[BreachExchange] To Protect Data: Keep Your Network Access Close, and Your Vendors Closer

Audrey McNeil audrey at riskbasedsecurity.com
Tue Aug 9 19:25:25 EDT 2016


http://www.natlawreview.com/article/to-protect-data-keep-your-network-access-close-and-your-vendors-closer

Two recent data breach incidents in the healthcare industry prove what
readers of this blog have heard all too often: KNOW THY VENDORS.

Last week, Phoenix-based Banner Health reported one of the year’s largest
data breaches. Banner reported that it had suffered a massive cyberattack
potentially affecting the information of 3.7 million patients, health plan
members and beneficiaries, and providers. This attack is notable for all
companies, not just healthcare providers covered by HIPAA. Reportedly,
the attackers gained access to the larger systems through the
point-of-sale computer system that processes food and beverage purchases
in the Banner system. The attack was discovered on July 13, and Banner
believes the hackers originally gained access on June 17.

Many companies, particularly hospitals, have only a perimeter firewall to
provide protection for access into and out of the core network. It is
less common for companies to have multiple layers of security protecting
individual systems operating “inside the firewall”. Readers will recall that
the main route for the Target hackers into the system was through a small
vendor. The “kill chain” analysis of the Target matter is still highly
recommended reading on this topic. At Banner, once the hacker
was into the food and beverage system (maintained by a separate vendor),
the gate was opened to the entire system’s network. This is yet another
example of the importance of data mapping and systems mapping to locate,
identify and protect the core systems where protected health information
(or other critical information) is stored. This exercise adds
visibility into those devices not necessarily controlled by the institution
and allows further controls to be applied to them. Flat networks and broad
access can easily allow the bad guys to roam freely once in the door.

Example #2 is an attack reported on NewKirk Products, a vendor providing
identification cards for insurance plans. On July 6, NewKirk reportedly
discovered that a server containing broad categories of PII of 3.3 million
members of insurance plans was accessed without authorization.

Affected insurers include Blue Cross and Blue Shield of Kansas City, Blue
Cross Blue Shield of North Carolina, HealthNow New York, BlueCross
BlueShield of Western New York, BlueShield of Northeastern New York,
Capital District Physicians’ Health Plan, Gateway Health Plan, Highmark
Health Options, West Virginia Family Health, Johns Hopkins Employer Health
Programs, Priority Partners Managed Care Organization and Uniformed
Services Family Health Plan. According to NewKirk, no payer systems were
affected.

If your business has not undertaken a comprehensive review of the
third-party vendors that have access to your network, a starting place is a
review of our webinar on third-party risk and risk assessments.