Written By Craig Hand And Presented By Ziften CEO Charles Leaver
UCLA Health Data Breach Probably Down To Inferior Security
UCLA Health announced on July 17th, 2015 that it was the victim of a health data breach affecting as many as 4.5 million patients of the four health centers it runs in the Southern California region. According to UCLA Health officials, Personally Identifiable Information (PII) and Protected Health Information (PHI) was accessed, though no evidence so far suggests that the data was stolen. The data went as far back as 1990. Officials also stated that there was no evidence, at this time, that any credit card or financial data was accessed.
“At this time” is the key phrase here. The data accessed (or possibly stolen; it is hard to know at this point) stays useful to an attacker for the lifetime of the individual, and potentially beyond that person's death. The information exposed to the criminals included: names, addresses, contact numbers, Social Security numbers, medical conditions, medications prescribed, medical procedures performed, and test results.
Little is known about this attack, as with many others we hear about but never get real details on. UCLA Health detected unusual activity in parts of its network in October 2014 (although access may have begun a month earlier) and immediately contacted the FBI. By May 2015, a full seven months later, investigators determined that a data breach had occurred. Again, officials claim that the attackers are probably highly sophisticated and based outside the country. Finally, the public learned of the breach a full two months after that, on July 17, 2015.
It has been said many times that we as security professionals need to be right 100% of the time, while the criminals only need to find the 1% we could not fix. Based on our research into the breach, the bottom line is that UCLA Health had inferior security practices. One factor is the simple fact that the accessed data was not encrypted. HIPAA has been in force for some time, and UCLA is a renowned bastion of higher education, yet it still failed to protect data in the most basic ways. The claim that the attackers were highly sophisticated is also suspect, as no real evidence has been disclosed so far. After all, when was the last time a breached company declared that the attack was not “sophisticated”? Even if they claim to have such evidence, we as members of the public will not get to see it and vet it properly.
Because not enough detail about the breach has been disclosed, it is difficult to determine whether any system would have helped detect it sooner rather than later. However, if the breach began with malware delivered to and executed by a UCLA Health network user, the likelihood that Ziften could have helped detect the malware, and potentially stop it, would have been fairly high. Ziften could also have alerted on suspicious, unknown, or known malware, as well as on any connections the malware made in order to spread internally or to exfiltrate data to an external host.
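As an added illustration of the kind of endpoint-side detection the paragraph describes (this is example code written for this page, not Ziften's product code), the script below runs two simple checks over constructed endpoint connection records: bulk outbound transfers to external hosts that are not on an allow list, and a single process fanning out to many internal hosts over remote-access ports. The record format, thresholds, address ranges, allow list, and sample events are all assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed internal address space (RFC 1918 ranges); adjust for the real environment.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed allow-list of sanctioned external services (e.g. hosted email).
KNOWN_EXTERNAL = {"52.96.0.10"}
# Ports commonly used for admin and file access between internal hosts.
LATERAL_PORTS = {445, 3389, 5985}

# Constructed sample records: (host, process, dest_ip, dest_port, bytes_out)
SAMPLE_EVENTS = [
    ("ws-0142", "outlook.exe", "52.96.0.10", 443, 900_000),
    ("ws-0142", "helper.exe", "10.20.4.15", 445, 50_000),
    ("ws-0142", "helper.exe", "10.20.4.16", 445, 48_000),
    ("ws-0142", "helper.exe", "10.20.4.17", 445, 51_000),
    ("ws-0142", "helper.exe", "10.20.4.18", 445, 49_000),
    ("ws-0142", "helper.exe", "10.20.4.19", 445, 50_500),
    ("ws-0177", "updater.exe", "203.0.113.40", 443, 40_000_000),
    ("ws-0177", "updater.exe", "203.0.113.40", 443, 35_000_000),
    ("ws-0177", "chrome.exe", "198.51.100.7", 443, 2_000_000),
    ("db-01", "sqlservr.exe", "10.20.9.3", 1433, 500_000_000),
]


def is_internal(ip_text):
    """True if the address falls inside the assumed internal ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def flag_exfiltration(events, threshold_bytes=50_000_000, allow=KNOWN_EXTERNAL):
    """Sum bytes per (host, process, external destination) and return the
    tuples whose total meets the threshold, ignoring allow-listed services."""
    totals = defaultdict(int)
    for host, proc, dst, _port, nbytes in events:
        if is_internal(dst) or dst in allow:
            continue
        totals[(host, proc, dst)] += nbytes
    return sorted((h, p, d, b) for (h, p, d), b in totals.items()
                  if b >= threshold_bytes)


def flag_lateral_fanout(events, min_targets=5):
    """Return (host, process, target_count) for processes that reached at
    least min_targets distinct internal hosts over remote-access ports."""
    targets = defaultdict(set)
    for host, proc, dst, port, _nbytes in events:
        if port in LATERAL_PORTS and is_internal(dst):
            targets[(host, proc)].add(dst)
    return sorted((h, p, len(t)) for (h, p), t in targets.items()
                  if len(t) >= min_targets)


if __name__ == "__main__":
    for h, p, d, b in flag_exfiltration(SAMPLE_EVENTS):
        print(f"possible exfiltration: {h} {p} -> {d}: {b:,} bytes")
    for h, p, n in flag_lateral_fanout(SAMPLE_EVENTS):
        print(f"possible lateral movement: {h} {p} reached {n} internal hosts")
```

Both checks are deliberately coarse: the point is that per-process connection telemetry collected on the endpoint, rather than only at the perimeter, is what lets a defender tie a large outbound transfer or an internal scan back to the specific program and machine responsible, which is the alerting the paragraph describes.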
When are we going to learn? As we all know, it is not a matter of if, but when, companies will be attacked. Smart organizations are preparing for the inevitable with detection and response services that limit the damage.