Compliance Mindset Can Lead to Epic Security Fail

The recent data breach at Premera Blue Cross — in which the personal information of some 11 million customers was compromised — raises questions about how effective government regulators are at ensuring that healthcare providers adequately protect their patients’ data.

There have been abundant warnings that compliance with government regulations alone would not be adequate to protect companies from the kinds of cyberthreats the world faces today. Premera, it appears, learned that lesson the hard way.

Auditors with the U.S. Office of Personnel Management (OPM) in January 2014 recommended that Premera address two areas of system administration: more timely installation of software patches and upgrades, and creation of configuration baselines so it could effectively audit its server and database security settings.

However, those weren’t very serious deficiencies in the minds of the auditors, who wrote in their final report, released in November, that “nothing came to our attention that caused us to believe that Premera is not in compliance with the HIPAA security, privacy, and national provider identifier regulations.”

The company was breached in May 2014, six months before the feds released their final audit report, yet Premera didn’t discover the breach until January 2015.

Common Problems

Granted, the OPM audit was a limited one, covering only the information systems tied to the claims processing applications used at Premera, and it was not as rigorous as the HIPAA security and privacy compliance audits conducted by the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services.

“The scope and depth of the OPM audit was likely just a subset of what would have been covered by a true HIPAA audit conducted by OCR,” said Ulf Mattsson, CTO of Protegrity.

“Based on the information provided in the audit report, there’s no way to know for sure how Premera would have performed if it had been audited by OCR,” he told TechNewsWorld.

“The problems cited by the audit are probably pretty common to all organizations. While fixing those problems can improve an organization’s security posture slightly, by no means were they likely the cause of the massive data breach at Premera,” Mattsson said.

“The storing of sensitive data without being encrypted is the more likely culprit,” he added.

Checkbox Security

It’s unlikely that even a rigorous audit would have deterred Premera’s data thieves.

“Since HIPAA does not require companies to encrypt their data at rest, even passing a true HIPAA audit by OCR may not have prevented the Premera breach,” Mattsson said.

Although compliance rules are supposed to set minimum standards for protecting data, many companies treat them as maximum benchmarks.

“Cases like Premera and thousands of others are proof that if you follow compliance — the checkbox approach to security — it doesn’t mean you’re more secure,” said Torsten George, vice president for marketing at Agiliance.

“You can schedule an audit, but you can’t schedule a cyberattack,” he told TechNewsWorld.

“You have to change your way of thinking. You have to get away from these three-to-six-month sprints to get to compliance and then forget about it,” George said.

“Security needs to be part of your day-to-day operations,” he added, “not just something you do to get through an audit review.”

Antiquated Thinking

Healthcare security audits have some fundamental problems. “HIPAA is focused on prevention of threats,” said Mike Davis, CTO of CounterTack.

“As we all know, prevention doesn’t always work. Hackers still get in,” he told TechNewsWorld.

“There’s very little in HIPAA that requires healthcare institutions to detect threats,” Davis added. For example, HIPAA requires that access to patient records be restricted, but it doesn’t require that access to those records be monitored.

“You lock down the users, so only Bob can access patient information, but if an attacker takes over Bob’s account, he has access to the patient information and you’d never know,” he explained.
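The gap Davis describes is the difference between an access-control check (is this account allowed to read charts?) and a behavioral one (is this account reading charts the way its owner does?). The following is an added example, not code from the article, from CounterTack or from Premera, of the second kind of check in plain Python with no third-party dependencies. The log format, the user names, the IP addresses, the timestamps and the thresholds are all constructed for illustration and are not drawn from any real system. It builds a per-user baseline from earlier days (distinct records read per day, source IPs seen, working hours) and flags a day on which the authorised account "bob" suddenly reads forty charts at 02:14 from an address never seen before, which is exactly the takeover scenario the quote describes.

```python
"""Walk-forward anomaly detection over patient-record access logs.

Added example; every name, address, timestamp and threshold below is an
assumption made for illustration, not a description of any real deployment.
"""
from collections import defaultdict
from datetime import datetime
import re
import statistics

# Constructed log format: "<ISO timestamp> user=<id> src=<ip> action=<verb> record=<patient id>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>\S+) record=(?P<record>\S+)$"
)

# Constructed baseline: bob and alice doing normal daytime chart lookups from the clinic LAN.
BASELINE_LOG = """\
2014-05-05T08:10:02 user=alice src=10.1.4.31 action=READ record=P3001
2014-05-05T08:41:19 user=alice src=10.1.4.31 action=READ record=P3002
2014-05-05T09:02:11 user=bob src=10.1.4.22 action=READ record=P1001
2014-05-05T09:15:40 user=bob src=10.1.4.22 action=READ record=P1002
2014-05-05T10:03:07 user=bob src=10.1.4.22 action=READ record=P1003
2014-05-06T09:11:02 user=bob src=10.1.4.22 action=READ record=P1004
2014-05-06T09:48:55 user=bob src=10.1.4.22 action=READ record=P1005
2014-05-06T10:30:00 user=alice src=10.1.4.31 action=READ record=P3001
2014-05-06T11:20:19 user=bob src=10.1.4.22 action=READ record=P1001
2014-05-07T09:30:00 user=bob src=10.1.4.22 action=READ record=P1006
2014-05-07T09:31:10 user=bob src=10.1.4.22 action=READ record=P1007
2014-05-07T14:05:44 user=bob src=10.1.4.22 action=READ record=P1002
2014-05-08T02:13:50 user=bob src=203.0.113.9 action=LOGIN record=-
"""

# Constructed takeover: bob's credentials, an outside address, 02:14, forty distinct charts in forty seconds.
TAKEOVER_LOG = "\n".join(
    f"2014-05-08T02:14:{i:02d} user=bob src=203.0.113.9 action=READ record=P{2000 + i}"
    for i in range(40)
)
SAMPLE_LOG = BASELINE_LOG + TAKEOVER_LOG + "\n"


def parse_log(text):
    """Parse log lines into dicts with a datetime; blank or malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        entries.append(e)
    return entries


def daily_profiles(entries):
    """Group READ events into per-(user, day) profiles of records, source IPs and hours."""
    prof = defaultdict(lambda: {"records": set(), "ips": set(), "hours": set()})
    for e in entries:
        if e["action"] != "READ":
            continue
        p = prof[(e["user"], e["ts"].date())]
        p["records"].add(e["record"])
        p["ips"].add(e["src"])
        p["hours"].add(e["ts"].hour)
    return prof


def detect_anomalies(entries, volume_factor=5, work_hours=(7, 19)):
    """Judge each user-day only against that user's earlier, unflagged days,
    so a takeover day cannot launder itself into the baseline.
    Returns a list of findings with the reasons that fired."""
    prof = daily_profiles(entries)
    days_by_user = defaultdict(list)
    for user, day in sorted(prof):
        days_by_user[user].append(day)

    findings = []
    for user, days in days_by_user.items():
        prior_counts, known_ips = [], set()
        for day in days:
            p = prof[(user, day)]
            reasons = []
            if prior_counts:  # the first day only seeds the baseline
                baseline = max(statistics.median(prior_counts), 1)
                if len(p["records"]) > volume_factor * baseline:
                    reasons.append("volume")
                if p["ips"] - known_ips:
                    reasons.append("new_source_ip")
            if any(not (work_hours[0] <= h < work_hours[1]) for h in p["hours"]):
                reasons.append("off_hours")
            if reasons:
                findings.append({"user": user, "date": day.isoformat(),
                                 "records": len(p["records"]), "reasons": reasons})
            else:
                prior_counts.append(len(p["records"]))
                known_ips |= p["ips"]
    return findings


if __name__ == "__main__":
    for f in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{f['date']} {f['user']}: {f['records']} records, flags={','.join(f['reasons'])}")
```

Run as-is it reports one finding, bob on 2014-05-08 with all three flags, and nothing for alice. The volume test uses a median of earlier days rather than a fixed ceiling so that a nurse who normally reads thirty charts a day is not treated like a coder who normally reads two; the other two signals need no baseline beyond the set of addresses already seen. In a real deployment the same three signals would be fed by the application's audit log rather than a constructed string, and a flagged day would generate an alert rather than a print.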

The standards used by HIPAA are outdated, maintained Tom Kellermann, chief cybersecurity officer for Trend Micro.

“They’re based on perimeter defense, and they’re overreliant on encryption of data,” he told TechNewsWorld.

“They focus on threats relevant 10 years ago,” Kellermann continued. “The threats today are a thousand times more sophisticated.”

Breach Diary

  • March 23. Twitch informs users that some of their accounts were accessed by unauthorized parties. It expires all passwords and stream keys and disconnects accounts from Twitter and YouTube.
  • March 24. TransUnion Healthcare releases a survey finding that more than half of recent hospital patients would be willing to change providers if their current provider suffered a data breach; 65 percent of patients said they would avoid a provider that had experienced a data breach.
  • March 25. Secunia reports 15,435 vulnerabilities were found in 3,870 applications in 2014 — an 18 percent increase over 2013. It also noted that patches were available for 83 percent of the vulnerabilities on the day they were made public.
  • March 26. Cylance identifies a vulnerability in ANTLabs InnGate routers, which are commonly installed in hotels and convention centers, that could lead to remote code execution on devices connected to those routers.
  • March 26. Citigroup warns its employees that they should be mindful that cybersecurity at law firms is below the standards of other industries. Citi also was critical of the unwillingness of large law firms to discuss or acknowledge data breaches with law enforcement and corporate clients.
  • March 27. Class action lawsuit filed in Washington state federal court against Premera Blue Cross over the data breach, revealed earlier this month, that compromised the personal information of 11 million customers.
  • March 27. Court of Appeals in United Kingdom rejects motion by Google to dismiss lawsuit alleging the company tracked users of Apple’s Safari Web browser without authorization and in violation of UK privacy laws.

Upcoming Security Events

  • March 31. Monitoring for Network Security. 1 p.m. ET. Webinar sponsored by ThousandEyes. Free with registration.
  • March 31. Building and Enforcing Mobile Application Security Policy in a BYOD World. Noon ET. Dark Reading webinar. Free with registration.
  • April 1. SecureWorld Kansas City. Kansas City Convention Center, 301 West 13th Street #100, Kansas City, Missouri. Registration: open sessions pass, US$25; conference pass, $175; SecureWorld plus training, $545.
  • April 8. Why DDoS Makes for Risky Business — And What You Can Do About It. 11 a.m. ET. Webinar sponsored by Arbor Networks and IANS. Free with registration.
  • April 11. B-Sides Nashville. Lipscomb University, Nashville, Tennessee. Fee: $10.
  • April 11-12. B-Sides Charm. Howard Community College, Gateway Building, Charles I. Ecker Business Training Center, 6751 Columbia Gateway Drive, Columbia, Maryland. Fee: TBD.
  • April 11-12. B-Sides Orlando. University of Central Florida, 4000 Central Florida Blvd., Orlando, Florida. Fee: $20.
  • April 15. Secure Government: Manage, Mitigate, Mobilize. Symantec Government Symposium, Walter E. Washington Convention Center, Washington, D.C. Registration: government, free; non-government, $295.
  • April 17-18. B-Sides Algiers. Ecole Nationale Supérieure d’Informatique, Oued Smar, Algiers, Algeria. Free.
  • April 18. B-Sides Oklahoma. Hard Rock Casino, 777 W. Cherokee St., Catoosa, Oklahoma. Free.
  • April 19-20. B-Sides San Francisco. 135 Bluxome St., San Francisco. Registration: $20, plus $2.09 fee.
  • April 20-24. RSA USA 2015. Moscone Center, San Francisco. Registration: before March 21, $1,895; after March 20, $2,295; after April 17, $2,595.
  • April 25. B-Sides Rochester. German House, 315 Gregory St., Rochester, New York. Free.
  • April 29. Dark Reading’s Security Crash Course. Mandalay Bay Convention Center. Las Vegas, Nevada. Registration: through March 20, $899; March 21-April 24, $999; April 25-29, $1,099.
  • May 2. B-Sides San Antonio. Texas A&M, Brooks City Base, San Antonio, Texas. Fee: $10.
  • May 6-7. Suits and Spooks London. techUK, 10 Saint Bride St., London. Registration: government/military, $305; members, $486; industry, $571.
  • May 9. B-Sides Boston. Microsoft 1 Cambridge Center, Cambridge, Massachusetts. Fee: $20.
  • May 13. SecureWorld Houston. Norris Conference Center, Houston, Texas. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • June 8-10. SIA Government summit 2015. W Hotel, Washington, D.C. Meeting Fees: members, $595; nonmember, $795.
  • June 8-11. Gartner Security & Risk Management Summit. Gaylord National, 201 Waterfront St., National Harbor, Maryland. Registration: before April 11, $2,795; after April 10, standard $2,995, public sector $2,595.
  • June 16-17. Black Hat Mobile Security Summit. ExCel London, London, UK. Registration: before April 11, £400; before June 16, £500; after June 15, £600.
  • August 1-6. Black Hat USA. Mandalay Bay, Las Vegas, Nevada. Registration: before June 6, $1,795; before July 25, $2,195; after July 24, $2,595.
  • Sept. 28-Oct. 1. ASIS 2015. Anaheim Convention Center, Anaheim, California. Registration: through May 31 — member, $895; nonmember, $1,150; government, $945; student, $300; June 1-Aug. 31 — $995, $1,250, $1,045, $350; Sept. 1-Oct. 1 — $1,095, $1,350, $1,145, $400.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
