Premera’s IT Security Audit Report Revealed Lack of Multi-Factor Authentication
Back at the end of November 2014, the Office of Personnel Management (OPM) released an IT security audit report on Premera's security posture, noting a gap in access controls. A few months later, Premera disclosed a breach of its systems that may have compromised the medical and financial data of 11 million individuals.
The audit found that Premera did not use multi-factor authentication to protect physical access to the computer room at its Washington-based data center. Premera did implement two-factor authentication after the audit was issued, but by then the attackers were reportedly already inside: Premera's own breach notice states that the attack began on May 5, 2014, and was not discovered until late January 2015, while the new controls went in at the end of December 2014.
There was also no word on whether Premera used two-factor authentication to protect logins to internal applications or networks. Applied there, it helps block remote attacks that rely on stolen or guessed credentials, and it makes lateral movement inside the network harder once an attacker has a foothold.
As the OPM noted in the report, two-factor authentication is commonly used at data centers because it provides both physical and technical security at a facility that houses large volumes of sensitive data - in this case, the private patient and financial data of Premera customers. Managed hosting providers that colocate servers or provide cloud computing services to many different clients are usually subject to many different data security regulations.
One oft-cited case involving a hosting provider and a catastrophic data breach is the attack on Code Spaces, a Subversion (SVN) and Git hosting provider. In June 2014, an attacker gained access to the company's Amazon Web Services (AWS) management console, the web-based interface used to administer an organization's cloud account.
After changing the console's password, the attacker deleted numerous cloud storage volumes, backups and snapshots, effectively wiping critical components of the company's infrastructure. All of Code Spaces' clients were affected, and the company went out of business. This shows how failing to secure virtual and remote access to a cloud hosting account can prove disastrous to business survival. Learn more in Protecting the Cloud with Two-Factor: AWS Authentication Security for IaaS Providers.
The report also found that Premera's password policy did not enforce a minimum time between password changes. Password history alone is easy to defeat: a user can change their password several times within a few minutes, push the old one out of the history list, and then set the original password again.
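As an added illustration (this is not code from the audit report, from OPM or from Premera's systems), here is a minimal password-change policy in Python that models the gap described above: a history rule on its own, and the same history rule with a minimum password age. The history depth of five, the 24-hour minimum age, the user name-free account model and the timings in the simulation are all assumptions made for the demonstration; the point it shows is that the minimum-age check has to run before the history check for the history rule to mean anything.

```python
"""Password-change policy: history alone vs. history plus minimum age.

Added example modelling the weakness in the OPM audit finding. The policy
parameters and the simulated user behaviour below are assumptions for the
demonstration, not values from the report.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

HISTORY_DEPTH = 5             # reject any of the last 5 passwords (assumed policy)
MIN_AGE_SECONDS = 24 * 3600   # one change per 24 hours (assumed policy)


def _hash(password: str, salt: bytes) -> bytes:
    # scrypt with a moderate work factor; enough to make the demo realistic
    # without making the simulation slow.
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)


@dataclass
class Account:
    # most recent first; each entry is (salt, digest)
    history: list = field(default_factory=list)
    last_change: float = 0.0

    def _in_history(self, candidate: str) -> bool:
        return any(
            hmac.compare_digest(_hash(candidate, salt), digest)
            for salt, digest in self.history[:HISTORY_DEPTH]
        )

    def change_password(self, new: str, now: float, enforce_min_age: bool) -> tuple:
        """Apply the policy and, if it passes, record the new password.

        Returns (accepted, reason). The minimum-age check runs first, so a
        user cannot churn through the history list in a single session.
        An initial password set on an empty history is always allowed.
        """
        if enforce_min_age and self.history and now - self.last_change < MIN_AGE_SECONDS:
            return False, "minimum password age not reached"
        if self._in_history(new):
            return False, "password matches one of the last %d" % HISTORY_DEPTH
        salt = os.urandom(16)
        self.history.insert(0, (salt, _hash(new, salt)))
        del self.history[HISTORY_DEPTH:]   # keep only what the policy needs
        self.last_change = now
        return True, "ok"


def cycle_back(enforce_min_age: bool) -> bool:
    """Simulate a user rotating through throwaway passwords to reinstate the original.

    The user sets a password, then changes it HISTORY_DEPTH times at ten-second
    intervals (constructed timings), then tries the original again. Returns
    True if the original password was accepted, i.e. the history rule was bypassed.
    """
    acct = Account()
    t = 1_000_000.0
    acct.change_password("Original!1", t, enforce_min_age)
    for i in range(HISTORY_DEPTH):
        t += 10
        acct.change_password("Throwaway%d!" % i, t, enforce_min_age)
    t += 10
    accepted, _ = acct.change_password("Original!1", t, enforce_min_age)
    return accepted


if __name__ == "__main__":
    print("history only, original reinstated:", cycle_back(enforce_min_age=False))
    print("history + min age, original reinstated:", cycle_back(enforce_min_age=True))
```

With only the history rule, the simulated user gets the original password back after six quick changes; with the minimum-age rule in front of it, every change after the first is refused until a day has passed. A real deployment still needs a separate, audited path for help-desk or administrator resets, which legitimately has to bypass the minimum age.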
Other areas of concern involved network security controls. Despite a patch management policy being in place, OPM's scans found that patches were not being applied in a timely manner. Premera also had no inventory that would tell it whether outdated or unsupported software was in use, and a number of insecure server configurations were identified.
A further weakness was the failure to perform a complete disaster recovery test for all information systems. This is fairly common, as full disaster recovery exercises are often costly, time-consuming and difficult to carry out.
Finally, the report stated that nothing had come to the auditors' attention to cause them to believe Premera was not in compliance with HIPAA regulations, a reminder that compliance does not always mean sufficient security.
While certainly not the worst security offenses out there, a combination of lax controls adds up quickly. Learn more about how to protect against a similar healthcare attack in our guide to securing healthcare data.