Medical Supply Firm Hacked; Log Review Key to Detection
Second Largest Business Associate Breach Reported So Far This Year
A hacking incident at a Nebraska-based medical supply company that affected more than 21,000 individuals ranks as the second largest business associate health data breach reported so far this year to federal regulators.
The incident offers a reminder of the potential risks third parties pose to patient data and highlights the value of log reviews in detecting intrusions.
In a breach notice, CBS Consolidated Inc., which does business as Cornerstone Business & Management Solutions, says that on July 10, during a routine review of systems logs, the company discovered an account on its server that it did not recognize. The company says it determined the account was downloading information stored on the server, including personal information about patients using its medical supplies.
The exposed information includes names, addresses, dates of birth, and insurance information, "which may include a Social Security number if you had coverage through Medicare for the durable medical equipment and supplies," the company says.
Cornerstone says that when it discovered the intrusion, it immediately locked the server and isolated it from its network. "We were able to restore our system using unaffected backup copies and continue providing services to patients," the company says in its notice. "We have been monitoring the system, and to date, we have found no evidence of any recurrence of the incident. We are still investigating the incident to determine how the account accessed our system."
The company also says it's identifying ways to increase its security measures to prevent future incidents. These measures include new administrative safeguards, such as developing additional policies and procedures and further training of its staff, as well as implementing additional technical safeguards.
Cornerstone is offering affected individuals 12 months of free credit and identity theft monitoring.
The company did not immediately respond to Information Security Media Group's request for additional information about the breach.
Business Associate Risks
The incident at Cornerstone serves as a reminder for all covered entities about the risk business associates can pose to patient information.
"Covered entities should step up their examination of their business associates' HIPAA compliance levels," says Susan Lucci, senior consultant and chief privacy officer at the security consultancy Just Associates.
"This not only gives [covered entities] a greater sense of trust that their protected health information is being adequately protected, it also raises the bar for all business associates to be sure they are doing all they can to have a rock-solid compliance program."
Business associates will always introduce some level of risk to covered entities, notes Keith Fricke, principal consultant at tw-Security. "CEs should be assessing risk of their BAs as best they can," he says. "It may not be reasonable for a CE to assess all its BAs. Therefore, a good rule of thumb is to start with assessing BAs that manage a large amount of the CE's PHI or have remote access into the CE."
Other BA Breaches
The Cornerstone breach was reported to the U.S. Department of Health and Human Services on Sept. 5 as a hacking incident affecting 21,856 individuals. The only larger breach involving a business associate that's been added to the HHS tally so far this year is an unauthorized access/disclosure incident reported on June 27 by Indiana-based Enterprise Services LLC, affecting about 56,000 individuals.
As of Sept. 19, 15 data breaches involving business associates, affecting a total of 183,000 individuals, have been reported this year, according to the HHS' HIPAA Breach Reporting Tool website. Commonly called the "wall of shame," the website lists health data breaches affecting 500 or more individuals.
Since September 2009 when HHS began keeping track, 315 major breaches involving business associates, affecting a total of nearly 26.2 million individuals, have been reported to HHS. That's about 15 percent of the total 2,060 breaches reported to date.
The largest BA-related breach to date involved Science Applications International Corp. That September 2011 incident involved the theft of unencrypted backup computer tapes containing information on about 4.9 million individuals.
The Value of Analyzing Logs
The Cornerstone breach points to the value of reviewing system logs to identify intrusions, says Lucci, the consultant.
"My perspective on this is that log review is an essential component of being on guard for inappropriate activity," she says. "Part of an intrusion detection program includes monitoring networks and management systems and logs more frequently. Policy should support the frequency of review and new 'accounts' that were not set up by a system administrator should be identified the same day."
Kate Borten, president of the privacy and security consultancy The Marblehead Group, offers a similar perspective. "Not only is user account review a good practice, but also the HIPAA Security Rule requires CEs and BAs to periodically review all computer accounts that could give access to PHI," she notes. "It is not clear whether this BA [Cornerstone] routinely reviews all its accounts, but such a process would have identified and disabled the account and should have led to an investigation as to how the account had been created. Unfortunately, user account review is often overlooked or done so infrequently that it loses some value."
Every organization should implement a regular procedure for reviewing all computer accounts, not just those giving direct access to PHI, Borten stresses. "Every account should be verified as legitimate, whether for an individual or a process. Further, the access permissions associated with each account also should be verified as the minimum necessary."
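The kind of routine account review Lucci and Borten describe can be scripted. The following is an added example, not code from the article or from Cornerstone: it reconciles a constructed baseline of approved accounts against a constructed /etc/passwd snapshot and constructed auth-log lines, flagging accounts nobody approved, accounts holding root-level privilege their role does not call for, and same-day account creations that no administrator set up. The account names, hostnames and log lines are all hypothetical.

```python
import re

# Constructed baseline of approved accounts: name -> whether UID 0 (root-level)
# privilege is part of the approved role. Anything not listed is unrecognized.
APPROVED = {
    "root": True,      # the system account itself
    "jdoe": False,     # named system administrator; uses sudo, not UID 0
    "billing": False,  # service account for the billing process
}

# Constructed /etc/passwd snapshot (name:x:uid:gid:gecos:home:shell).
PASSWD_SNAPSHOT = """\
root:x:0:0:root:/root:/bin/bash
jdoe:x:1001:1001::/home/jdoe:/bin/bash
billing:x:1002:1002::/srv/billing:/usr/sbin/nologin
svcbak:x:0:1003::/home/svcbak:/bin/bash
"""

# Constructed auth-log lines in the shape useradd writes via syslog,
# plus one unrelated sshd line the parser must ignore.
AUTH_LOG = """\
Jul 01 09:31:55 srv01 useradd[2201]: new user: name=billing, UID=1002, GID=1002, home=/srv/billing, shell=/usr/sbin/nologin
Jul 09 02:14:07 srv01 useradd[4412]: new user: name=svcbak, UID=0, GID=1003, home=/home/svcbak, shell=/bin/bash
Jul 09 02:14:09 srv01 sshd[4420]: Accepted password for svcbak from 203.0.113.7 port 51022 ssh2
"""

NEW_USER_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ useradd\[\d+\]: "
    r"new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+)")

def review_accounts(passwd_text, approved=APPROVED):
    """Check every account on the host against the baseline: is it legitimate,
    and does it hold only the privilege its role needs? Returns (reason, name)."""
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        name, _, uid, *_ = line.split(":")
        if name not in approved:
            findings.append(("unrecognized_account", name))
        if int(uid) == 0 and not approved.get(name, False):
            findings.append(("excess_privilege", name))  # UID 0 is root-equivalent
    return findings

def account_creation_events(log_text, approved=APPROVED):
    """Surface 'new user' events from the auth log so an account no administrator
    set up is caught the same day it appears, not at the next periodic review."""
    events = []
    for line in log_text.splitlines():
        m = NEW_USER_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "name": m["name"], "uid": int(m["uid"]),
                           "approved": m["name"] in approved})
    return events

def daily_review():
    """One review run over the constructed data; returns everything worth a ticket."""
    created = [e["name"] for e in account_creation_events(AUTH_LOG) if not e["approved"]]
    return {"findings": review_accounts(PASSWD_SNAPSHOT), "unapproved_creations": created}
```

A real deployment would read the live passwd file and the day's auth log and keep the baseline in version control, so every change to it is itself reviewed.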
A Big Job
The volume of log entries generally is far too large for manual review, Fricke says. "Even if they could keep up, it has to be a 24x7 job. The recommendation is to outsource log review to a company that has the technology and staffing to review logs and, more importantly, respond to automated alerts," he says.
Preventing intrusions such as what Cornerstone experienced "goes back to the basics - patch vulnerable systems and use defense-in-depth strategies to reduce the likelihood of unauthorized access," Fricke notes. "Given there was an unknown account found on the server, the intruder found a way to access the server, elevate privileges on the server and create the account in the same way an authorized system administrator would."