Risk
11/29/2010
10:39 AM
George V. Hulme
George V. Hulme
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Healthcare Breach Highlights Need For More Security Insight

Triple-S Management, a managed care services provider in Puerto Rico, suffered a security breach that could have exposed the personal health care information of more than 400,000 customers.

Triple-S Management, a managed care services provider in Puerto Rico, suffered a security breach that could have exposed the personal health care information of more than 400,000 customers.According to a post filed at DataBreaches.net, the Puerto Rico Department of Health reported a security breach to Health and Human Services (HHS) that involved managed care firm Triple-S Management and an independent licensee of the Blue Cross and Blue Shield Association in Puerto Rico. The breach affected the protected health information, such as name, address, diagnosis, procedures, and other information on 400,000 patients.

Triple-S Management's 10-Q filing [.pdf] explains how the breach occurred:

Our investigation has revealed that the security breaches were the result of unauthorized use of one or more active user IDs and passwords specific to the TCI IPA database, and not the result of breaches of TSS's or the Corporation's system security features. We cannot at this time determine the purpose of these breaches and do not know the extent of any fraudulent use of the information or its impact on the potentially affected individuals and IPAs. We believe, however, that the most likely target was financial information related to IPAs rather than the individuals' information. During the course of our investigation we learned that there may have been improper uses of the IPA passwords by one or more consultants working for the IPAs. We have taken measures to strengthen the TCI server security and credentials management procedures, and are conducting an assessment of our system-wide data and facility security to prevent the occurrence of a similar incident in the future.

Yet another classic lesson on how important good identity and access management hygiene is. It's an old problem, and the remedy has been repeated many times: maintain tight control over user access rights, and when users change jobs or responsibilities make certain their electronic credentials change with the times.

While that will solve many problems that relate to similar breaches as these, the practice won't solve all of them, such as when insiders who have appropriate rights for their jobs - and then abuse those rights. That could had of been the case here, but it's not possible to tell form the information available. However, had security event and access information been correlated, it's makes it much lot easier to be able to spot abuses by insiders. If access information is correlated with a security event monitoring, for example, security managers can then spot troubling trends. They could include users accessing more information than usual, or perhaps from systems other than work. Such data doesn't tell one what the intent of the user may be, but it does suggest further investigation is advisable. And that just may be enough to stop such incidents from happening as often as they do.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4973
Published: 2014-09-23
The ESET Personal Firewall NDIS filter (EpFwNdis.sys) driver in the Firewall Module Build 1183 (20140214) and earlier in ESET Smart Security and ESET Endpoint Security products 5.0 through 7.0 allows local users to gain privileges via a crafted argument to a 0x830020CC IOCTL call.

CVE-2014-5392
Published: 2014-09-23
XML External Entity (XXE) vulnerability in JobScheduler before 1.6.4246 and 7.x before 1.7.4241 allows remote attackers to cause a denial of service and read arbitrary files or directories via a request containing an XML external entity declaration in conjunction with an entity reference.

CVE-2014-6646
Published: 2014-09-23
The bellyhoodcom (aka com.tapatalk.bellyhoodcom) application 3.4.23 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6647
Published: 2014-09-23
The ElForro.com (aka com.tapatalk.elforrocom) application 2.4.3.10 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6648
Published: 2014-09-23
The iPhone4.TW (aka com.tapatalk.iPhone4TWforums) application 3.3.20 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Best of the Web
Dark Reading Radio