The OPM and UCLA breaches: 5 lessons learned

In April 2015, officials at the United States Government's Office of Personnel Management (OPM) discovered that their computer systems had been systematically compromised.

The criminals stole more than 20 million individual records, including demographics, social security numbers, addresses, and fingerprints. Recovery – if it is even possible – will be prolonged and extensive, and would be ruinous to any organization smaller than the federal government.

In July 2015, just as the initial OPM uproar was subsiding, UCLA Health (UCLA) announced that their internal networks had been compromised and up to 4.5 million patients' data may have been affected. UCLA called it a "criminal cyber attack" and has said there is no specific evidence that records were actually accessed. The echoes of the OPM breach are notable: prolonged access by unknown actors, large data sets exposed to copying and manipulation, and red-faced administrators forced to publicly admit failure.

On the heels of these security breaches came an avalanche of reports highlighting the issues that may have led to the breaches and disclosing largely ignored audit findings that, if addressed properly, might have mitigated or entirely prevented the losses. These key lessons provide valuable insight to health systems trying to improve their security.

Lesson 1: It can happen to you.
Security compromise can happen to anyone. All it takes is a sense of invulnerability, a belief that it's all covered, and a willingness to let expediency rule common-sense security practices. Every health system should carefully review their operations to look for risk factors. Outsourced administration? Poor credential management? Too many people with too much access? Not enough attention to logs? No defense in depth? Any of these opens a hole. Too many of these pave the way to security disaster.

Lesson 2: Systems fail at their weak points, not their strong points.
Contrary to Hollywood legends, security breaches aren't usually done by sophisticated hackers cracking the latest encryption, reading signals from remote locations, or breaking biometric authentication. Often critical systems are entered and sensitive data is stolen very simply, through compromised user credentials or stolen computers. No technology makes breaches "impossible": even if the technology works exactly as advertised it closes a single hole, and often not a particularly important one. Security efforts must uncover the weak points, starting with the most likely ones, not the easiest to close. Once found, weak points must be rapidly secured and the search must continue.

Lesson 3: The weakest IT security point in any organization is the authorized user.
In a typical large healthcare organization, thousands of users have access to medical records and, of those, dozens have access to critical data. Any user can be the deliberate or inadvertent point of entry for a breach. For example, of the 16 data breaches publicly penalized in California in the first half of 2015, eleven involved deliberate user misuse of EHR data. This appears to be consistent with other breach reports across the country: it is the user, not the hacker, to fear. People with valid user credentials are already inside the system, in an ideal place to steal or alter data. Obtaining those credentials is often a matter of stealing a badge, a user name, a password, or a PIN. Any system must, while allowing normal use, allow for the probability that trusted credentials may be used with malign intent. And in today's highly networked healthcare world, the challenges multiply: vendors, contractors, and remote workers all present special management concerns.

Lesson 4: Defense in depth – prevention and detection – is crucial.
The OPM had a hardened perimeter, with multiple levels of access control. Once inside the OPM network, however, controls and security were much weaker than at the public interfaces. The crucial lesson for healthcare is this: convenience always creates risk. Prevention doesn't stop when a user provides a password. Single sign-on is a great thing, but each new level of access (and especially unusual access like bulk data extraction) must require a new level of authentication.

Active management in this area is vital. Detection of anomalous access is just as important as prevention. UCLA, in stark contrast to the OPM, may have prevented a great deal of damage in this way. Intrusion detection is challenging, because a huge number of benign events must be filtered to find a small signal of hostile intent. But with appropriate monitoring, triage, and rapid response, a strong IT organization can manage a great deal.
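As an added illustration of the detection side of this lesson (example code written for this page, not from the article or from either organization): a small Python check that flags a user touching an unusually large number of distinct patient records within a short window, the bulk-extraction pattern singled out above. The log format, user names, threshold and window length are constructed assumptions, not any real system's policy.

```python
# Added example, not from the article: flag bulk record access in
# constructed EHR audit log lines. Format and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <action> <patient_id>"
SAMPLE_LOG = """\
2015-07-01T08:00:05 nurse01 VIEW P1001
2015-07-01T08:03:40 nurse01 VIEW P1002
2015-07-01T09:00:00 clerk07 VIEW P2001
2015-07-01T09:00:30 clerk07 EXPORT P2002
2015-07-01T09:01:00 clerk07 EXPORT P2003
2015-07-01T09:01:30 clerk07 EXPORT P2004
2015-07-01T09:02:00 clerk07 EXPORT P2005
2015-07-01T09:02:30 clerk07 EXPORT P2006
2015-07-01T10:00:00 dr_lee VIEW P3001
2015-07-01T10:25:00 dr_lee VIEW P3002
2015-07-01T10:50:00 dr_lee VIEW P3003
2015-07-01T11:15:00 dr_lee VIEW P3004
2015-07-01T11:40:00 dr_lee VIEW P3005
"""

BULK_THRESHOLD = 4              # distinct patients per window (assumed)
WINDOW = timedelta(minutes=10)  # sliding window length (assumed)

def parse_log(text):
    """Parse log lines into (timestamp, user, action, patient) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, action, patient = line.split()
        events.append((datetime.fromisoformat(ts), user, action, patient))
    return events

def find_bulk_access(events, threshold=BULK_THRESHOLD, window=WINDOW):
    """Return {user: peak distinct patients in any window} for users over
    the threshold; a normal patient load stays under it, bulk export does not."""
    by_user = defaultdict(list)
    for ts, user, _action, patient in sorted(events):
        by_user[user].append((ts, patient))
    flagged = {}
    for user, hits in by_user.items():
        peak, start = 0, 0
        for end, (ts, _) in enumerate(hits):
            while ts - hits[start][0] > window:   # slide window forward
                start += 1
            peak = max(peak, len({p for _, p in hits[start:end + 1]}))
        if peak > threshold:
            flagged[user] = peak
    return flagged
```

Note that dr_lee touches five patients, more than the threshold, but spread across two hours, so the sliding window keeps that normal workload out of the alert while the six-record burst from clerk07 is flagged.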

Lesson 5: Common sense is the best defense.
The OPM and UCLA breaches – and myriad others – remind us that risk is everywhere. Since fully mitigating risk is not possible, and making technology hugely inconvenient is not an option, common-sense policies for managing security are needed. These defense strategies include:
• Requiring that systems be kept at the latest patch level;
• Granting the minimum necessary access, revoking access when the need ends, and monitoring the use of access;
• Making access convenient enough to discourage security-breaching workarounds (such as written-down passwords);
• Installing and maintaining systems that are engineered for security;
• Conducting regular audits and security reviews, and responding promptly to the issues identified.

Health systems have been offered valuable lessons in the OPM and UCLA Health breaches. Now, the challenge is to learn from them.

Dick Taylor, MD, is Executive Vice President and Chief Medical Officer for Medsys Group. In his position, Dr. Taylor focuses on aligning strategic IT efforts with the clinical and operational ownership needed to capture permanent and positive changes within healthcare institutions.

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.
