BreachExchange mailing list archives

Montana health data breach a textbook example of what not to do

From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 2 Jul 2014 19:12:51 -0600

http://www.healthcareitnews.com/news/montana-health-data-breach-textbook-example-what-not-do

When an organization experiences a major data breach and puts out a news
release, the point is to comfort people that the news isn't as bad as it
sounds. But at the same time, it's critical to be precise with language –
lest that organization be compelled to subsequently issue the dreaded,
"What we actually meant to say in Monday's statement…" statement.

With this in mind, consider the June 24 breach statement issued by the
Montana Department of Public Health and Human Services as the
quintessential example of what not to do in such a situation.

The statement about the incident, which notified some 1.3 million people
that their sensitive medical data might have been grabbed by cyberthieves,
started out by saying that state "officials said there is no knowledge that
information on the server was used inappropriately, or was even accessed."

But a few lines later, the statement noted that "an independent forensic
investigation determined a (state) computer server had been hacked. The
forensic investigation was ordered on May 15 when suspicious activity was
first detected by (state) officials."

Let's give MDPHHS a pass for using a statement from state officials that
references what "officials said." (Isn't the whole statement what officials
said?) Let's also skip by "computer server," as if a reference to simply a
"server" would have been interpreted to mean something else (a waiter or
waitress, perhaps?).

No, the issue here is that a forensic probe established that unauthorized
individuals had broken into the server, and yet they have no idea whether
"information on the server" had even been accessed. Isn't the very nature
of gaining access to a server proof of someone having access to the files?
If not, what does it mean?

In the larger world, this would be analogous to the U.S. State Department
confirming that agents from North Korea's Ministry of State Security had
broken into a locked file room, which at the time was filled with unlocked
file cabinets stuffed with secret documents.

Given that the agents were in the room for an extended period, they
certainly had access to those files. Does the government know for fact that
they looked? Technically, no. Realistically, why do you think intelligence
agents would break into a file room?

Back to Montana. Officials could have said they don't know precisely how
many files were accessed or copied – or, for that matter, altered or
deleted. But to say that the attackers had no access to the files seems
bizarre. How did the forensic team prove an intrusion if the attackers
didn't have access to files? Is the state saying that someone tried to get
through a firewall and failed? (Short answer: No, they're not saying that.)

It gets worse. Jon Ebelt, public information officer for Montana's
Department of Public Health and Human Services, clarified that the
"suspicious activity" referenced in the statement was that the cyberthieves
made a post on an unidentified website – a post that showed "evidence" of a
successful breach.

Ebelt wouldn't describe the nature of the evidence or the website,
including whether the attackers forwarded the link as an implied – or
direct – extortion attempt.

Presumably, "evidence" of a successful breach would be something that could
be seen internally, such as server names, some personal information about a
patient or a screen capture of some server activity. Wouldn't anything that
would serve as evidence of a breach also pretty much establish that the bad
guys had access to server data?

Ebelt emailed a clarification that the state did not "find evidence that
information was actually viewed or copied once the unauthorized entry
occurred."

First, that's not what the statement said. Second, does it make sense that
they would break in, post something that was "evidence" of the breach and
yet look at nothing?

Thus far, I've been reviewing the technical details of the statement and
trying to illustrate that it did more to confuse the issue than to clarify.
But this next comment from the statement, if believed to be truthful, is
rather infuriating:

"The state upgraded its property insurance policy in 2013 to include
cyber/data security coverage for incidents such as this one. The policy
provides coverage of up to $2 million to cover costs associated with the
toll-free Help Line, mailing notification letters, free credit monitoring
and other services. State officials expect the majority of costs associated
with this incident to be covered by insurance."

The line that's galling is the last one: "State officials expect the
majority of costs associated with this incident to be covered by insurance."

How are you defining the "majority of costs associated with this incident"?
How much for the lack of faith from your customers? How many potential
injuries or deaths because of people avoiding healthcare facilities thanks
to lost trust? How about the cost of upgrading security systems? Hiring
more IT security people?

This all assumes that records were merely copied. What if they were
altered? Will the insurance pay for staff to recheck every file before its
data is relied on for treatment decisions? Will most even have access to
paper records – assuming they still exist – that would allow for such
verifications?

The problem is that organizations today often wildly underestimate the cost
of such a breach, both direct and especially indirect. If state officials
really believe that some insurance policy will pay for most of it, they
need a lesson in true data breach costs. And in Montana, looks like they
are about to get one – the hard way.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
