[SecurityRatty] tag: commend

Breach at UCSF gets leadership response

Sat, 31 May 2008 06:34:08 +0000

Technorati Tag: Security Breach

Date Reported:
5/28/08

Organization:
University of California

Contractor/Consultant/Branch:
University of California at San Francisco ("UCSF")
Departments of Pathology and Laboratory Medicine

Victims:
Patients

Number Affected:
3,569

Types of Data:
"names, dates of pathology service, health information and, in some cases, social security numbers"

Breach Description:
"The University of California San Francisco is alerting a group of patients that it has discovered a security breach involving a computer that held personal patient information."

Reference URL:
UCSF News Release

Report Credit:
Kristen Bole, UCSF

Response:
From the online source cited above:

The University of California San Francisco is alerting a group of patients that it has discovered a security breach involving a computer that held personal patient information.

There is no indication that any patient files were accessed.

UCSF takes this situation very seriously and is therefore responding with the highest level of caution and concern.

During routine monitoring of the campus computer network on January 11, 2008, UCSF discovered unusual data traffic on one of its computers.
[Evan] Its good that the unusual traffic was detected through routine monitoring, but I wonder how long the traffic was present before it was detected. Later on in the news release there is mention that an unauthorized movie-sharing program was installed on the computer on or about December 2, 2007. It seems likely that the unusual traffic may have started on or about December 2, 2007. Why the time gap between presence and detection?

The computer was immediately removed from the network to prevent further access.

UCSF conducted a thorough investigation into the incident to assess how this breach occurred and whether any patient information may have been compromised.

The investigation was completed this month.
[Evan] This is a long investigation. January 11th, 2008 through May 1st, 2008 is more than 3 1/2 months.

During the investigation, UCSF determined that an unauthorized movie-sharing program had been installed on this one computer on or about December 2, 2007, by an unknown individual.
[Evan] Uh oh. If the installation of the program requires administrative access to the computer, it is conceivable that the local administrator credentials were compromised. The fact that the news release states "unknown individual" leads me to believe that the account used was potentially a shared account.

Installation of this program required high-level system access, which is why the incident is considered a security breach.

This computer contained files with lists of patients from the UCSF pathology department’s database.

The data included information such as patient names, dates of pathology service, health information and, in some cases, social security numbers.

The Department of Pathology has notified 2,625 UCSF patients whose information was contained on the computer.

The files also included 944 patients whose tissue samples had been referred by other health care providers to UCSF for analysis.

UCSF has established a special phone line (415) 353-7427 and a special email address PathHotline@ucsf.edu to answer questions from patients who receive the notification letters.

The security of protected health information at UCSF is of utmost importance

The campus has undertaken extensive work in this area, including upgrading system security and performing the monitoring that uncovered this breach.
[Evan] Great! I just want to point out that the word "undertaken" is past tense. Information security is a lifecycle employing continuous management, improvement, monitoring, etc.

this event and others nationwide have caused UCSF to redouble its efforts in this area.

UCSF Chancellor J. Michael Bishop has formed a top-level task force to improve the system of controls to protect patient information and other sensitive data.
[Evan] Excellent! This demonstrates good organizational leadership, of which information security is integral. It stinks that it took a breach affecting over 6,000 people before this action was taken.

This task force is composed of campus leadership and is chaired by Executive Vice Chancellor and Provost Eugene Washington.

Chancellor Bishop has charged the group with conducting a comprehensive, expedited review of actions already taken and future actions needed to protect sensitive data, including reviewing associated practices, systems and policies.

He also has charged the committee with implementing the changes needed to safeguard protected health information and other sensitive data and has asked the group to report to him weekly on their status, with an emphasis on actions taken and planned.

Commentary:
I commend UCSF leadership for the establishment of the new task force led from the top. Hopefully the momentum will continue. All organizations, non-profits and profits alike, need information security leadership that comes from the uppermost echelons in order to be effective.

Past Breaches:
University of California:
May, 2008 - Health care practices and UCSF patient records exposed
April, 2008 - University of California Irvine students are hit with mysterious breach

The best way to get customer service? Blog or Twit them

Sat, 24 May 2008 03:44:15 +0000

I was reading an article in the Orlando Sentinel newspaper this morning (I know who reads newspapers anymore), about how so many companies are tracking unhappy customers by monitoring blogs and even twitter messages. It reminded me of a story that Chris Hoff had a while back about Southwest Airlines monitoring his Twitter message

The story in the Sentinel had two opposite corporate views on this. One was Comcast who quickly turned a negative blog post and experience into a positive one by reaching out to the customer and fixing their problem. The customer than ran an updated blog post to commend Comcast. Much the same way Hoff did in his post on Southwest. The polar opposite of this was Spirit Airlines, whose spokesperson according to the article said, "she wasn't concerned and that Spirit doesn't let blog posts affect its policies and procedures." Well a year later that article is still the number 3 search result on Google if you pull up Spirit Airlines. It has over a 1000 comments with many people saying they didn't fly Spirit as a result. I wonder if Spirit Airlines still feels the same way about not listening to blogs?

The article mentions a few other companies that monitor blogs and twitter and message boards. It also mentions a web site called getsatisfaction.com where over 3000 companies monitor to help consumers iron out customer service issues.

They always said the pen was mightier than the sword. In todays world maybe the keyboard is too.

Congrats to StreamBase and Mark Palmer!

Thu, 10 Apr 2008 10:26:32 +0000

Normally we give a warm congrats to folks when they join a new company.

However, in the case of Mark Palmer joining StreamBase as the new President and CEO, I must commend and congratulate StreamBase on hiring a very capable and fantastic leader.

Mark, don’t forget to update your LinkedIn profile when you get some free time

TRICARE breach affects 4,700 households

Thu, 20 Dec 2007 09:15:59 +0000

Technorati Tag: Security Breach

Date Reported:
12/07/07

Organization:
TRICARE

Contractor/Consultant/Branch:
TRICARE Area Office Europe (TAO-Europe)
Department of Defense TRICARE Management Activity (TMA)
Electronic Data Systems (EDS)

Victims:
TRICARE beneficiaries located in Europe between the years 2004 and 2007

Number Affected:
4,700 households

Types of Data:
Full or partial Social Security Numbers, and for one or more members of the affected household, their name, date of birth, and a medical diagnosis code associated with a health benefits claim submitted to TMA

Breach Description:
On November 7th, 2007 Electronic Data Systems (EDS) reported to TRICARE that they had discovered a potential compromise of sensitive personally identifiable information belonging to beneficiaries located in Europe. EDS is an IT contractor for TRICARE and "had not appropriately secured a part of the system" they support.

Reference URL:
TRICARE TMA Website Announcement
Air Force Times Story

Report Credit:
TRICARE

Response:
From the online sources cited above:

A potential compromise of personally identifiable information belonging to approximately 4,700 TRICARE beneficiaries located in Europe occurred recently due to a problem with a claims Web site managed by Electronic Data Systems (EDS).

The incident was reported to TRICARE on November 7, 2007. The information that was potentially compromised, however, existed between the years 2004 and 2007.

The compromised information may include your full or partial Social Security Number, and for one or more members of your household, their name, date of birth, and a medical diagnosis code associated with a health benefits claim submitted to TRICARE Management Activity.

Although the assessment yields that external entities did in fact, access the system for purposes that do not appear malicious, at this time we have no indication that any of your personal information has been misused.
[Evan] This statement is a little confusing to me. Are the "external entities" authorized or not? If they were not authorized to use the system, and they had in fact accessed the system, then I would say that the access was probably malicious in nature.

It is possible that an unauthorized person could have accessed your personal information, but the Department of Defense is taking proactive steps to keep you informed.
[Evan] I don't like the word "proactive" when using it in reference to a reaction. The notification is a reaction to a lack of proactivity. You dig?

Those who may have been potentially affected by this compromise will receive a notification letter

The data was held on a Web application server that allowed external entities an unauthorized level of access without going through the required authentication process if the Web address was known.

That situation has since been remedied.

Practices such as Public Key Infrastructure (PKI) requirements and authentication verification cookies have fixed all known vulnerabilities associated with this incident. In addition, the CMS application has since been taken off-line. EDS has completed the forensics analysis of the server and is performing a by-line code review to ensure there are no further critical vulnerabilities present in the code.
[Evan] Should EDS be the ones conducting the vulnerability assessment and code review? If it were me, I would feel more comfortable with a third-party review.

EDS is offering beneficiaries put at risk a free, one-year subscription to a credit monitoring and protection service.

Additionally, those affected will receive up to $20,000 identity theft protection coverage with no deductible as it relates to this matter.

Affected beneficiaries with questions or concerns may contact the EDS Incident Response Center at 1-800-556-3195.

Those located outside the United States must dial the country’s AT&T USADirect access number first.

Commentary:
I am trying to determine with some certainty what led to this breach.
Was it poorly written code? (check out OWASP)
Was it a mis-configuration of the web server?
Was encryption not required, i.e. a user could use http or https to access the application?
Was it a combination of factors? I will assume it was a combination of factors.

On the one hand, I commend EDS for disclosing the breach to TRICARE, but on the other hand I am concerned about how long this problem may have gone un-noticed. Web applications acquiring, processing, accessing, storing or interacting with sensitive information in any manner require regular security reviews commensurate with the risk to the such information (unauthorized disclosure, alteration or destruction). This seems to be a case where you have an IT contractor in charge of design, implementation and maintenance of an application (typically with functionality as a driving factor) but also in charge of maintaining it's security. Information security really is a "stand-alone" function that should not be lumped into the same IT contract and warrants a "stand-alone" contract with a company that specializes in information security. My $.02.

Past Breaches:
Unknown