Utah Hack Attack: Lessons Learned
Risk Mitigation Must Address Hacker Threats
Because hacking incidents have been rarely reported in healthcare, it was eye-opening to learn of a major hacking incident in Utah.
Utah Department of Health officials say the breach, which they suspect involved East European hackers, exposed information about an estimated 780,000 adults and children. That information included 280,000 Social Security numbers.
At the recent National HIPAA Summit, Leon Rodriguez, director of the Department of Health and Human Services' Office for Civil Rights, noted that only about 7 percent of the more than 400 major breaches reported so far under the HIPAA breach notification rule have involved hacking incidents. The majority of breaches have stemmed from lost or stolen unencrypted devices or media.
But the Utah incident serves as an important reminder that hackers pose a serious threat that must be addressed.
Adam Greene, a former OCR official and now a partner at the law firm Davis Wright Tremaine, notes that some criminals consider health information to be far more valuable than financial information because it could pave the way for submitting false healthcare claims in bulk. Health insurance information also could be used to fraudulently obtain treatment.
So Greene, like me, is surprised that hacker attacks haven't been more common. "I have had concerns that there could be more hacking incidents that are going undetected," he says.
Security consultant Rebecca Herold of Rebecca Herold & Associates points out: "This incident should make it clear to business leaders, in all types of organizations, that there are hackers out there who are keeping an eye on systems that they view as prime targets yielding huge goldmines of data if they can find one hole to slip through."
In the Utah incident, authorities said the hacking attack was made possible because of a problem with protecting a state server. "In this particular incident, a configuration error occurred at the authentication level, allowing the hacker to circumvent the security system," according to a Utah Department of Health statement. The state's Department of Technology Services, which managed the server, "has processes in place to ensure the state's data is secure, but this particular server was not configured according to normal procedure."
So what can we learn from this hacker incident? Greene suggests that organizations should "consider technical methods of monitoring server and desktop configurations to ensure that security controls are uniformly applied and maintained." Sounds like good advice.
He also advises making sure staff members receive appropriate training. "While outside hacking attacks can be pretty sophisticated, they also may rely on some pretty basic social engineering techniques, such as a hacker posing as internal IT staff to obtain a password," he notes. "The best defense against some of those attacks may be good training of staff."
That means it's time to make sure that everyone in your organization is aware of the importance of not providing passwords to anyone, even IT staff, Greene stresses.
Of course, it should be noted that if the information on the server had been encrypted, the data would have been safeguarded and the breach would not even have had to be reported.
Surely, one major hacking incident doesn't signal the need for a major shift in breach prevention strategy. But Greene points out that a comprehensive risk assessment and an ongoing evaluation program should include vulnerability and penetration testing to help guard against hackers.
Herold advises healthcare organizations to make sure they have well-documented systems and application procedures and supporting standards in place that are consistently followed. "Log changes consistently, have teams responsible for reviewing the logs and maintain the logs for an appropriate period of time," she says.
The Utah breach appears to have been caused by a staff member not following procedures, Herold notes. "I believe such mistakes and oversights ... are likely widespread. ... It is not only very easy for mistakes to occur within the network security architecture of a complex set of systems, but there will always be some humans involved who are tempted to bypass important security controls because they slow them down, are cumbersome to follow, take too long to perform or they simply believe that no one will ever be able to find such a vulnerability."
As a result, Herold advises organizations to "have a change control process in place to help keep the mistakes of individuals from being put into production."
In the wake of the breach, Utah Gov. Gary Herbert is calling for a comprehensive security audit of the state's data systems by an independent firm, according to the Salt Lake Tribune. That's a good move to help restore public confidence.
But Herold argues that performing ongoing audits to catch configuration errors is essential.
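Greene's advice to monitor server configurations technically, Herold's advice to log changes for a review team, and the call for ongoing audits that catch configuration errors all come down to the same control: compare each server against a required baseline, record every deviation, and escalate the ones that weaken authentication. The following Python script is an added example written for this article, not code from the Utah Department of Health, the Department of Technology Services or either consultant. The baseline settings, hostnames, snapshot values and severity labels are all constructed placeholders and are not the actual configuration of the breached server.

```python
"""Baseline configuration-drift audit (added example, not from the original
article). It compares per-server configuration snapshots against a required
baseline, classifies deviations by how badly they weaken access control, and
renders findings as JSON log lines for retention and team review.
All hostnames, settings and values are constructed for illustration."""
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed baseline: what every server holding this data is required to have.
BASELINE = {
    "auth_required": True,            # requests must be authenticated
    "allow_anonymous": False,         # no anonymous access path
    "default_password_changed": True, # vendor default credential replaced
    "tls_min_version": "1.2",         # treated as a minimum, not an exact match
    "pii_volume_encrypted": True,     # data at rest encrypted
}

# Constructed severity labels: authentication-level drift is the worst case,
# since it lets an outsider reach the data without any credential at all.
SEVERITY = {
    "auth_required": "critical",
    "allow_anonymous": "critical",
    "default_password_changed": "critical",
    "pii_volume_encrypted": "high",
    "tls_min_version": "medium",
}

# Constructed "as-built" snapshots, one per server (hypothetical hostnames).
SERVERS = {
    "db-01.example.internal": {
        "auth_required": True, "allow_anonymous": False,
        "default_password_changed": True, "tls_min_version": "1.2",
        "pii_volume_encrypted": True,
    },
    "db-02.example.internal": {  # misconfigured at the authentication level
        "auth_required": False, "allow_anonymous": True,
        "default_password_changed": False, "tls_min_version": "1.2",
        "pii_volume_encrypted": False,
    },
    "db-03.example.internal": {  # one setting missing, one below minimum
        "auth_required": True, "allow_anonymous": False,
        "tls_min_version": "1.0", "pii_volume_encrypted": True,
    },
}


@dataclass
class Finding:
    host: str
    setting: str
    expected: object
    actual: object      # None when the setting is absent from the snapshot
    severity: str


def _version_tuple(value):
    """'1.2' -> (1, 2) so that versions compare numerically, not as strings."""
    return tuple(int(part) for part in str(value).split("."))


def deviates(key, expected, actual):
    """True if the observed value fails the baseline rule for this setting."""
    if actual is None:                       # absent counts as non-compliant
        return True
    if key.endswith("_min_version"):         # minimum-version rule: lower is drift
        return _version_tuple(actual) < _version_tuple(expected)
    return actual != expected                # everything else must match exactly


def check_host(host, snapshot, baseline=BASELINE):
    """Return one Finding per baseline setting the snapshot violates, in baseline order."""
    findings = []
    for key, expected in baseline.items():
        actual = snapshot.get(key)
        if deviates(key, expected, actual):
            findings.append(Finding(host, key, expected, actual,
                                    SEVERITY.get(key, "medium")))
    return findings


def audit(servers, baseline=BASELINE):
    """Audit every server; returns {host: [Finding, ...]} (empty list = compliant)."""
    return {host: check_host(host, snap, baseline) for host, snap in servers.items()}


def critical_hosts(results):
    """Hosts with at least one critical (authentication-level) deviation."""
    return sorted(h for h, fs in results.items() if any(f.severity == "critical" for f in fs))


def audit_log_entries(results, when=None):
    """Render findings as JSON lines suitable for a retained, reviewable audit log."""
    ts = (when or datetime.now(timezone.utc)).isoformat()
    lines = []
    for host, findings in results.items():
        for f in findings:
            lines.append(json.dumps({
                "ts": ts, "event": "config_drift", "host": host,
                "setting": f.setting, "expected": f.expected,
                "actual": f.actual, "severity": f.severity}, sort_keys=True))
    return lines


if __name__ == "__main__":
    results = audit(SERVERS)
    for line in audit_log_entries(results):
        print(line)
    print("hosts needing immediate attention:", critical_hosts(results))
```

Run on a schedule, this kind of check turns "this particular server was not configured according to normal procedure" from something discovered after a breach into a log entry a review team sees the same day. The version rule matters in practice: a server running a newer TLS version than the baseline minimum is not drift, while a missing setting is treated as non-compliant rather than silently skipped.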