BreachExchange mailing list archives

The OPM and UCLA breaches: 5 lessons learned


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 24 Sep 2015 18:41:10 -0600

http://www.beckershospitalreview.com/healthcare-information-technology/the-opm-and-ucla-breaches-5-lessons-learned.html

In April 2015, officials at the United States Government's Office of
Personnel Management (OPM) discovered that their computer systems had been
systematically compromised.

The criminals stole more than 20 million individual records, including
demographics, social security numbers, addresses, and fingerprints.
Recovery – if it is even possible – will be prolonged and extensive, and
would be ruinous to any organization smaller than the federal government.

In July 2015, just as the initial OPM uproar was subsiding, UCLA Health
(UCLA) announced that their internal networks had been compromised and up
to 4.5 million patients' data may have been affected. UCLA called it a
"criminal cyber attack" and has said there is no specific evidence that
records were actually accessed. The echoes of the OPM breach are notable:
prolonged access by unknown actors, large data sets exposed to copying and
manipulation, and red-faced administrators forced to publicly admit failure.

On the heels of these security breaches came an avalanche of reports
highlighting the issues that may have led to the breaches and disclosing
largely ignored audit findings that, if addressed properly, might have
mitigated or entirely prevented the losses. These key lessons provide
valuable insight to health systems trying to improve their security.

Lesson 1: It can happen to you.
Security compromise can happen to anyone. All it takes is a sense of
invulnerability, a belief that it's all covered, and a willingness to let
expediency rule common-sense security practices. Every health system should
carefully review their operations to look for risk factors. Outsourced
administration? Poor credential management? Too many people with too much
access? Not enough attention to logs? No defense in depth? Any of these
opens a hole. Too many of these pave the way to security disaster.

Lesson 2: Systems fail at their weak points, not their strong points.
Contrary to Hollywood legends, security breaches aren't usually done by
sophisticated hackers cracking the latest encryption, reading signals from
remote locations, or breaking biometric authentication. Often critical
systems are entered and sensitive data is stolen very simply, through
compromised user credentials or stolen computers. No technology makes
breaches "impossible": even if the technology works exactly as advertised
it closes a single hole, and often not a particularly important one.
Security efforts must uncover the weak points, starting with the most
likely ones, not the easiest to close. Once found, weak points must be
rapidly secured and the search must continue.

Lesson 3: The weakest IT security point in any organization is the
authorized user.
In a typical large healthcare organization, thousands of users have access
to medical records and of those, dozens have access to critical data. Any
user can be the deliberate or inadvertent point of entry for a breach. For
example, of the 16 data breaches publicly penalized in California in the
first half of 2015, eleven involved deliberate user mis-use of EHR data.
This appears to be consistent with other breach reports across the country:
it is the user, not the hacker, to fear. People with valid user credentials
are already inside the system, in an ideal place to steal or alter data.
Obtaining those credentials is often a matter of stealing a badge, a user
name, a password, or a PIN. Any system must, while allowing normal use,
allow for the probability that trusted credentials may be used with malign
intent. And in today's highly networked healthcare world, the challenges
multiply: vendors, contractors, and remote workers all present special
management concerns.

Lesson 4: Defense in depth – prevention and detection – is crucial.
The OPM had a hardened perimeter, with multiple levels of access control.
Once inside the OPM network, however, controls and security were much
weaker than at the public interfaces. The crucial lesson for health care is
this: convenience always creates risk. Prevention doesn't stop when a user
provides a password. Single sign-on is a great thing, but each new level of
access (and especially unusual access like bulk data extraction) must
require a new level of authentication.

Active management in this area is vital. Detection of anomalous access is
just as important as prevention. UCLA, in stark contrast to the OPM, may
have prevented a great deal of damage in this way. Intrusion detection is
challenging, because a huge number of benign events must be filtered to
find a small signal of hostile intent. But with appropriate monitoring,
triage, and rapid response, a strong IT organization can manage a great
deal.
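The two ideas in Lessons 3 and 4 above – that a valid credential is exactly what an insider or a thief of credentials will use, and that bulk extraction should stand out from the noise of routine chart access and should demand a fresh authentication step – are easier to act on with a concrete shape in front of you. The Python below is an added example, not code from the article, OPM or UCLA: it runs a burst-of-distinct-charts detector over constructed audit-log lines and shows a step-up authorization rule for bulk export. The log line format (ISO timestamp, user, action, patient id), the 10-minute window, the 50-chart threshold and the 25-record export limit are all assumptions chosen for illustration.

```python
"""Burst-of-distinct-records detector over constructed EHR audit-log lines.

Added example, not code from the article or from OPM/UCLA. The log format,
window, thresholds and user names are assumptions for illustration only.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines (not real data). "asmith" looks like a clinician
# on a normal shift; "bjones" re-opens one chart sixty times (noisy but
# benign); "jdoe" sweeps 300 distinct charts in five minutes, the
# bulk-extraction pattern Lesson 4 says should be treated as a separate,
# higher-risk action even though the session credentials are valid.
SAMPLE_LOG = (
    [f"2015-07-01T08:{m:02d}:00 asmith VIEW P10{m:02d}" for m in (2, 15, 31, 44, 58)]
    + [f"2015-07-01T08:10:{i:02d} bjones VIEW P2000" for i in range(60)]
    + [f"2015-07-01T09:{i // 60:02d}:{i % 60:02d} jdoe VIEW P{3000 + i}"
       for i in range(300)]
)


def parse_line(line):
    """Split one assumed-format audit line into (timestamp, user, action, patient)."""
    ts, user, action, patient = line.split()
    return datetime.fromisoformat(ts), user, action, patient


def max_distinct_in_window(events, window_seconds):
    """Peak number of distinct patients touched within any window_seconds span.

    events: list of (datetime, patient_id) sorted by time. A two-pointer
    sweep with a Counter keeps the work linear in the number of events.
    """
    counts = Counter()
    best = 0
    left = 0
    for ts, patient in events:
        counts[patient] += 1
        while (ts - events[left][0]).total_seconds() > window_seconds:
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def detect_bulk_access(lines, window_seconds=600, threshold=50):
    """Return {user: peak distinct charts} for users exceeding the threshold.

    Counting distinct charts rather than raw events is what separates a
    record sweep from a clinician who keeps reloading one busy patient.
    """
    per_user = defaultdict(list)
    for line in lines:
        ts, user, action, patient = parse_line(line)
        if action not in ("VIEW", "EXPORT"):   # only record reads count
            continue
        per_user[user].append((ts, patient))
    flagged = {}
    for user, events in per_user.items():
        events.sort()
        peak = max_distinct_in_window(events, window_seconds)
        if peak >= threshold:
            flagged[user] = peak
    return flagged


def authorize_export(n_records, second_factor_verified, bulk_limit=25):
    """Step-up rule from Lesson 4: a valid single-sign-on session is enough
    for routine access, but exporting more than bulk_limit records requires
    a freshly verified second factor regardless of who holds the session."""
    if n_records <= bulk_limit:
        return True
    return bool(second_factor_verified)


if __name__ == "__main__":
    for user, peak in detect_bulk_access(SAMPLE_LOG).items():
        print(f"ALERT {user}: {peak} distinct charts in a 10-minute window")
    print("export of 300 records without 2FA allowed:",
          authorize_export(300, second_factor_verified=False))
```

Only jdoe is reported; bjones generates more raw events per minute than asmith ever does, but touches a single chart, which is why the detector keys on distinct records. In practice the threshold would be set per role from observed baselines, and the alert would feed the triage-and-response loop the paragraph above describes rather than block the session outright.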

Lesson 5: Common sense is the best defense.
The OPM and UCLA breaches – and myriad others – remind us that risk is
everywhere. Since fully mitigating risk is not possible, and making
technology hugely inconvenient is not an option, common-sense policies for
managing security are needed. These defense strategies include:
• Requiring that systems be kept at the latest patch level;
• Granting the minimum necessary access, revoking access when the need
ends, and monitoring the use of access;
• Making access convenient enough to discourage security-breaching
workarounds (such as written-down passwords);
• Installing and maintaining systems that are engineered for security;
• Conducting regular audits and security reviews, and responding promptly
to the issues they identify.

Health systems have been offered valuable lessons in the OPM and UCLA
Health breaches. Now, the challenge is to learn from them.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/