Written By Craig Hand And Presented By Ziften CEO Charles Leaver
UCLA Health Data Breach Probably Down To Poor Security
UCLA Health announced on July 17th 2015 that it was the victim of a health data breach affecting as many as 4.5 million patients of the four health centers it runs in the Southern California area. According to UCLA Health officials, Personally Identifiable Information (PII) and Protected Health Information (PHI) was accessed, though there is no evidence yet that the data was stolen. The data went as far back as 1990. The officials also stated that there was no evidence, at this time, that any credit card or financial data was accessed.
“At this time” is key here. The information accessed (or potentially taken; it is certainly difficult to know at this point) remains useful for the lifetime of the individual, and potentially beyond that person’s death. The details available to the perpetrators included: names, addresses, contact numbers, Social Security numbers, medical conditions, medications prescribed, medical treatments performed, and test results.
Little is known about this cyber attack, like so many others we hear about but never learn any real details of. UCLA Health detected unusual activity in parts of its network in October 2014 (although the access may have begun a month earlier) and immediately contacted the FBI. Not until May 2015 – a full 7 months later – did investigators state that a data breach had occurred. Again, officials claim that the attackers are probably highly sophisticated and not based in the United States. Finally, we the general public learn about the breach a full 2 months after that, on July 17, 2015.
It has been said many times before that we as security professionals have to be right 100% of the time, while the bad guys only need to find the 1% we were not able to fix. Based on our research into the breach, the bottom line is that UCLA Health had poor security practices. One reason is the basic fact that the accessed data was not encrypted. We have had HIPAA for some time now, and UCLA is a well-regarded bastion of higher education, yet it still failed to protect data in the most basic ways. The claim that the attackers were highly sophisticated is likewise suspect, as no real proof has been produced so far. After all, when was the last time a breached organization declared that it was not the victim of a “sophisticated” cyber attack? Even if they claim to have such evidence, we as members of the public will not get to see it and verify it properly.
Because not enough information about the breach has been disclosed, it is difficult to determine whether any solution would have helped detect the breach sooner rather than later. Nevertheless, if the breach started with malware delivered to and launched by a UCLA Health network user, the likelihood that Ziften could have helped detect the malware, and potentially stop it, would have been fairly high. Ziften could likewise have alerted on suspicious, unknown, or known malware, as well as on any communications the malware made in order to spread internally or to exfiltrate data to an external host.
When are we going to learn? As we all know, it is not a matter of if, but when, organizations will be breached. Smart organizations are preparing for the inevitable with detection and response solutions that limit the damage.