LOL. I have no background in infosec, so I was hoping to get some input on a very strange thing that has come up involving my local health service provider.

Any input would be swell!

-

A case study on how to screw up big time

Consider the following scenario:

  1. A health service provider has been operating a non-production environment populated with over 5 million identifiable patient records.
  2. They use the non-production environment for training, and they are the only provider in their state not to have a dedicated training environment for these purposes.
  3. They used the non-production environment to train about 25,000 people on how to utilise their eMR. The training included learning how to search for patient records.
  4. During the training, they handed out throwaway login credentials, e.g. user101:password101, that weren't linked to any user.
  5. All their access logs prior to, say, 2015 are missing because they had accidentally disabled the logging functionality.
  6. They never audited the system. This is a shame, because had they bothered to do so once in a while, they would have seen how monumentally they had screwed up.

The funniest thing is that, from the Chief Executive on down, the agency claims that it has been in full compliance with the privacy legislation.

1. What is the most serious thing that has been done?

I think disabling the access logs is the worst in tandem with the use of throwaway login credentials.

2. If this has happened, what would you look for if you were given an opportunity to search the crawlspace?

As I know very little about infosec, these are my thoughts. The next step would be to determine if the non-production environment was remotely accessible, whether 2FA was required, and if health records could be exported remotely. My thinking is that if this has happened, someone could remotely access the environment and create a dump of the health information, with no trace of this having happened, due to the absence of logs.

I also think that if they handed out user101:password101, then this is something the IT Department also did.

3. How serious is this in terms of frequency?

I have asked a friend who works in the financial sector and he said he has never heard of anything like this but he hasn't been working in the industry that long. Is this something you might hear about once a week, once a month, or perhaps once a year? And when I say hear about, I mean in your workplace?

faustus
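As an added illustration of the kind of checks an auditor would run against this scenario (this is not part of the original post, and the log format, the `userNNN` account pattern and the sample lines are all constructed here), the snippet below flags generic training accounts used from many addresses, bulk exports performed under such accounts, and calendar days with no log entries at all, which are the first hint of logging having been switched off:

```python
import re
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample eMR access log, one event per line: "date user action source_ip".
# These lines are invented for the example and do not come from any real system.
SAMPLE_LOG = """\
2016-03-01 user101 search_patient 10.0.0.5
2016-03-01 user101 search_patient 10.0.0.9
2016-03-01 jsmith view_record 10.0.0.12
2016-03-02 user102 export_records 203.0.113.7
2016-03-05 jsmith view_record 10.0.0.12
2016-03-05 user101 search_patient 198.51.100.4
"""

# Throwaway credential pattern assumed from the post (user101, user102, ...).
GENERIC_ACCOUNT = re.compile(r"^user\d+$")


def parse(log_text):
    """Turn the constructed log text into (date, user, action, ip) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        day, user, action, ip = line.split()
        events.append((date.fromisoformat(day), user, action, ip))
    return events


def shared_account_findings(events):
    """Generic accounts and how many distinct source IPs each was used from.
    A single 'user' appearing from many addresses is the signature of a shared login."""
    ips = defaultdict(set)
    for _, user, _, ip in events:
        if GENERIC_ACCOUNT.match(user):
            ips[user].add(ip)
    return {user: len(addrs) for user, addrs in ips.items()}


def exports_by_generic_accounts(events):
    """Bulk record exports performed under an account that maps to no real person."""
    return [(d.isoformat(), u, ip) for d, u, a, ip in events
            if a == "export_records" and GENERIC_ACCOUNT.match(u)]


def logging_gaps(events, start_iso, end_iso):
    """Days in [start, end] with zero events: candidates for a disabled-logging period."""
    seen = {d for d, *_ in events}
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    return [(start + timedelta(n)).isoformat()
            for n in range((end - start).days + 1) if start + timedelta(n) not in seen]
```

On a real export the same three checks would be run over the full retention window, with the gap list compared against known maintenance windows before concluding that logging was off.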