Mike Baker reports:
Three weeks before hackers infiltrated Premera Blue Cross, federal auditors warned the company that its network-security procedures were inadequate.
Officials gave 10 recommendations for Premera to fix problems, saying some of the vulnerabilities could be exploited by hackers and expose sensitive information. Premera received the audit findings April 18 last year, according to federal records.
Read more on Seattle Times.
I’m waiting for someone to discuss whether, if OCR had been more actively auditing covered entities, the Anthem and Premera breaches would have occurred.
It boils down to the technique the hackers actually used to get into the system.
I work in Information Assurance (IA) and Network Security. I don’t know what these security individuals do all day long at their offices. Three weeks is not a long time at all to try and correct any issues with devices that are on “live networks”. With most of them, you cannot simply make a few changes, reboot and see if they took correctly.
Of course, this doesn’t excuse them for ignoring the security issues in the first place.
The IT shop, or someone in IA, should perform regular vulnerability scans for issues concerning patches. It becomes a bit of a mess when you’re looking for vulnerabilities while scanning against SQL-style attacks and avenues. Some of these attacks can be quite aggressive and may take down parts of the network. Sure, all vulnerability scanning can be planned and not performed during peak hours. If staff is clueless on how to perform these actions, a 3rd party auditor can come in and perform the scans. Most scan results should provide steps for mitigating or correcting any issues. Also, Google is a powerful search tool for finding ways to correct any issues – as long as you use reliable sources.
As far as any auditing agencies involved, I do not know how many different entities, in total, have to be checked. There are many huge, big and small health care businesses out there. All are probably subject to the same basic compliance testing, and all probably go through some sort of certification. The problem is, schedules are always changing, audits take longer, entities get rescheduled or otherwise.
So in a nutshell, if there is a skeletal compliance schedule out there, it’s probably riddled with holes. Understaffed and potentially undermanned, it tries to rely on 3rd party scans and the “good word of the corporation” that all is well. Many of the “O’s” probably do not realize when they lose a key player who used to keep the compliance up to snuff. They leave, responsibilities shift and some eventually fall through the cracks.
Everyone dreads audits; they are painful. Though the information is out there, some of the paperwork they use is simply poorly worded, and the reasoning why the setting needs to be accomplished should simply be left blank. The reasons are cut and pasted from other online documents and make no sense whatsoever. Add in the fact of a staff that’s probably underpaid, overworked and stressed. A person in that scenario will probably pick the paperwork up, get through a few steps before the BS meter gets pegged and the book is dropped. Time passes, new issues arise and old ones get noticed by outside entities.
If patch management and software management are not in place and done on a regular basis, this is a big deal. It shows lack of due care and due diligence. If they considered the information they are storing on these servers “private”, they would be keeping up on what is used and what is not. Any antiquated software should have been removed, or, worst case, take the entire server off the network or put protections in place (whitelists/blacklists) to keep unauthorized personnel from even seeing it. Again, if they don’t give a crap about the computers and data around them, they sure as hell don’t care about the customers’ data either, no matter what hype they come up with in the end.
The bottom line is, the companies that crow “we take the privacy of your information seriously” are only doing so after the fact. After a breach, leak, insider threat or otherwise, they are under the microscope and have to shift their lives out of the social sites and into work once more. Attention to detail has gone to hell in a handbasket over the last 5-10 years. There are some organizations that are still doing it right, and they too may be at risk, due to a simple password reuse by an employee who has elevated rights.
The best part of the report was “Nothing came to our attention to indicate that Premera does not have an adequate security program.”
Here’s one: You found several serious weaknesses. Duh. And that was before they got hacked. That was as priceless a statement as Heartland Payment Systems getting hacked in the middle of their PCI assessment and then passing their assessment as compliant.
Paperwork being in order never stopped a breach. If a federal regulator finds something, you can rest assured that reality is ten times or a hundred times worse.