The governor of Minnesota, Tim Walz, has proposed that the Minnesota legislature adopt a uniform law on insurance privacy security.[9] This law was written by the National Association of Insurance Commissioners (NAIC) and has currently been adopted by eight states.[9] The goal is to have all states adopt this legislation so that sensitive patient information is protected uniformly across the nation. This law would enable the state Commerce Department to investigate breaches of patient information at insurance companies as well as require that insurance companies notify the state about breaches they find in their systems.[9] The end result will be better protected patient information systems due to increased accountability. Outside of pending legislation, BCBS has taken voluntary steps to improve their system’s integrity to prevent future embarrassing breaches of patient data.[10] This current breach was a result of failure to take the time needed to patch up the system. Now BCBS is dedicating time and resources to patching up those vulnerabilities in the system to prevent another breach, essentially doing what Yardic advised in the first place.[10] This new corporate strategy of taking system security more seriously should help ensure the integrity of sensitive patient data going forward.

ConclusionEdit

In conclusion, it can be seen that Blue Cross Blue Shield of Minnesota was negligent in refusing to patch up their network. They put profits above patient privacy in not dedicating the time and resources to fix the substantial vulnerabilities in their system as identified by Tom Yardic. Although hackers did illegally break into the BCBS system and unlawfully access privileged patient data, it is clear that insurance companies responsible for holding said patient data should be held accountable for its protection. Thus, the proposed law in Minnesota to ensure accountability of insurance companies through government oversight should be passed by the state legislature to reduce the risk of more sensitive patient data being breached. Also, all insurance companies should follow BCBS’s strategy in voluntarily improving their systems by investing more time in patching than they had previously done. Between the new proposed law and internal corporate changes, the state and private insurance companies will work in tandem to prevent future data breaches, thus protecting the privacy of the patients that the companies insure.

Unfortunately, there are many other instances of data breaches outside of the insurance world, some just as damaging as revealing private medical information. Oftentimes, like in the case of BCBS of Minnesota, warning signs are present and employees within the company blow the whistle to higher-ups about vulnerabilities in their system. All too often, these warnings go on deaf ears. Authors of future ethics cases should study similar whistleblowing cases outside the insurance industry, particularly in relation to data breaches. They should investigate the warning signs of vulnerabilities in the system before breaches actually occur and see if the breach should ultimately be found to have been due to the negligence of management and other responsible parties within the breached organization.

ReferencesEdit

  1. a b Blue Cross Blue Shield of Minnesota. (2021). Our story. https://www.bluecrossmn.com/about-us/our-story#:~:text=We%20are%20a%20nonprofit%20Minnesota,the%20lowest%20in%20the%20country.
  2. a b c Steve Alder (2019). Blue Cross Blue Shield of Minnesota Starts Correcting 200,000 Critical and Severe Vulnerabilities. https://www.hipaajournal.com/blue-cross-blue-shield-of-minnesota-starts-correcting-200000-critical-and-severe-vulnerabilities/.
  3. a b c d e Sarah Coble (2019). BBlueCross BlueShield Whistleblower Warns of Cybersecurity. Vulnerabilities. https://www.infosecurity-magazine.com/news/blue-cross-blue-shield/.
  4. Carlson, J. (2019, December 15). Minnesota Blue Cross scrambles to boost cyberdefenses. https://www.startribune.com/minnesota-blue-cross-scrambles-to-boost-cyber-defenses/566184041/?refresh=true
  5. EPIC (2017). Equifax Data Breach. https://epic.org/privacy/data-breach/equifax/
  6. California Department of Insurance (2015). Anthem Data Breach. https://www.insurance.ca.gov/0400-news/0100-press-releases/anthemcyberattack.cfm
  7. Davis, J. (2019, April 16). Hackers Breach Blue Cross of Idaho Provider Portal in Fraud Attempt. https://healthitsecurity.com/news/hackers-breach-blue-cross-of-idaho-provider-portal-in-fraud-attempt
  8. a b Bruce Sussman (2019). Cybersecurity Engineer Turns Whistleblower: What We Know Right Now. https://www.bluecrossmn.com/about-us/our-story#:~:text=We%20are%20a%20nonprofit%20Minnesota,the%20lowest%20in%20the%20country.
  9. a b c Carlson, J. (2019, December 20). New data-privacy law proposed for Minnesota insurers. Star Tribune. https://www.startribune.com/new-data-privacy-law-proposed-for-minnesota-insurers/566383512/
  10. a b McGee, M. (2019, December 16). Insurer Races to Fix Security Flaws After Whistleblower Alert. Bank Info Security. https://www.bankinfosecurity.com/insurer-races-to-fix-security-flaws-after-whistleblower-alert-a-13508