[BreachExchange] Vendor's Ex-Employee Allegedly Shut Down Medicaid System

Audrey McNeil audrey at riskbasedsecurity.com
Mon Oct 2 20:07:34 EDT 2017


https://www.databreachtoday.com/vendors-ex-employee-allegedly-shut-down-medicaid-system-a-10347

A federal criminal case alleges that a former Hewlett-Packard Enterprise
Corp. employee shut down Oregon's Medicaid information systems for several
hours after the vendor laid him off.

Some security experts caution organizations to take steps to minimize risks
from workers who are laid off or fired.

"When an employee is suddenly fired, a few minutes of unfettered access to
information systems can lead to a lot of damage," says privacy attorney
Adam Greene of the law firm Davis Wright Tremaine.

'Intentional Damage'

In indictment papers filed in U.S. district court, prosecutors allege that
Hossein Heydari - a resident of Maryland and former employee of HPE who was
assigned to work on the Medicaid management information systems for Oregon
and three other states - intentionally caused damage to Oregon's MMIS after
he was laid off from his job as part of a workforce reduction.

Prosecutors allege that as part of his job duties - which are not specified
in the indictment - Heydari had access to the servers that hold MMIS data.
Court documents do not name the three other states where Heydari was
working on Medicaid systems.

The indictment alleges that on or about Oct. 14, 2016, HPE informed Heydari
that, as part of a workforce reduction, his last day of employment would be
Oct. 28, 2016.

About three days after his last day of employment, the defendant
"intentionally altered part of the MMIS, causing it to fail and resulting
in an eight-hour loss of functionality for Oregon's MMIS system and its
users," prosecutors allege.

The indictment charges that Heydari "knowingly caused the transmission of a
program, information, code and command, and, as a result of such conduct,
intentionally caused damage without authorization to protected computers."
Prosecutors allege the conduct caused:

- More than $5,000 in expenses for the Oregon Health Authority, which
operates the state's Medicaid program, and for HPE;
- The impairment of the medical examination, diagnosis, treatment or care
of individuals; and
- A threat to public health.

Not Guilty Plea

Heydari on Sept. 28 pleaded not guilty to one count of "fraud and related
activity in connection with computers," according to court documents, which
also indicate that Heydari is indigent and represented by a public defender.

The defendant surrendered in late August after a warrant was issued for his
arrest. On Thursday, he was released with several conditions, including the
surrender of his passport, cooperating with collection of a DNA sample, and
participating in mental health evaluation and counseling if directed by
court pre-trial services, prosecutors say.

A jury trial is slated to start in the Oregon federal court on Nov. 28.

In a statement, the Oregon Health Authority tells Information Security
Media Group: "In the year since this happened, we have worked closely with
our vendor to ensure we have the appropriate processes and protocols in
place for vendor staff who have the highest levels of security."

Neither the public defender representing Heydari nor the federal prosecutor
in the case against Heydari immediately responded to ISMG's requests for
comment on the case.

An HPE spokeswoman declined to comment, saying the case related to part of
the business that was spun off and became DXC Technology.

DXC Technology did not immediately respond to ISMG's inquiry. In a DXC
Technology press release issued in April, however, it notes that it
officially launched as a business in April 2017 as the result of a merger
between HPE and Computer Sciences Corp. So, it appears that the alleged
incident involving Heydari occurred before the HPE spin-off.

Mitigating Risks

Greene, the attorney, says the IT and human resources departments of
organizations should work closely together to address the risk to
information systems posed by the firing or laying off of workers.

"While most employees who are terminated would never act to harm the
organization, and all employees should be treated with respect and
compassion, organizations should at least consider the increased risks
posed during layoffs and other terminations," he says.

Consultant Rebecca Herold says too many organizations "have very lax, or
completely missing, offboarding security policies and practices. Too many
miss disconnecting all remote access to IT that executives and other
workers have. ... It is a huge human-failure-made security risk.

"From the details shared, this situation could have been completely
prevented," says Herold, president of Simbus, a privacy and cloud security
services firm, and CEO of The Privacy Professor consultancy.

The Oregon Medicaid case spotlights the importance of quickly taking action
when employees - especially those with privileged access - leave their
jobs, says Susan Lucci, a senior consultant and chief privacy officer at
security consulting firm Just Associates.

"When any IT worker in authority to access information like this is
terminated, access should be terminated with simultaneous changes made
immediately to lock them out of all points of access," she says. "This is
particularly crucial due to their permissions level to create, modify and
delete access points."

The three-day lag between Heydari's last day of employment and the date
that the alleged incident took place is a reminder why organizations need
to shut off access to data and systems promptly following the departure or
notice of termination of an employee, Lucci stresses. "Best case, it
happens at the exact time the employee is being terminated," she says.

It's relatively unusual for insider cases like the Oregon Medicaid case to
be prosecuted, Lucci adds. "Too many cases of hacking interference go
unresolved because tracing these activities is extremely difficult, and
therefore the culprits are not brought to justice," she says.

The incident should prompt the state of Oregon to more rigorously vet their
business associates, Lucci stresses.

Other Steps to Take

Herold suggests that organizations take a number of critical steps to
reduce the risk posed by terminated employees, including:

- Remove the worker's access to administrative accounts and disable their
access to sensitive systems and applications, personal information files
and other types of critical business assets;
- Review all user accounts to confirm that each one is still valid and
still needed;
- Turn on logging for all accounts the worker used, to ensure that no one
re-enables them after they have been disabled;
- Collect from departing employees any physical security access tokens,
keys, or other entry devices;
- Advise management, and in appropriate instances the terminated worker's
team members, that they should discontinue providing any business-related
information or access to the former employee.
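
The checklist above, together with Lucci's point that a privileged worker
can create, modify and delete access points, lends itself to a check that
is run at the moment of termination and again a few days later. What
follows is an added example written for this post; it is not code from the
article, from DataBreachToday, or from any of the consultants quoted. The
account inventory, the audit-log format (ISO-8601 timestamp, an ACTION
word, then key=value fields), the ACCOUNT_* action names, the identities
(jdoe, jdoe-adm, svc-nightly, hr-offboard) and the 14-day notice window are
all constructed assumptions for illustration; map them onto whatever your
directory and audit source actually emit.

```python
"""Verify a departed worker's access is really gone.

Given an account inventory and an audit trail, report:
  1. accounts tied to the worker that are still enabled;
  2. re-enablement of any of those accounts after the cutoff;
  3. accounts the worker created during the notice period, since a
     privileged user can mint an extra way back in before leaving;
  4. any activity by those accounts after the cutoff.
"""
from datetime import datetime, timedelta


def parse_event(line):
    """Parse one constructed 'ISO-8601 ACTION key=value ...' audit line."""
    ts, action, *kvs = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "action": action}
    for kv in kvs:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def offboarding_report(accounts, log_lines, worker, last_day, notice_days=14):
    """Findings for one departed worker.

    accounts:    {name: {"owner": identity, "enabled": bool}}
    log_lines:   audit lines in the format parse_event() understands
    worker:      identity whose accounts must all be disabled
    last_day:    cutoff after which no access or activity should exist
    notice_days: assumed length of the notice period to scan for accounts
                 the worker created (an assumption, not a stated policy)
    """
    events = sorted((parse_event(line) for line in log_lines), key=lambda e: e["ts"])
    owned = {name for name, acct in accounts.items() if acct["owner"] == worker}
    notice_start = last_day - timedelta(days=notice_days)

    # Accounts created by any of the worker's identities during the notice period.
    created = {
        e["target"] for e in events
        if e["action"] == "ACCOUNT_CREATE" and e.get("actor") in owned
        and notice_start <= e["ts"] <= last_day
    }
    suspect = owned | created  # every account to treat as the worker's

    return {
        "still_enabled": sorted(
            n for n in suspect if accounts.get(n, {}).get("enabled")),
        "reenabled_after_cutoff": [
            (e["ts"].isoformat(), e["target"], e["actor"]) for e in events
            if e["action"] == "ACCOUNT_ENABLE" and e.get("target") in suspect
            and e["ts"] > last_day],
        "created_during_notice": sorted(created),
        "activity_after_cutoff": [
            (e["ts"].isoformat(), e["actor"], e["action"]) for e in events
            if e.get("actor") in suspect and e["ts"] > last_day],
    }


# Constructed sample data (not from the case): a vendor engineer "jdoe" with
# a personal login and an admin alias; the alias created a service account
# shortly before the last day, and that account later re-enabled the alias.
ACCOUNTS = {
    "jdoe":           {"owner": "jdoe",       "enabled": False},
    "jdoe-adm":       {"owner": "jdoe",       "enabled": True},
    "svc-nightly":    {"owner": "vendor-ops", "enabled": True},
    "svc-mmis-batch": {"owner": "vendor-ops", "enabled": True},
}
LOG = [
    "2017-06-02T11:05:00Z ACCOUNT_CREATE actor=jdoe-adm target=svc-nightly",
    "2017-06-09T16:55:00Z ACCOUNT_DISABLE actor=hr-offboard target=jdoe",
    "2017-06-09T16:55:05Z ACCOUNT_DISABLE actor=hr-offboard target=jdoe-adm",
    "2017-06-12T02:14:00Z ACCOUNT_ENABLE actor=svc-nightly target=jdoe-adm",
    "2017-06-12T02:20:00Z LOGIN actor=jdoe-adm src=198.51.100.7 result=success",
    "2017-06-12T02:31:00Z CONFIG_CHANGE actor=jdoe-adm target=mmis-app-01",
]
LAST_DAY = datetime(2017, 6, 9, 17, 0, 0)

if __name__ == "__main__":
    import json
    print(json.dumps(offboarding_report(ACCOUNTS, LOG, "jdoe", LAST_DAY), indent=2))
```

Run on the constructed data, the report shows what a check limited to the
worker's primary login would miss: the admin alias is enabled again, it was
re-enabled by a service account the alias itself created during the notice
period, and both accounts were active after the cutoff. Running the same
report on day zero and again after the lag the article describes is the
practical form of the "turn on logging" item in the list above.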

Herold adds these caveats regarding employees who work remotely or from
home.

"I recommend you include a right to audit that remote office to determine
the information and devices they have that belong to the organization, and
to immediately collect them upon making the decision to terminate the
worker," she says.

If this is not possible, Herold suggests requiring the installation of
remote data wiping tools and then using them upon employee termination.