Written By Craig Hand And Presented By Ziften CEO Chuck Leaver
UCLA Health Data Breach Probably Down To Poor Security
UCLA Health announced on July 17th, 2015 that it was the victim of a health data breach affecting as many as 4.5 million patients of the four hospitals it operates in Southern California. According to UCLA Health officials, Personally Identifiable Information (PII) and Protected Health Information (PHI) was accessed, but no evidence so far indicates that the data was taken. The records went as far back as 1990. Officials also stated that there was no evidence, at this time, that any credit card or financial data was accessed.
“At this time” is the key phrase. The information accessed (or possibly taken; it is impossible to know at this point) is useful to a criminal for the lifetime of the victim and, in some cases, after the victim's death: unlike a credit card number, a Social Security number or a medical history cannot be reissued. The details available to the perpetrators included: names, addresses, telephone numbers, Social Security numbers, medical conditions, medications prescribed, medical procedures performed, and test results.
Little is known about this attack, like so many others we hear about but never get real details on. UCLA Health detected unusual activity on parts of its network in October 2014 (although access may have begun a month earlier) and immediately contacted the FBI. By May 2015, a full seven months later, investigators concluded that a breach had occurred. Again, officials claim the attackers were most likely highly sophisticated and based outside the country. Finally, the public gets to hear about the breach a full two months after that, on July 17, 2015.
It has been said many times before that we as security practitioners have to be right every time, while the criminals only need to find the one gap we failed to close. Based on what has been reported about this breach, the bottom line is that UCLA Health had poor security practices. One reason is the simple fact that the accessed data was not encrypted. HIPAA has been with us for years (its Security Rule treats encryption of electronic PHI as an "addressable" specification rather than a flat requirement, which is exactly how unencrypted patient records stay in production), and UCLA is a well-regarded bastion of higher education, yet it still failed to protect data in the most basic way. Encryption at rest is no cure-all: an attacker who takes over an account or application that is authorized to read the records gets plaintext regardless. It does, however, close the cheapest routes to bulk data, such as copied database files and stolen backups. The claim that the attackers were highly sophisticated is also suspect, as no real evidence has been disclosed so far. After all, when was the last time a breached organization said it was not the victim of an "advanced" attack? Even if it has such evidence, we as members of the public will never see it in order to verify it.
Since not enough has been disclosed about the breach, it is hard to say whether any system would have detected it sooner rather than later. However, if the breach began with malware delivered to and executed by a UCLA Health network user, the likelihood that Ziften could have helped find the malware, and potentially stop it, would have been fairly high. Ziften could also have alerted on suspicious, unknown or known malware, and on any communications the malware made in order to spread internally or to exfiltrate data to an external host.
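To make the three behaviours in that paragraph concrete (an unknown binary talking to the Internet, a large outbound volume to one external host, and one process fanning out to many internal machines over admin ports), here is an added example of the kind of detection logic an endpoint product runs over its connection telemetry. It is not Ziften's code and has nothing to do with what was reported about the UCLA Health intrusion; the connection records, process names, hash prefixes, addresses, allowlist and thresholds are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of endpoint connection telemetry (invented for this
# example, not real data). One tuple per outbound connection observed on a
# monitored host: (host, process image, sha256 prefix, dest ip, dest port, bytes sent)
SAMPLE_CONNECTIONS = [
    ("ws-017", "outlook.exe", "a1f3", "10.20.1.5", 443, 120_000),
    ("ws-042", "chrome.exe", "b7d2", "203.0.113.9", 443, 300_000),
    ("srv-db1", "sqlservr.exe", "c4e1", "10.20.3.15", 1433, 5_000_000),
    # An unknown binary beaconing and pushing a large volume to an external host
    ("ws-017", "svch0st.exe", "9e7c", "198.51.100.23", 443, 8_000_000),
    ("ws-017", "svch0st.exe", "9e7c", "198.51.100.23", 443, 7_500_000),
    # The same binary fanning out to internal hosts over SMB (lateral movement)
    ("ws-017", "svch0st.exe", "9e7c", "10.20.2.10", 445, 2_000),
    ("ws-017", "svch0st.exe", "9e7c", "10.20.2.11", 445, 2_000),
    ("ws-017", "svch0st.exe", "9e7c", "10.20.2.12", 445, 2_000),
    ("ws-017", "svch0st.exe", "9e7c", "10.20.2.13", 445, 2_000),
    ("ws-017", "svch0st.exe", "9e7c", "10.20.2.14", 445, 2_000),
    ("ws-017", "svch0st.exe", "9e7c", "10.20.2.15", 445, 2_000),
    # A legitimate admin tool touching a couple of hosts: below the fan-out bar
    ("adm-01", "psexec.exe", "d05a", "10.20.2.10", 445, 1_000),
    ("adm-01", "psexec.exe", "d05a", "10.20.2.11", 445, 1_000),
]

# Hypothetical allowlist of vetted binaries and the organisation's own address
# space. Internal ranges are listed explicitly rather than using
# ipaddress.is_private, which would also mark documentation ranges such as
# 198.51.100.0/24 as "private" and hide the exfiltration above.
KNOWN_GOOD_HASHES = {"a1f3", "b7d2", "c4e1", "d05a"}
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXFIL_BYTES_THRESHOLD = 10_000_000   # bytes to one external host per window
LATERAL_PORTS = {135, 445, 3389, 5985}  # RPC, SMB, RDP, WinRM
LATERAL_FANOUT_THRESHOLD = 5         # distinct internal targets from one process


def is_internal(ip):
    """True when the address falls inside one of the organisation's own ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def unknown_binaries_talking_out(conns, known=KNOWN_GOOD_HASHES):
    """Rule 1: a binary not on the allowlist opening connections to the Internet."""
    hits = set()
    for host, proc, sha, dst, _port, _nbytes in conns:
        if sha not in known and not is_internal(dst):
            hits.add((host, proc, sha, dst))
    return sorted(hits)


def exfil_candidates(conns, threshold=EXFIL_BYTES_THRESHOLD):
    """Rule 2: bytes sent per (host, process, external destination) over the bar."""
    totals = defaultdict(int)
    for host, proc, _sha, dst, _port, nbytes in conns:
        if not is_internal(dst):
            totals[(host, proc, dst)] += nbytes
    return sorted((key, total) for key, total in totals.items() if total >= threshold)


def lateral_movement(conns, ports=LATERAL_PORTS, fanout=LATERAL_FANOUT_THRESHOLD):
    """Rule 3: one process reaching many distinct internal hosts on admin ports.
    Allowlisted binaries are deliberately NOT excluded here: lateral movement
    with stolen credentials is usually done with legitimate tools."""
    targets = defaultdict(set)
    for host, proc, sha, dst, port, _nbytes in conns:
        if port in ports and is_internal(dst):
            targets[(host, proc, sha)].add(dst)
    return sorted((key, len(dsts)) for key, dsts in targets.items() if len(dsts) >= fanout)


def analyze(conns):
    """Run all three rules and return the findings keyed by rule name."""
    return {
        "unknown_binary_external": unknown_binaries_talking_out(conns),
        "exfil_volume": exfil_candidates(conns),
        "lateral_fanout": lateral_movement(conns),
    }


if __name__ == "__main__":
    for rule, findings in analyze(SAMPLE_CONNECTIONS).items():
        print(rule)
        for finding in findings:
            print("   ", finding)
```

On the sample data all three rules converge on the same process on ws-017, which is the point: no single connection looks alarming, but an unvetted binary that both pushes 15 MB to one outside address and probes six internal hosts over SMB is worth an analyst's time. The thresholds are per collection window and would be tuned per environment; the volume rule in particular needs to be aggregated over a window rather than evaluated per connection, or a slow exfiltration of small chunks slips under it.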
When are we going to learn? As we all know, it is not a matter of if, but when, an organization will be breached. Smart companies are preparing for the inevitable with detection and response systems that limit the damage.