Risk
11/29/2010
10:39 AM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Healthcare Breach Highlights Need For More Security Insight

Triple-S Management, a managed care services provider in Puerto Rico, suffered a security breach that could have exposed the personal health care information of more than 400,000 customers.

Triple-S Management, a managed care services provider in Puerto Rico, suffered a security breach that could have exposed the personal health care information of more than 400,000 customers.According to a post filed at DataBreaches.net, the Puerto Rico Department of Health reported a security breach to Health and Human Services (HHS) that involved managed care firm Triple-S Management and an independent licensee of the Blue Cross and Blue Shield Association in Puerto Rico. The breach affected the protected health information, such as name, address, diagnosis, procedures, and other information on 400,000 patients.

Triple-S Management's 10-Q filing [.pdf] explains how the breach occurred:

Our investigation has revealed that the security breaches were the result of unauthorized use of one or more active user IDs and passwords specific to the TCI IPA database, and not the result of breaches of TSS's or the Corporation's system security features. We cannot at this time determine the purpose of these breaches and do not know the extent of any fraudulent use of the information or its impact on the potentially affected individuals and IPAs. We believe, however, that the most likely target was financial information related to IPAs rather than the individuals' information. During the course of our investigation we learned that there may have been improper uses of the IPA passwords by one or more consultants working for the IPAs. We have taken measures to strengthen the TCI server security and credentials management procedures, and are conducting an assessment of our system-wide data and facility security to prevent the occurrence of a similar incident in the future.

Yet another classic lesson on how important good identity and access management hygiene is. It's an old problem, and the remedy has been repeated many times: maintain tight control over user access rights, and when users change jobs or responsibilities make certain their electronic credentials change with the times.

While that will solve many problems that relate to similar breaches as these, the practice won't solve all of them, such as when insiders who have appropriate rights for their jobs - and then abuse those rights. That could had of been the case here, but it's not possible to tell form the information available. However, had security event and access information been correlated, it's makes it much lot easier to be able to spot abuses by insiders. If access information is correlated with a security event monitoring, for example, security managers can then spot troubling trends. They could include users accessing more information than usual, or perhaps from systems other than work. Such data doesn't tell one what the intent of the user may be, but it does suggest further investigation is advisable. And that just may be enough to stop such incidents from happening as often as they do.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8142
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.