Malware Hits Kaiser's Research Data; Went Undetected for More Than Two Years
In a letter sent to patients, Kaiser Permanente Northern California Division of Research disclosed that malicious software was discovered on the server in February, but that the organization believes the server was infected in October 2011.
Patient information that was contained on the server, or in a file connected to the server, includes name, date of birth, age and gender, and possibly address, race/ethnicity, medical record number, lab results associated with research, and responses individuals provided to research-related questions, depending upon the research study, Kaiser says. Neither Social Security numbers nor data contained in Kaiser Permanente's electronic health records were exposed.
"Our investigation has found no evidence to date that the information on the server or connected to the server was ever actually opened, copied, or used by any unauthorized persons," a Kaiser Permanente spokeswoman tells Information Security Media Group. "We have no information that any unauthorized person accessed the information on the server. We are continuing to monitor the situation. Protecting our members' information is a responsibility we take very seriously."
The Kaiser Permanente Northern California Division of Research conducts research covering a wide range of topics, including epidemiologic and health services studies, clinical trials and program evaluations, the spokeswoman explains.
Anti-virus software on the affected server had not been updated "due to human error related to the configuration of the software," she says. "We immediately removed the server after identifying the infection and confirmed that the infection was limited to this one compromised server. The compromised server was the only server at the Division of Research that did not have the proper anti-virus software updates," she says. "We have taken corrective actions to update and strengthen our electronic security measures and protocols to help prevent a situation like this from happening again."
Although Kaiser Permanente did not disclose specifically how the malware was discovered, the organization "employs a series of electronic security measures, including regular third-party security scans," the spokeswoman says.
"We have confirmed that the infection was limited to this one compromised server, and that all other DOR servers were and are appropriately protected with anti-virus security," she says.
Adam Wosotowsky, messaging data architect of security firm McAfee Labs, a unit of Intel, says it's common for malware to go undiscovered for a long period of time.
"Lots of things go into it, but first and foremost is the idea that 'if it ain't broke, don't fix it,'" he says. "Central servers that hold data for large organizations generally don't get rebooted very often, and they also don't get patched as often as they should."
In addition, he says, "Patches can have unintended consequences too, so in many cases administrators will decide that they can't afford the risk and they comfort themselves by thinking that if the server is protected by a firewall and nobody is using it then the risk of infection is negligible."
To detect malware sooner, organizations can take several steps, Wosotowsky says.
"A defensive security posture involves creating obstacles to infection as well as passive or active detections of established infections," he says. "Many organizations don't get past putting up all the obstacles - spam filtration, Web filtration, active AV on all boxes, etc. - and never get to monitoring for established infections, including passive DNS monitoring, outbound traffic blocking, network behavior profiling."
There are also mistakes to avoid, he notes. "Many organizations focus on their user workstations but don't put enough focus on their fileservers. You can save a lot of money by not upgrading, you can avoid patching drama by not patching, and for non-technical businesses you can save a lot of money by outsourcing your administration or not properly staffing your onsite administration - one IT guy for all things related to technology," he says. "The bad guys are continually investing in techniques to bring down your defenses; if you're not continually improving your defense, then you're leaving yourself wide open to exploitation."
Healthcare entities also should consider taking steps to protect big data used for research, he says.
"Servers that process 'big data' need to be dedicated to that purpose," Wosotowsky says. "They shouldn't double as an emergency workstation if you want to read your e-mail or browse the web. They should exist in a controlled and monitored environment."
Such servers should only be accessible from known sources, he explains. "If you have remote workers, they should be coming in through a VPN and not directly accessing a public service like Outlook Web Access," he says. "Everything should be monitored and logs should be reviewed for oddities and kept for a long time because even if you don't see anything initially, you might need them when doing a post-infection analysis," he advises.
This latest incident comes on the heels of a February settlement between Kaiser Foundation Health Plan and the California Attorney General's office related to a 2011 breach that compromised personal data of about 30,000 of the plan's employees.
Attorney General Kamala Harris had issued a complaint alleging that Kaiser failed to promptly notify individuals about a security breach, as required under state law. The unusual breach involved the purchase by a customer at a thrift store of a used unencrypted external hard drive containing information on about 30,000 Kaiser plan employees.
Settlement documents in the case indicate that Kaiser has agreed to review and improve where "necessary and feasible" its policies regarding encryption of e-mail that contains sensitive employment-related personal information. Also, Kaiser agrees to provide to the attorney general the results of an internal audit regarding the extent of employee access to sensitive employment-related personal information. Those actions must be implemented within 120 days after entry of the judgment, which was dated Jan. 24.
In the settlement, Kaiser agreed to make more prompt notification of future breaches and to take several other steps to improve its data security practices. Kaiser also agreed to pay a $30,000 penalty to the state and $120,000 to cover legal fees and the cost of the prosecution and investigation.
The Department of Health and Human Services' "wall of shame" website listing HIPAA breaches affecting 500 or more individuals since September 2009 contains three incidents involving units of Kaiser Permanente. Those include:
- A September 2013 incident at Kaiser Foundation Hospital in Orange County, Calif., involving the loss of an unencrypted computing device, which affected 49,000 individuals;
- A December 2009 incident at Kaiser Permanente Medical Care involving the theft of an unencrypted computing device, which affected 15,550 individuals;
- A March 2013 unauthorized access incident at Kaiser Foundation Health Plan of the Northwest in Oregon that affected 647 individuals.