Bad news from Utah: Health records breach is much, much larger than initial reports

April 10, 2012

Posted in: Network Security Trends

A serious breach of health records in Utah — the largest health information breach since breach notification became required under HIPAA in 2009 — may have slipped under your radar amid the news of Anonymous’ latest DDoS attacks, the Flashback Trojan that infected 600,000 Macs and the Global Payments breach involving as many as 1.5 million credit card numbers.

Last week, the state Department of Health said 24,000 files of claims data from Medicaid clients and Children’s Health Insurance Plan recipients had been stolen, containing information that included 25,000 Social Security numbers. This week, the department revealed that the breach, bad enough as first described, was much worse than it thought: information on at least 780,000 patients has been compromised, including 280,000 Social Security numbers.

This is a serious breach. Perhaps “Utah” doesn’t resonate with the same vibe as Anonymous and 10 Downing Street or a credit card payments processor, but we’re looking at the theft of a lot of personally identifiable information, including SSNs, billing codes, physicians’ names and tax ID numbers. That is plenty of raw material for cyber criminals attempting to defraud these hundreds of thousands of victims.

The first quick takeaway: don’t make public statements about the extent of a security breach until you have a reasonable handle on it. The first statements were that 24,000 claims had been stolen. That was overly hasty, and was revised to 24,000 files including records of 182,000 people, before the count rose again. This kind of haste to reassure people, even if well-intentioned, is counter-productive and gives the appearance of being overly concerned with PR and damage control.

State officials were actually relatively forthcoming about how the attackers got into the compromised server. The Department of Health said that a configuration error in the server’s authentication system gave the attackers their way in. In a statement, officials said this was a failure of normal procedure and that servers have multilayer protection, including “perimeter security, network security, identity management, application security, and data security.”

Of course, these terms can describe a wide range of weak-to-strong security controls; there are layers, and then there are layers. Perimeter security can mean “we have a firewall.” Identity management can mean Active Directory and passwords.

The real question is how strong the data protection policies and controls actually are. If remediation focuses entirely on shoring up the lapse that created this particular configuration error, the department may be signing up for the next breach. Among the important questions:

  • Is strong authentication in place for individuals and applications appropriate to the sensitivity of the data?

  • Does identity management include role-based access control, especially pertaining to privileged accounts?

  • Is there granular separation of duties, so that access to systems and data is on a need-only basis?

  • Do multiple individuals and/or applications share authentication credentials (ouch)?

  • Is sensitive data encrypted and are the keys securely managed?

  • Are network activity monitoring and data leakage prevention in place to help detect malicious activity on the network?

  • How long did the breach go undetected, how was it detected (internally, or by third parties, as is typical) and are they sure this was the only server breached?
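To make two of those questions concrete, the following is an added example (not code from the original post, and not anything the Utah Department of Health has described running): a small detection pass over constructed application access logs for a hypothetical claims-data server. It flags the two symptoms that monitoring should have surfaced here, an account pulling far more patient records in an hour than any legitimate user would, and a single account used from several source addresses at once, which is what a shared or stolen credential looks like. The log format, account names, IP addresses and thresholds are all assumptions chosen for the illustration.

```python
"""Added example, not from the original post: detection logic for bulk record
access and shared-credential use, run over constructed claims-server logs.
Field layout, names and thresholds are assumptions, not anything reported
about the Utah breach."""
from collections import defaultdict
from datetime import datetime

# Assumed tuning: no legitimate user touches this many patient records per
# hour, and one account seen from this many hosts in an hour needs review.
RECORDS_PER_HOUR = 1000
DISTINCT_IPS_PER_HOUR = 2

# Constructed sample log (not real data). Assumed format, one event per line:
#   <ISO timestamp> <account> <source IP> <action> <patient records returned>
SAMPLE_LOG = """\
2012-03-30T08:01:12 jsmith 10.20.1.15 QUERY 3
2012-03-30T08:02:40 jsmith 10.20.1.15 QUERY 1
2012-03-30T08:05:02 svc_claims 10.20.5.7 QUERY 40
2012-03-30T08:05:31 svc_claims 10.20.5.8 QUERY 35
2012-03-30T08:06:10 svc_claims 203.0.113.44 QUERY 25000
2012-03-30T08:07:55 svc_claims 203.0.113.44 EXPORT 250000
2012-03-30T08:09:03 mlee 10.20.1.31 QUERY 2
"""


def parse_log(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, account, ip, action, records = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "account": account,
            "ip": ip,
            "action": action,
            "records": int(records),
        })
    return events


def bucket_by_account_hour(events):
    """Aggregate record counts and distinct source IPs per (account, hour)."""
    buckets = defaultdict(lambda: {"records": 0, "ips": set()})
    for e in events:
        key = (e["account"], e["ts"].strftime("%Y-%m-%dT%H"))
        buckets[key]["records"] += e["records"]
        buckets[key]["ips"].add(e["ip"])
    return buckets


def detect(events):
    """Return (kind, account, hour, value) alerts, ordered by account and hour."""
    alerts = []
    for (account, hour), b in sorted(bucket_by_account_hour(events).items()):
        # Bulk access: far more patient records than a human workflow needs.
        if b["records"] > RECORDS_PER_HOUR:
            alerts.append(("bulk_access", account, hour, b["records"]))
        # Shared credential: one account active from several hosts in the
        # same hour. A service account used by a cluster will trip this too,
        # which is exactly the "do applications share credentials" question.
        if len(b["ips"]) >= DISTINCT_IPS_PER_HOUR:
            alerts.append(("shared_credential", account, hour, len(b["ips"])))
    return alerts


def analyze(text):
    """Parse and run detection over a log text in the assumed format."""
    return detect(parse_log(text))


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```

On the constructed log this raises two alerts, both for `svc_claims`: a bulk-access alert for 275,075 records in the 08:00 hour and a shared-credential alert for three distinct source addresses. Two ordinary user accounts pulling a handful of records each raise nothing. The thresholds are the tuning knob; the point is that a breach of hundreds of thousands of records produces a volume signal that hourly aggregation by account catches even without signatures.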
