Information Security News mailing list archives

Congress to hear status report on Medicare's computer security


From: InfoSec News <isn () c4i org>
Date: Wed, 23 May 2001 01:50:21 -0500 (CDT)

http://www.nandotimes.com/technology/story/13270p-269250c.html

The Associated Press 

WASHINGTON (May 22, 2001 09:04 p.m. EDT) - Security experts will tell
Congress on Wednesday that the agency controlling Medicare lacks enough
computer security personnel to oversee the agency's many contractors
and maintain the integrity of its networks.

The Health Care Financing Administration contractors were "outright
obstructive to providing sound security," wrote Michael Neuman of En
Garde Systems of Albuquerque, N.M., in a prepared statement to
legislators. The testimony will be given to a House oversight
subcommittee looking into whether private medical information held by
the government is secure from hackers.

Medicare provided health insurance for about 39.5 million elderly and
disabled Americans at a cost of approximately $215 billion last year.

En Garde and other security companies were paid by HCFA to test its
computer networks between 1997 and 2001. All of the companies found
significant security weaknesses during their tests.

The oversight committee's chairman, James Greenwood, R-Pa., called for
the agency to do better.

"HCFA must improve the basics of security management," Greenwood said
in prepared remarks.

Neuman complained that it took HCFA a year of negotiations to lay down
the ground rules for their latest security test, and that En Garde was
not allowed to touch certain systems during its tests, making the test
results "unrealistic."

But even with the restrictions, En Garde had little trouble breaking
in.

"Using an extremely old, very well known vulnerability in the WWW
server software, we were able to gain access to HCFA's Web server
without any more technical expertise than it takes to point and
click," Neuman said.

From there, the security team could easily break into HCFA's internal
network. If a disgruntled former employee or outside hacker attacked
HCFA in the same way, Neuman said, it could put millions of medical
records and billions of dollars at risk.

Other security companies had similar experiences.

"In its attempts to successfully subvert several user and
administrator passwords, Allied Technology discovered blank, easily
cracked and poorly managed passwords, both from user and administrator
accounts," one report from a March 2001 test states, adding that no
security updates were found on HCFA's computers.

A representative from HCFA's inspector general's office, which serves
as a watchdog department, wrote to lawmakers that the agency is aware
of the problems. In February, the office cited 124 weaknesses on
government and contractor computers that left data about Medicare
recipients vulnerable.

The report listed faulty passwords, lack of security plans and other
problems at Medicare's central office.

But officials still have no idea if they've been attacked.

"While all of these weaknesses are troubling," wrote assistant
inspector general Joseph E. Vengrin, "we do not know whether the
resulting vulnerabilities have been exploited in terms of compromised
medical information, fictitious Medicare claims, diversion of taxpayer
dollars, or some other type of fraud or abuse by an 'insider' or a
hacker."

ISN is hosted by SecurityFocus.com
---
To unsubscribe email isn-unsubscribe () SecurityFocus com.