back to article Premera healthcare: US govt security audit gave hacked biz thumbs up

Serious doubt has been cast on the US government's data security regulations after Premera Blue Cross was declared secure by Uncle Sam – just months before the healthcare giant was ransacked for financial and medical information by hackers. The biz underwent a computer security audit by a federal watchdog in January 2014, was …

  1. Stevie

    Bah!

    I can't swear to it, and I plan to go and research it a bit more on my commute home, but I believe HIPAA is more about who people who have your medical information give it to than how cleverly they stop people breaking in and taking it.

    I realize that that is to IT people tantamount to the same thing, but HIPAA's focus, I think, is more on the social engineering of access to the paperwork than nailing shut the electronic catflap some dimwit left in some piece of code [cough]Adobe[/cough].

    As for the audit, it reads to me like items ticked off a script. The last time I saw an audit like this done it was performed by accountants, not IT bods. And the firm sent entry-level new hires to do the audit because everyone else was too busy with more important clients. Among the howlers in the suggested practices was the access list for the computer room that forbade entry to the DBAs but granted it to *any* employee of the auditing firm, including the tea boy, without question.

    1. Ian Michael Gumby

      Re: Bah!

      There's more to HIPPA just like there's the PCI compliance that all financial institutions have to deal with.

    2. Eric Olson

      Re: Bah!

      HIPAA covers how Protected Health Information that is identifiable can be accessed be people. Because of changes to technology in the last 20 years, the enforcement of HIPAA has been extended to include information security.

      Having working in healthcare previously, I can attest to the rectal probing that an audit should bring when done with actual compliance in mind. Generally, even automated or transactional accesses to PHI was logged and justified. Since it extended to automated processes, just having a generic "SysUser" account for any and all applications that might access the data was not cool, so a unique identifier was required.

      We were often asked to "Give me all you've got," by incoming systems and we had to get them to outline the exact data they needed, what it was needed for, and what, if any, was going to persist in their system. Even if they persisted none of it, however, there was a conversation way above my pay grade that often resulted in a much reduced field count and/or without any kind of the forbidden identifiers.

      I'd heard that others around us were similar, though that might have been because healthcare is a rather important field in my geographical location, so there is a lot of poaching... err, cross-pollination of ideas, so it wouldn't surprise me to learn that through sheer luck, the healthcare companies in my neck of the woods are a bit stronger... but I'll probably see a local company hacked in tomorrow's paper just to make an idiot of me.

      As far as the "seal of approval" from the OPM, I think they only are really concerned about the security of federal employee data... and it wouldn't surprise me if such data was kept sequestered from the other information to please government auditors. Where I was, the PHI of Medicare, Medicaid, Military, and Federal Employees were kept separate from other clients and had tighter control as the government had standards in excess of what was required by law, while the other clients were more concerned about NDAs, IP, and trade secrets (which they often considered things like benefits to be). So at Premera, don't be surprised if few, if any, people associated to a federal contract were compromised.

      1. Stevie

        Re: Bah!

        IMG, EO, I'm happy to stand corrected, and bow to your superior knowledge of the HIPPA law.

  2. James 51

    In cases like this companies need to have their feet held to the fire otherwise nothing will change. Who ever designed the security accreditation they got needs to go over what happened and make some serious changes otherwise it isn't worth anything. Aren't these people suppose to be professionals?

    1. ecofeco Silver badge

      BOFH is real. Most folks I know in IT are trying like hell to make things right and their managers are trying like hell to fuck it all up.

      Don't even get me started about internal politics and how many upper level execs will gladly throw everyone to the wolves to get their way.

      1. Mark 85 Silver badge

        Don't even get me started about internal politics and how many upper level execs will gladly throw everyone to the wolves to get their way AND THEIR BONUSES,

        FTFY

      2. codejunky Silver badge

        @ ecofeco

        "BOFH is real. Most folks I know in IT are trying like hell to make things right and their managers are trying like hell to fuck it all up."

        Well said. it is the government security audit that needs holding over the fire as they are the boot to kick management into minimum best practice. If the gov audit isnt up to scratch then it is a non-job exercise and tax grab with compliance costs.

  3. Anonymous Coward
    Paris Hilton

    "electronic catflap"

    Has got to go into the IT industry's dictionary somewhere. Also, it can go into the IT thesaurus for use by the NSA and other security services when they need a euphemism for "backdoor".

    And my experience with HIPAA audits is that it does look at A) software patches/versions and physician access B) which employee/employee types should have access to personal health information and C) training those who have access to PHI to not spread it around, but it doesn't really look at network settings, endpoint access, guest/contractor access to the network, firewall layering/settings or broader corporate end-user security training.

    For all we know, some pretty blonde cozied up to a Premera sysadmin at a local bar, boozed him up a little and purred his admin login out of him.

    (Kind of bi-polar post defies easy icon choice, so I'll punt and go with the easy-on-the-eyes Ms. Hilton)

  4. Mark 85 Silver badge

    Lax US Security Rules????

    Given that much of the US government has IT security rules and their systems are insecure by most standards (the Hillary Clinton email issue brought this out), their rules don't mean much.

    A HIPAA audit in IT only looks at the paper trial. IT is supposed to be audited by a 3-rd party and even then, no down and dirty penetration testing is done and no one ever checks the servers for patches, etc. They only check the paperwork that things have been done.

    HIPPA is more about the physical security... are papers properly shredded, does customer service as customers for their ID's, etc. and not assume the caller is "Joe Blow" without asking some questions. Some of it is the illusion of PHI security such as the line on floor in lobby areas, etc. so supposedly, no one else can hear names, account numbers, etc. which is joke when some mostly deaf pensioner is screaming at the receptionist and she/he at them.

    HIPAA is much like some of the other things in government like "Homeland Security"... mostly to make everyone feel safe and secure. If they ever implement penetration testing, things might change. But with the lobby money pointed at Congress, I doubt that will ever happen.

    1. elDog

      Re: Lax US Security Rules????

      Kaplow! You nailed it.

      Our current government, especially congress, is totally uninterested in impeding the free flow of capitalism. Don't let regulations and audits get in the way. After all, we're encouraging the rest of the world to be as corrupt and capitalistic as we are (steal from the people, deliver to the crooks)!

      1. codejunky Silver badge

        Re: Lax US Security Rules????

        @ elDog

        "Our current government, especially congress, is totally uninterested in impeding the free flow of capitalism."

        The thing that pays our wages, the thing that pays for (mostly) the expanding and extensive government and vast interference that has already spent that money and a great deal of future money not yet raised through capitalism? Capitalism, the thing that causes greater employment, greater prosperity and reduces inequality. Why would we want that impeding?

        "Don't let regulations and audits get in the way"

        But it did. How much does it cost to comply with their rules? How much does it cost the poor in tax's to pay for the people and bureaucracy that makes up this audit? And the complaint seems to be how the security audit didnt pick up on security problems, even though it still gets in the way.

        "After all, we're encouraging the rest of the world to be as corrupt and capitalistic as we are (steal from the people, deliver to the crooks)!"

        When someone comes out with this I wonder why they dont move to a beautiful socialist paradise like North Korea. When people choose to spend the money and choose the provider that is capitalism. The steal from the people describes tax. You talk of crooks and who would argue against that description of gov? There are some bad eggs out there, that is what regulations are needed for. But if you think your gov is not stealing and not a crook then wow, sucker of the year.

    2. Eric Olson

      Re: Lax US Security Rules????

      HIPAA was updated with the ACA (I think) to extend the same protections on physical data to electronic health records. How every company implements those requirements, or if they've decided that a claim filed through a provider portal should have the same level of security as one sent via fax probably varies much more than necessary. To me, it's logical that an electronic claim is protected the same way a paper claim is, especially since even before electronic claims became a thing, those paper claims were often entered into some green-text "UI" that used keystrokes and Function keys to navigate (I noticed those still existed in 2014).

      The reality is that the OPM's audit was likely more concerned about the protection of the federal employees then the overall security of the system. And as many federal contracts demand security that is in excess of the legal requirements, companies often maintain separate datastores, user tables, and even applications to deal with those requirements. One the other side, non-governmental clients worry about things like the company logo is scaling properly, the exact color hex codes are used for the portal, and that their employees are being served an HR-approved message on some tertiary screen that is only accessed during 0.1% of all portal sessions, likely the HR bod worried about the messaging.

    3. Tom 13

      Re: Lax US Security Rules????

      Yes and no. As always how it gets implemented in a particular office often has more to do with the people implementing it.

      Technically I haven't worked in such an environment myself (although God knows why given some of the data a company I use to work for analyzed*), but for two years I had a boss who had. There's an IT end to it that in theory is every bit as important as the physical end of it. She had the processed nailed down hard, and tried to adopt as much of it as she could to our environment on the basis that most of it is actually bog standard horse sense.

      *Yeah, it was insurance and hospital data. But because we were working under the auspices of Congress instead of actually being the medical facility we were somehow "exempted" from HIPAA. No, I didn't really believe if anything bad happened that would hold up. But I wasn't high enough in the food chain to say otherwise. Fortunately I also never handled the data, only occasional desktop support on some of the systems, and always under the watchful eye of someone who was authorized to be in the room.

  5. Bob Dole (tm)

    auditing == waste of time

    Having been through several "audits" I can categorically state that they are a complete and total waste of time.

    The things they have you do to "secure" systems usually boils down to disabling certain things like SSL 3.0 and making sure you have a virus scanner on every single piece of equipment. In no way do they perform actual pen testing or even perform intelligent analysis of what is going on with the actual data.

    In other words, these audits are basically over priced people checking things off a list and usually do close to nothing to combat actual security threats that are seen.

    The ONLY way this is going to get better is if people that actually know what the hell they are doing are the ones in charge of auditing. The problem is that costs more. If you really want to fix this then it needs to be a huge financial cost. So much so that insurance companies will demand it of their clients before underwriting the policies.

    1. Robert Helpmann??
      Childcatcher

      Re: auditing == waste of time

      Having been through several "audits" I can categorically state that they are a complete and total waste of time.

      I think this is more a case of YMMV1. I have had both experience with fairly softball checks that don't do much to ensure network or system security as well as some where all tools were allowed including social engineering, penetration testing, and attempts to bypass physical controls. The latter wasn't pleasant to go through, but mostly because our leadership had steadfastly put convenience well ahead of best security practices. I am not really disagreeing with your final point concerning the need to put someone clueful in charge of audits, just the possibility that it happens.

      1. For purposes of mileage in this analogy, you may consider OPM the auditing version of a fully loaded vintage Cadillac SUV.

  6. ecofeco Silver badge

    So?

    Just because something has been inspected doesn't mean the owner isn't going to screw it up after the inspectors leave.

    BOFH is real. Very, very, real.

    1. Mark 85 Silver badge

      Re: So?

      I can't speak for all locations, all insurance companies, etc. Only for what I've seen with my own eyes.

      The word goes out when the auditors are coming. There'll be a mad dash in the customer service and claims areas to hide paper.. privacy screens come out from under the desks.... the day after the auditors leave, the privacy screens go back under the desk, and paper suddenly reappears magically.

      In IT, they don't ever look at the servers via screens or examine the admin logs. They look at a logbook or a paper print-out of a log.

      I really believe there's more break-ins coming and we'll have more discussions along this line.... I wouldn't be surprised if the break-ins are already underway and the companies just don't know it.

      Hell, we have 5,000 employees and per the CIO, we have almost as many servers: mainframes, web-facing, departmental, test, etc. It's a no-win job trying to secure them all and even harder if there's any turnover in personnel. They discovered 20 servers last year that hadn't been used in 5 years or updated, but there they sat... connected to the network and happily idling. Overlooked, never used for much, and never audited because the sysadmin who set them up was made redundant before he got the paperwork done on their being launched.

  7. Anonymous Coward
    Anonymous Coward

    And they wonder why I haven't signed up for Obama-scare yet.

    If it's not a handful of states suing to get out from under some of the requirements (potentially leaving a lot of poor people hung out to dry), it's one healthcare company after another leaving the data cabinet door unlocked. Not enough win in it for me, sorry.

  8. Anonymous Coward
    Anonymous Coward

    Idiots, all of you.......

    "I can't swear to it", "I think", "Lax US security rules", and the scared anonymous bitch "Obama-Scare".......

    1st, if you think, or can't swear to it, STFU until you *know* something. 2nd, you fucking wankers and your "the US sucks" mentality ..... your shit isn't any better. PLEASE! 3rd, quit being a scared anonymous bitch!

    There isn't any org better or worse than a US org. If that were a falsehood, then I wouldn't have to fight off Chinese bad actors coming at us from a PWN'd Britton VPS.

    Nobody gives a shit until they have to write a check. Then, once the dust settles, nobody gives a shit anymore, until they have to write another check.

    When is the last time someone on US soil was poisoned by Po-210? You european 3rd world country residents can stuff that noise.

  9. Anonymous Coward
    Anonymous Coward

    It's genuinely scary...

    ...how inept the U.S. government is on security and much else.

    1. Anonymous Coward
      Anonymous Coward

      Re: It's genuinely scary...

      and that's from the outside looking in. For the inside looking out...

      <<Shudder>>

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022