Premera healthcare: US govt security audit gave hacked biz thumbs up

Serious doubt has been cast on the US government's data security regulations after Premera Blue Cross was declared secure by Uncle Sam – just months before the healthcare giant was ransacked for financial and medical information by hackers.

The biz underwent a computer security audit by a federal watchdog in January 2014, was told in April it needed to improve in a few areas, started making the necessary changes in June, and rounded off the year with an official mark declaring it compliant with the Health Insurance Portability and Accountability Act (HIPAA). HIPAA sets a national benchmark for safely handling electronic healthcare records.

Amid all this, Premera was secretly compromised in May by criminals, as revealed last week. Whatever changes were made after April may have been too late.

Premera was audited by Uncle Sam's Office of Personnel Management because the biz, based in Washington, is a healthcare provider to government staffers under the Federal Employees Health Benefits Act. The two-month review [PDF] spotted a couple of areas that needed addressing:

• Premera employees were not keeping up to date with security patches for their software, leaving computers vulnerable to attack.
• Sysadmins hadn't agreed on a "baseline" set of configuration settings to ensure all their systems were secure to the same standard, or better.

The auditors noted in their final report, dated November 28, 2014:

Premera has documented patch management policies and procedures. However, the results of the vulnerability scans indicate that critical patches, service packs, and hot fixes are not always implemented in a timely manner. Failure to promptly install important updates increases the risk that vulnerabilities will not be remediated and sensitive data could be breached.

Premera cannot effectively audit its server and database security settings without an approved baseline, as a baseline configuration is the benchmark for comparison. Failure to establish and routinely monitor approved system configuration settings increases the risk the system may not meet performance and security requirements defined by the organization.

Despite all that, Premera was declared to be compliant with the Health Insurance Portability and Accountability Act (HIPAA).

"Nothing came to our attention that caused us to believe that Premera is not in compliance with the HIPAA security, privacy, and national provider identifier regulations," the final report stated.

The report found some other areas of concern. Access to the firm's data center was key-card controlled, but lacked a second factor of authentication, such as biometrics, and there were no cameras pointing at the entrances to the server rooms, which could have spotted two people entering a door at the same time with only one set of credentials.

Flaws in the ability to reuse passwords were also noted. As for disaster planning, the auditors found Premera had a good recovery plan in place, but lacked a baseline configuration for its most important apps that would allow the information to be rebuilt after a meltdown.

The healthcare provider got hold of the OPM's draft audit report in April, and responded in June, saying all of the issues raised would be addressed by the end of the year, if not sooner. By then, however, it was too late – on May 5 hackers successfully got into the servers, and it wasn't until the following January that the hacking was noticed.

"It’s important to note that OPM’s audit found no concerns with Premera’s security management or compliance with HIPAA security standards," a company spokesperson told The Register.

Premera's people seem sure the inadequacies highlighted by the OPM in April were not exploited by hackers in May, but admitted the investigation into the compromise is still ongoing. Either crims made use of the vulnerabilities also found by the auditors, or they didn't and HIPAA's standards are so low they were unable to prevent the network intrusion, it appears to us.

"We found there is no evidence or indication that the cyber-attack on Premera was the result of any of the items identified in the OPM report. We’ve since implemented the steps we committed to take in our response. The source of the attack is still part of an ongoing FBI investigation," the spokesperson noted. ®