Risk
11/29/2010
10:39 AM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Healthcare Breach Highlights Need For More Security Insight

Triple-S Management, a managed care services provider in Puerto Rico, suffered a security breach that could have exposed the personal health care information of more than 400,000 customers.

Triple-S Management, a managed care services provider in Puerto Rico, suffered a security breach that could have exposed the personal health care information of more than 400,000 customers.According to a post filed at DataBreaches.net, the Puerto Rico Department of Health reported a security breach to Health and Human Services (HHS) that involved managed care firm Triple-S Management and an independent licensee of the Blue Cross and Blue Shield Association in Puerto Rico. The breach affected the protected health information, such as name, address, diagnosis, procedures, and other information on 400,000 patients.

Triple-S Management's 10-Q filing [.pdf] explains how the breach occurred:

Our investigation has revealed that the security breaches were the result of unauthorized use of one or more active user IDs and passwords specific to the TCI IPA database, and not the result of breaches of TSS's or the Corporation's system security features. We cannot at this time determine the purpose of these breaches and do not know the extent of any fraudulent use of the information or its impact on the potentially affected individuals and IPAs. We believe, however, that the most likely target was financial information related to IPAs rather than the individuals' information. During the course of our investigation we learned that there may have been improper uses of the IPA passwords by one or more consultants working for the IPAs. We have taken measures to strengthen the TCI server security and credentials management procedures, and are conducting an assessment of our system-wide data and facility security to prevent the occurrence of a similar incident in the future.

Yet another classic lesson on how important good identity and access management hygiene is. It's an old problem, and the remedy has been repeated many times: maintain tight control over user access rights, and when users change jobs or responsibilities make certain their electronic credentials change with the times.

While that will solve many problems that relate to similar breaches as these, the practice won't solve all of them, such as when insiders who have appropriate rights for their jobs - and then abuse those rights. That could had of been the case here, but it's not possible to tell form the information available. However, had security event and access information been correlated, it's makes it much lot easier to be able to spot abuses by insiders. If access information is correlated with a security event monitoring, for example, security managers can then spot troubling trends. They could include users accessing more information than usual, or perhaps from systems other than work. Such data doesn't tell one what the intent of the user may be, but it does suggest further investigation is advisable. And that just may be enough to stop such incidents from happening as often as they do.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-0750
Published: 2015-05-22
The administrative web interface in Cisco Hosted Collaboration Solution (HCS) 10.6(1) and earlier allows remote authenticated users to execute arbitrary commands via crafted input to unspecified fields, aka Bug ID CSCut02786.

CVE-2012-1978
Published: 2015-05-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Simple PHP Agenda 2.2.8 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) add an administrator via a request to auth/process.php, (2) delete an administrator via a request to auth/admi...

CVE-2015-0741
Published: 2015-05-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Cisco Prime Central for Hosted Collaboration Solution (PC4HCS) 10.6(1) and earlier allow remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCut04596.

CVE-2015-0742
Published: 2015-05-21
The Protocol Independent Multicast (PIM) application in Cisco Adaptive Security Appliance (ASA) Software 9.2(0.0), 9.2(0.104), 9.2(3.1), 9.2(3.4), 9.3(1.105), 9.3(2.100), 9.4(0.115), 100.13(0.21), 100.13(20.3), 100.13(21.9), and 100.14(1.1) does not properly implement multicast-forwarding registrati...

CVE-2015-0746
Published: 2015-05-21
The REST API in Cisco Access Control Server (ACS) 5.5(0.46.2) allows remote attackers to cause a denial of service (API outage) by sending many requests, aka Bug ID CSCut62022.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.