The Little Secret About InfoSec That No One Admits.
What the latest breach of PHI at UnityPoint Health tells us about the importance of a sound and comprehensive InfoSec program.
On July 31, 2018, UnityPoint Health reported that it had uncovered a massive breach of PHI, potentially affecting 1.4 million patients, resulting from a spear-phishing attack (also known outside security circles as "business email compromise").
Sadly, this wasn't the first time UnityPoint Health had been affected by this type of problem. It was the third!
In April, they announced breaches that occurred in November of 2017, and then again in February of 2018. Those incidents affected approximately 16,000 patients, but the latest breach of 1.4 million is massive even by OCR standards. According to the results of a study conducted by the Ponemon Institute/IBM Security (2018 Cost of a Data Breach Study), the healthcare industry has the highest breach costs, at an average of $408 per record.
This year's study showed that the average cost of a data breach has risen to $3.86 million for a breach of up to 100,000 records. For the first time, the study investigated the cost of 'mega' data breaches – those that involve the exposure of more than 1 million records. The cost of resolving these mega data breaches was estimated to be $40 million when more than 1 million records have been exposed.
Clearly, it makes you wonder what security protocols were followed after the first two breaches, and it calls into question the effectiveness of those controls, as the issue continues to escalate.
This piece is not an attempt to conduct a forensic evaluation of these incidents; it is intended to remind us of the importance of taking data security seriously. Really, seriously! $40 million worth.
In a conversation this week with a large security appliance vendor, which also happens to be a partner of ours, I discussed this very issue. The consensus was that UnityPoint Health likely has robust firewalls, the best hardware, current disaster recovery plans and procedures, and the latest routing and switching gear from leading vendors. What it appears they didn't have was sufficient and regular training of their staff to prevent such attacks from becoming incidents. In other words, this was probably preventable!
At CloudSkope, we advise our clients to start with baselines for every point in their network: applications, infrastructure, data flows, and a comprehensive mapping of their entire physical, logical, and technical footprint. We follow (among other things) the NIST Framework and other protocols commonly used by the DoD in securing critical assets. Anything less is pointless.
The other thing companies should accept is that most tools implemented by internal security staff are almost never fully configured and generate tons of noise that must be filtered by someone. Most companies do not have access to their own 24/7 SOC where engineers are constantly parsing data to prevent, not just report, breaches.
With the emergence of leading vendors like Armor Cloud Security (armor.com), AlertLogic (alertlogic.com), and others that provide cutting-edge, comprehensive 24/7 SOC services in a SaaS pricing model, the excuses for not using them are pretty much zero!
The secret that the title of this piece refers to is a simple fact: in an internally implemented security model, all you're getting with tools is the ability to know that something has already occurred on your network.
In other words, it's after the fact! The damage is done! Not before. No matter what any log or SIEM vendor tells you, this is a simple fact. The only real way to have a chance at prevention is to use a competent platform and a managed SOT (Security Operations Team) that is parsing the billions of lines of logs to generate alerts on only what's important to worry about, in real time!
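What "filtering the noise" and "alerting only on what matters" look like in practice, as an added example that is not part of the original post and not code from CloudSkope, Armor, AlertLogic or any SIEM product. It takes a constructed stream of tool events (all users, addresses, timestamps and thresholds are invented), collapses the high-volume low-value events into one summary line, and correlates per-user events so that the two patterns behind a business email compromise (a failed-login burst followed by a success from an outside address, and a phishing report followed by a new inbox rule) surface as single high-severity alerts. The rule names, the 30-minute window and the "internal" address prefix are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta


# Constructed sample events (all names, IPs and timestamps invented), in the
# shape a SIEM forwarder might emit: timestamp, source tool, event kind,
# affected user and source IP.
def _ev(ts, src, kind, user=None, ip=None):
    return {"ts": datetime.fromisoformat(ts), "src": src, "kind": kind,
            "user": user, "ip": ip}


SAMPLE_EVENTS = (
    # 200 perimeter scan hits from one address: high volume, low value
    [_ev(f"2018-07-20T09:{m:02d}:{s:02d}", "firewall", "port_scan", ip="203.0.113.5")
     for m in range(10) for s in range(0, 60, 3)]
    + [
        _ev("2018-07-20T09:05:00", "mailgw", "phish_reported", user="jdoe"),
        _ev("2018-07-20T09:06:10", "idp", "login_failed", user="jdoe", ip="198.51.100.7"),
        _ev("2018-07-20T09:06:15", "idp", "login_failed", user="jdoe", ip="198.51.100.7"),
        _ev("2018-07-20T09:06:20", "idp", "login_failed", user="jdoe", ip="198.51.100.7"),
        _ev("2018-07-20T09:06:40", "idp", "login_success", user="jdoe", ip="198.51.100.7"),
        _ev("2018-07-20T09:09:00", "mailgw", "inbox_rule_created", user="jdoe"),
        _ev("2018-07-20T09:30:00", "idp", "login_success", user="asmith", ip="10.0.0.12"),
    ]
)

WINDOW = timedelta(minutes=30)        # hypothetical correlation window
NOISE_KINDS = {"port_scan"}           # summarised, never paged on
FAILED_LOGIN_THRESHOLD = 3            # hypothetical tuning knob
INTERNAL_PREFIXES = ("10.",)          # hypothetical "known-good" address space


def is_external(ip):
    return ip is not None and not ip.startswith(INTERNAL_PREFIXES)


def triage(events, window=WINDOW):
    """Return the alerts a human should see, in time order.

    High-volume noise is collapsed to one summary line per (kind, source IP).
    Account events are correlated per user within the window so that a
    failed-login burst followed by an external success, or a phishing report
    followed by a new inbox rule, becomes one high-severity alert instead of
    being lost among hundreds of unrelated lines."""
    alerts = []
    noise = defaultdict(list)         # (kind, ip) -> timestamps seen
    per_user = defaultdict(list)      # user -> events inside the window
    flagged_users = set()             # users with a prior takeover alert

    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] in NOISE_KINDS:
            noise[(ev["kind"], ev["ip"])].append(ev["ts"])
            continue
        user = ev["user"]
        if user is None:
            continue
        # Keep only this user's events still inside the correlation window.
        recent = [e for e in per_user[user] if ev["ts"] - e["ts"] <= window]
        recent.append(ev)
        per_user[user] = recent

        if ev["kind"] == "login_success" and is_external(ev["ip"]):
            failures = sum(1 for e in recent if e["kind"] == "login_failed")
            if failures >= FAILED_LOGIN_THRESHOLD:
                flagged_users.add(user)
                alerts.append({"severity": "high", "rule": "possible_account_takeover",
                               "user": user, "ip": ev["ip"], "ts": ev["ts"],
                               "detail": f"{failures} failures then success from external IP"})
        elif ev["kind"] == "inbox_rule_created":
            phish = any(e["kind"] == "phish_reported" for e in recent)
            if phish or user in flagged_users:
                alerts.append({"severity": "high", "rule": "possible_bec_mailbox_compromise",
                               "user": user, "ip": ev["ip"], "ts": ev["ts"],
                               "detail": "inbox rule created after phishing report or suspicious login"})

    # One informational summary per noise source, instead of one line per hit.
    for (kind, ip), stamps in noise.items():
        alerts.append({"severity": "info", "rule": f"{kind}_summary", "user": None,
                       "ip": ip, "ts": stamps[-1],
                       "detail": f"{len(stamps)} events between {stamps[0]} and {stamps[-1]}"})
    return sorted(alerts, key=lambda a: a["ts"])


if __name__ == "__main__":
    print(f"{len(SAMPLE_EVENTS)} raw events")
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a['severity']:4}] {a['ts']} {a['rule']} user={a['user']} ip={a['ip']} :: {a['detail']}")
```

Run as-is, the 207 raw events reduce to three lines: two high-severity alerts on the same user and one summary of the scanning noise. The point of the two halves is different: suppression (the summary) is what stops a tool from drowning the analyst, and correlation (the per-user window) is what turns individually unremarkable events into something worth acting on while the attacker is still in the mailbox. Real SIEM and SOC platforms express the same ideas as correlation rules and suppression lists; the thresholds and window here are the knobs that someone has to actually tune.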
CloudSkope recommends that companies follow a true defense-in-depth strategy, which includes the 4 Ps of InfoSec:
3. Procedures (Process)
We also recommend starting with a comprehensive NIST-based audit that looks at assets through the lens of the CIA framework (the confidentiality, integrity, and availability of your data) as it relates to the 4 Ps.
Tools can only go so far in preventing an attack: they tell you that something has already occurred, after the fact. When vendors like Armor provide you a SaaS model that gives you a team that proactively prevents this problem, the budget excuse just does not work anymore.