Risk
11/29/2010
10:39 AM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Healthcare Breach Highlights Need For More Security Insight

Triple-S Management, a managed care services provider in Puerto Rico, suffered a security breach that could have exposed the personal health care information of more than 400,000 customers.

Triple-S Management, a managed care services provider in Puerto Rico, suffered a security breach that could have exposed the personal health care information of more than 400,000 customers.According to a post filed at DataBreaches.net, the Puerto Rico Department of Health reported a security breach to Health and Human Services (HHS) that involved managed care firm Triple-S Management and an independent licensee of the Blue Cross and Blue Shield Association in Puerto Rico. The breach affected the protected health information, such as name, address, diagnosis, procedures, and other information on 400,000 patients.

Triple-S Management's 10-Q filing [.pdf] explains how the breach occurred:

Our investigation has revealed that the security breaches were the result of unauthorized use of one or more active user IDs and passwords specific to the TCI IPA database, and not the result of breaches of TSS's or the Corporation's system security features. We cannot at this time determine the purpose of these breaches and do not know the extent of any fraudulent use of the information or its impact on the potentially affected individuals and IPAs. We believe, however, that the most likely target was financial information related to IPAs rather than the individuals' information. During the course of our investigation we learned that there may have been improper uses of the IPA passwords by one or more consultants working for the IPAs. We have taken measures to strengthen the TCI server security and credentials management procedures, and are conducting an assessment of our system-wide data and facility security to prevent the occurrence of a similar incident in the future.

Yet another classic lesson on how important good identity and access management hygiene is. It's an old problem, and the remedy has been repeated many times: maintain tight control over user access rights, and when users change jobs or responsibilities make certain their electronic credentials change with the times.

While that will solve many problems that relate to similar breaches as these, the practice won't solve all of them, such as when insiders who have appropriate rights for their jobs - and then abuse those rights. That could had of been the case here, but it's not possible to tell form the information available. However, had security event and access information been correlated, it's makes it much lot easier to be able to spot abuses by insiders. If access information is correlated with a security event monitoring, for example, security managers can then spot troubling trends. They could include users accessing more information than usual, or perhaps from systems other than work. Such data doesn't tell one what the intent of the user may be, but it does suggest further investigation is advisable. And that just may be enough to stop such incidents from happening as often as they do.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-2977
Published: 2015-07-29
Webservice-DIC yoyaku_v41 allows remote attackers to create arbitrary files, and consequently execute arbitrary code, via unspecified vectors.

CVE-2015-2978
Published: 2015-07-29
Webservice-DIC yoyaku_v41 allows remote attackers to bypass authentication and complete a conference-room reservation via unspecified vectors, as demonstrated by an "unintentional reservation."

CVE-2015-2979
Published: 2015-07-29
Webservice-DIC yoyaku_v41 allows remote attackers to execute arbitrary OS commands via unspecified vectors.

CVE-2015-4286
Published: 2015-07-29
The web framework in Cisco UCS Central Software 1.3(0.99) allows remote attackers to read arbitrary files via a crafted HTTP request, aka Bug ID CSCuu41377.

CVE-2015-4290
Published: 2015-07-29
The kernel extension in Cisco AnyConnect Secure Mobility Client 4.0(2049) on OS X allows local users to cause a denial of service (panic) via vectors involving contiguous memory locations, aka Bug ID CSCut12255.

Dark Reading Radio
Archived Dark Reading Radio
What’s the future of the venerable firewall? We’ve invited two security industry leaders to make their case: Join us and bring your questions and opinions!