OIG: Obamacare Data Repository Had Security Flaws
Weaknesses Found in System Used for Data Analysis Have Been Addressed
… Some security experts say the security issues that OIG identified in MIDAS are relatively common at organizations across all business sectors and can put data at risk if not corrected.
“While the MIDAS database is outside of Healthcare.gov, it stores a lot of confidential information related to healthcare insurance,” says Tom Walsh, founder of consulting firm tw-Security. “In my opinion, this would make the database a prime target for hackers – a serious concern.”
… Securing databases, “especially from a backdoor attack – can be challenging for any organization,” Walsh says. “The front-end security of a database relies on the security controls of the application accessing the database. Programs continue to grow in complexity making code reviews more challenging. The security of the backend of the database relies on network and operating system security. The same interfaces that allow the database to exchange data with other systems can become an authorized pathway into the database.”
Steps to Take
Organizations can take several measures to address the kinds of weaknesses that OIG identified in MIDAS, as well as other common security issues in these types of systems, says Kerry McConnell, a principal consultant with tw-Security. These include:
- Conducting periodic evaluations of technical and non-technical issues;
- Maintaining strong configuration and patch management for the server and storage;
- Implementing host-based intrusion prevention/detection systems;
- Implementing network-based intrusion prevention/detection systems;
- Deploying data loss prevention solutions where possible to detect information leaking from the organization;
- Maintaining tighter access controls for nonemployees, such as contractors;
- Carefully managing remote connectivity using secure connections, two-factor authentication, session timeouts and access log reviews;
- Hiring third parties to conduct vulnerability scans and penetration tests, but avoiding using the same third party two years in a row;
- Managing those with elevated privileges, such as system and database administrators, by limiting the number of individuals with privileges, maintaining a list of those with elevated privileges, requiring strong passwords and/or implementing two-factor authentication and requiring background checks of elevated privilege users every two to three years.