Answers

B I.

Intrusion Detection Analyst


"Security Breaches"

What industry standard do you recommend to mitigate "security breaches"?
(see below)
WASHINGTON — Sensitive information on about 1,000 patients at Walter Reed Army Medical Center and other military hospitals was exposed in a security breach, sparking identity theft concerns and an investigation by the Army (Washington Post) Tuesday Jun 3, 2008

Location specific: Washington D.C. Metro Area

posted June 3, 2008 in Information Security | Closed


Good Answers (3)

Daniel W.

Experienced Cyber Security Executive at IT Federal Services


This was selected as Best Answer

Standards require policies to precede them. If there are no required policies to be followed, the chance that actual security procedures will be followed is "slim to none." If the hospital had protected its data adequately using probable risk and mitigation controls, there would have been a less likely chance of a breach. If you talk to any infosec professional, there are opportunities to reduce risk, just not to totally eliminate it.

posted June 3, 2008

Jeroen D.

Security Engineer at Check Point Software Technologies Ltd.


B,

What kind of answer are you hoping to get here? There are no details whatsoever about the security breach.
Information can leave the hospital in a variety of ways. So, to be complete, you need physical security, network security and also Data Leakage Prevention solutions on endpoints.

For many companies, the biggest problem of all is the lack of a (if existent: proper) security policy. The security policy is a non-technical document that describes the details of the 3 things I mentioned earlier.

Jeroen

posted June 3, 2008

More Answers (8)

Matthew A.

Team Lead/Sr. Systems Engineer


This is kind of a vague question, as well as a vague story. I think more detail would have to be released before a good answer can be given, but the standard fare applies when dealing with any outside company: filter, monitor and use secure transaction processing. Best I can say without more detail.

posted June 3, 2008

Leo V.

Sr. Consulting Systems Engineer at Barracuda Networks


The PCI standard for protecting payment card information is a pretty good one to start with. It centers around a core set of principles and requirements designed to ensure the protection of cardholder data.

There are many other security frameworks but, in general, they are not as specific about requirements as PCI is.

posted June 3, 2008

Al M.

Volunteer Consultant at Haiti Earthquake Disaster Relief & News


I suggest you join a discussion list that focuses on common sense solutions to common security problems.

Here is a link to brief synopses of several of them.

Good security is a process of continuous improvement.
You set some common sense goals, set up a system for testing that you have met the goals, then you raise the bar or goal, then work towards it, and if you achieve that, then raise the bar again.

Various surveys show that maybe half of all organizations have not yet started, and do not even have a security policy for their critical infrastructure.

Various inspections of sites on the Internet have found that millions have no security, or security that is a joke.

People generally do not take security seriously until THEY have been victimized by THEIR lapses in judgement.

Clarification added June 5, 2008:

Subsequent news stories, such as those linked by the attrition.org DATA LOSS list, indicate this particular breach may be due to P2P, which had been banned from military hospitals due to its security weaknesses; but ordinary users of PCs at work have a habit of ignoring the rules, or being ignorant of them, and violating security rules by installing whatever they want on their work PCs.

This is like the big breach at the IRS, where all sorts of Internet tools were banned for people connecting to the IRS databases, because those tools' security did not yet measure up to IRS standards.

Someone at the IRS arranged for software upgrade help from some contractors, who were given access without going through the IRS's own rules for contractors, or enforcing the IRS security rules which applied to everyone accessing the IRS databases.

Some contractors installed Internet tools for their convenience that were on the IRS list of banned tools; they had the predictable security breaches, and 100% of the taxpayer information that the IRS has on everyone in the USA, all citizens abroad, corporations, non-profits, etc. leaked out to unknown users. This happened before breach disclosure was mandatory, so finding news stories and statistics on the incident is darn near impossible today. There was a scathing IRS Inspector General report on the mismanagement responsible.

Your tax dollars at work. Supporting identity theft criminals. Helping the terrorists steal our identities so they can come & go as they please.

posted June 3, 2008

Doc F.

RACF Engineer at KeyBank


The previous posters are correct - there has to be more detailed information on how the sensitive data was released/exposed before any of us can comment on it.

That said, this shows that risks over security still exist, even in systems that are supposed to be covered under DoD/DIACAP controls. I'm working right now on a DIACAP remediation for a commercial enterprise, and the regs for certification are painfully stringent. So, assuming that Walter Reed was the actual SOURCE of the breach, as opposed to another entity (be it military, government or commercial), then they are in violation of their own regulatory requirements. Five'll get you ten that it comes down to one person making a stupid mistake that in effect knocked down several layers of security, all in the name of "efficiency" or "operational necessity". Considering that many of our brave soldiers from Iraq and Afghanistan are receiving treatment at WRAMC, it makes it even more galling.

About the only thing that can be done at this point is to determine the scope of the breach and the source of the breach, and to minimise the damage for the patients and their families as much as possible. Along with firing the bozos who caused the breach, and arresting any outside entities who might have hacked in from outside.

If you could enter some clarifications above (including for example a link to the actual article) it would go a long way toward helping us provide more cogent responses.

Hope this was helpful. Many thanks.

Doc Farmer
Senior Security Specialist
InfoSec, Inc.


posted June 3, 2008

James O.

Sr. Enterprise Sales Rep.


I suggest you follow the HIPAA guidelines for patient identity and the hospital; kind of the obvious answer here. Otherwise, if you are looking for a solution to prevent security breaches, I would suggest you implement multiple vendors for everything from your firewall to your IDS/IPS and all the way down to your email, IM and web filtering.
I suggest this because, as someone who has positioned and sold these various solutions over the years, the "one vendor" approach might seem attractive, but no vendor has all of these solutions built on their own technology; they have partnered with another firm to resell a product, and this model's biggest problem wraps around the client support issue.
See, anyone that resells a product, when their client has a tech support matter, will have to go back to said vendor for a solution, and this process adds the potential of longer downtime, whereas if you go direct you are skipping that step and will resolve your problem much faster.

posted June 3, 2008

Lynn W.

virtualization since Jan68, online at home since Mar70


We had been called in to help wordsmith the cal. state electronic signature (and later federal) legislation. Some of the involved organizations were also involved in privacy issues and had done in-depth consumer surveys and found that the two major issues were

1) identity theft ... account fraudulent transactions affecting most people, and stats have been that upwards of 70 percent of the incidents involved insiders

2) denial of service ... institutions using personal information to the detriment of the individual

Because so little attention was being paid to the root sources behind these activities, that was a major motivation behind the cal. state breach notification legislation (and subsequent similar legislation in other states) ... hoping that mandating notification and the associated publicity would start to result in something being done about the problems.

Earlier we had been asked to consult with a small client/server startup that wanted to do payment transactions on their server and had this technology called SSL they had invented and wanted to use (now frequently referred to as electronic commerce). Some number of past posts refer to the activity:
http://www.garlic.com/~lynn/subnetwork.html#gateway

We then got roped into working on the x9.59 financial transaction standard in the x9a10 financial standard working group. In the mid-90s, X9A10 had been given the requirement to preserve the integrity of the financial infrastructure for all retail payments ... misc. past references:
http://www.garlic.com/~lynn/x959.html#x959

Part of the activity involved an in-depth, end-to-end threat and vulnerability study. This included focusing on the types of problems that have represented the majority of all breaches reported in the news over the past several years.

There were (at least) two characteristics:

1) in the current paradigm, account information, including previous transaction information, represents diametrically opposing security requirements. On one side, the information has to be kept completely confidential and never divulged to anybody. On the other side, the information has to be readily available for numerous business processes in order to execute transactions.

2) the value of the account related information in (merchant) transaction logs can be 100 times more valuable to the crooks than to the merchant. Basically, to the merchant, the information is worth some part of the profit off the transaction. To the crook, the information can be worth the credit limit and/or account balance for the related account. As a result, the crooks may be able to afford to spend 100 times as much attacking the system as the merchants can afford to spend defending it.

So, one of the parts of the x9.59 financial standard was to tweak the paradigm and eliminate the value of the information to the crooks, and therefore also the necessity to hide the information at all (it didn't do anything to prevent what has been the majority of the breaches in the past several years ... it just eliminated any of the fraud that could occur from those breaches ... and therefore the threat the breach would represent).

Clarification added June 4, 2008:

The major use of SSL in the world today is this thing we worked on, now commonly referred to as electronic commerce ... lots of past references to various aspects of SSL:
http://www.garlic.com/~lynn/subpubkey.html#sslcerts

where SSL is primarily being used to hide the account and transaction information. Since the x9.59 financial standard eliminates the need to hide that information (as a countermeasure to fraudulent financial transactions) ... it not only eliminates the threat from security/data breaches but also eliminates the major use of SSL in the world today.

Clarification added June 5, 2008:

some late breaking news:

Researchers say notification laws not lowering ID theft
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9093659
Researchers say notification laws not lowering ID theft
http://www.networkworld.com/news/2008/060508-researchers-say-notification-laws-not.html
Researchers Say Notification Laws Not Lowering ID Theft
http://news.yahoo.com/s/pcworld/146738
Researchers say notification laws not lowering ID theft
http://www.infoworld.com/article/08/06/05/Notification-laws-not-lowering-ID-theft_1.html
Researchers Say Notification Laws Not Lowering ID Theft
http://www.pcworld.com/businesscenter/article/146738/researchers_say_notification_laws_not_lowering_id_theft.html

With regard to the paradigm involving transaction information ... on one hand it can never be exposed or made available (to anyone), and on the other hand, by definition, the transaction information has to be available in numerous business processes as part of performing transactions.

We've tried using the comment (in the current paradigm) that even if the world were buried under miles of (information hiding) encryption, it still wouldn't prevent information leakage.

We've also tried detailed discussions using the analogy of the "naked transaction" metaphor ...
http://www.garlic.com/~lynn/subintegrity.html#payments

A military analogy is a position in an open valley with no cover and the enemy holding all the high ground on the surrounding hills (or like shooting fish in a barrel).

posted June 3, 2008
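To make the "naked transaction" idea in Lynn's answer concrete, here is an added illustration of the paradigm shift described there: the account holder authenticates each transaction with a key that never appears in any merchant log, so a leaked log (account numbers, amounts and past authenticators included) gives a crook nothing to spend. This is my own example, not x9.59 itself and not Lynn's code; the account number and merchant names are made up, and an HMAC with a per-account key stands in for the cardholder digital signature the real standard would use (which is why the issuer, not the merchant, verifies here).

```python
"""Toy authenticated-transaction model (example, not x9.59).

Assumptions: one cardholder, one issuer, a per-account HMAC key as a
stand-in for a digital signature, and a constructed merchant log that is
assumed to leak in full.  Stdlib only.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Set, Tuple

Txn = Dict[str, object]


def canonical(txn: Txn) -> bytes:
    """Serialise a transaction deterministically so both sides MAC the same bytes."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


def authenticate(key: bytes, txn: Txn) -> bytes:
    """Per-transaction authenticator; only the holder of `key` can produce it."""
    return hmac.new(key, canonical(txn), hashlib.sha256).digest()


class Cardholder:
    """Owns the account key; nothing written to a merchant log can reproduce it."""

    def __init__(self, account: str, key: bytes) -> None:
        self.account = account
        self._key = key

    def authorize(self, merchant: str, amount_cents: int) -> Tuple[Txn, bytes]:
        txn: Txn = {
            "account": self.account,
            "merchant": merchant,
            "amount": amount_cents,
            "nonce": secrets.token_hex(8),  # makes every authorisation unique
        }
        return txn, authenticate(self._key, txn)


class Issuer:
    """Checks the authenticator and refuses any nonce it has already settled."""

    def __init__(self, keys: Dict[str, bytes]) -> None:
        self._keys = keys
        self._seen: Set[str] = set()

    def settle(self, txn: Txn, auth: bytes) -> bool:
        key = self._keys.get(str(txn.get("account")))
        if key is None:
            return False
        if not hmac.compare_digest(authenticate(key, txn), auth):
            return False  # forged, or a logged authenticator moved to other data
        nonce = str(txn["nonce"])
        if nonce in self._seen:
            return False  # verbatim replay out of a leaked log
        self._seen.add(nonce)
        return True


def run_scenario() -> Dict[str, bool]:
    """Constructed scenario: the merchant's log leaks and a crook tries to use it."""
    key = secrets.token_bytes(32)
    alice = Cardholder("4111-0000-0000-1234", key)  # made-up account number
    issuer = Issuer({alice.account: key})

    # Legitimate purchase: the merchant logs both txn and authenticator.
    txn, auth = alice.authorize("shop.example", 4999)
    legit = issuer.settle(txn, auth)
    merchant_log = [(txn, auth)]  # this whole list is what the breach exposes

    leaked_txn, leaked_auth = merchant_log[0]
    # 1. Replay the logged transaction verbatim.
    replay = issuer.settle(leaked_txn, leaked_auth)
    # 2. Reuse the logged authenticator on a tampered transaction.
    tampered = dict(leaked_txn, amount=99999, merchant="fence.example")
    tamper = issuer.settle(tampered, leaked_auth)
    # 3. Forge a fresh transaction knowing only the account number.
    forged: Txn = {"account": leaked_txn["account"], "merchant": "fence.example",
                   "amount": 99999, "nonce": secrets.token_hex(8)}
    forge = issuer.settle(forged, authenticate(b"guessed-key", forged))

    return {
        "legitimate_accepted": legit,
        "replay_rejected": not replay,
        "tamper_rejected": not tamper,
        "forgery_rejected": not forge,
    }


if __name__ == "__main__":
    for check, ok in run_scenario().items():
        print(f"{check}: {ok}")
```

The point of the model is the one Lynn makes: the account number and the transaction history can sit in plain view in the merchant's log because none of it lets an attacker originate or replay a transaction. What has to stay private is only the cardholder's key, which the merchant never sees and therefore cannot leak.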

Tuomo S.

Experienced IT Consultant


An interesting question - the answer must be none if the purpose is to mitigate but not to prevent - and I don't know if there are any standards to mitigate? Mitigate == make less severe, less painful, and that is not the purpose of security - security is to prevent these things from happening in the first place.

Now, no security can be 100%, and standards such as ISO 27002, etc. are good guidelines - the question is how they are implemented in the infrastructure. Or, depending on the environment, PCI, etc., but as seen lately, you can be compliant and still not have very good security; security is much more than just standards, regulations, laws or policies!

posted June 7, 2008

Mohammad D.

Oracle Functional Consultant SCM/Financials


Well, of course choosing a standard is totally based on what environment you work in and what your requirements are.

In the health industry you can go with HIPAA.
SOX can also do good in your corporate environment.

I think in your case SANS best practices with a mixture of HIPAA and SOX will be a good option. You can also go with SANS and HIPAA to minimize the complexities a bit.

posted June 7, 2008