informa
4 min read
article

Healthcare Database Breach Brings User Account Management Practices Back Into Focus

User privilege problems plagued Puerto Rico-based managed healthcare provider, other organizations
A recent database breach that exposed the private healthcare records of more than 400,000 Puerto Rican residents yet again shines a stark light on the inadequate access management and account provisioning practices that leave databases exposed at so many organizations today.

The breach occurred this fall through the database systems of Triple-S Management, a Puerto Rico-based managed healthcare company. The account details of more than 400,000 were pored over by employees at a competitor organization, Medical Card System, who had somehow acquired active user ID and password combinations for Triple-S databases in order to gain unauthorized access.

"On September 21, 2010, we learned from a competitor that a specific internet database managed by our subsidiary TCI, containing information pertaining to individuals previously insured by TSS under the Government of Puerto Rico's Health Insurance Plan ("HIP") and to independent practice associations ("IPAs") that provided services to those individuals, had been accessed without authorization by certain of our competitor's employees. During the course of our investigation we learned that there may have been improper uses of the IPA passwords by one or more consultants working for the IPAs," Triple-S reported in a third-quarter SEC filing.

Account provisioning and access management problems have long plagued organizations seeking to keep their databases protected from improper and unauthorized access to data by parties such as malicious insiders. Unfortunately, even many organizations that do a good job of utilizing access management tools to provision most of their IT systems fail to include database accounts into that mix due to the complexity of integration and potential performance issues that can crop up as a result.

Provisioning database accounts is a manual practice at best, but usually the management of passwords and accounts is simply nonexistent.

"Problems like using commonly known shared passwords, never changing sensitive passwords, and allowing their employees to have too much access for too long to sensitive data with no accountability is the rule, rather than the exception," says Phil Lieberman, president and CEO of Lieberman Software.

According to a recent survey conducted by Enterprise Strategy Group, 60 percent of organizations scan databases only once per quarter -- or more infrequently -- for anomalies in privileges. So it's no surprise when organizations such as Triple-S are hit by data breaches that don't require complicated hacks, SQL injection attacks, or password-stealing Trojans. Instead, all that's needed is for an ex-employee to keep using the same credentials he has always had and that have not been changed, or to know about a set of default credentials that remain unchanged year-in and year-out.

There have been plenty of examples of comparable breaches during the past couple of years. For example, in January financial services firm Lincoln National Corp. announced the exposure of 1.2 million customers due to poor password management and credential sharing. At Lincoln, some shared passwords were used for as long as seven years. The only reason the security problems were exposed was through the action of an anonymous whistleblower who sent Financial Industry Regulatory Authority (FINRA) a username and password combo that gave access to the portfolio.

And in May, a federal grand jury indicted a terminated IT employee of the Transportation Security Administration (TSA) for using credentials after his firing to access a system and allegedly place malcode into a server containing data from the former terrorism database he was charged with administering in an intentional attempt to cause damage to the computer and database.

Similarly, last year Steven Jinwoo Kim was convicted of remotely gaining access to databases owned by his former employer, GEXA Energy, three months after leaving his position and intentionally causing damage to that production Oracle system.

Lieberman says the former cases especially show how important it is to closely manage DBA accounts. While DBAs are usually loathe to accept such accountability, security professionals need to do something other than follow the "just trust us" security model. "The takeaway from all this is if that DBA account is never changed and people come and go from the company, is that really smart to do?" he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.