Friday, December 20, 2013

Another Reason to Put Everyone's Confidental Medical Information Into Today's Massively Secure (Surely They Are, No?) EHR systems

Office of Inspector General
Department of the Treasury
Oct. 17, 2013

Audit report

INFORMATION TECHNOLOGY: OCC's (Office of the Comptroller of the Currency) Network and Systems Security Controls Were Deficient

PDF available at: http://www.treasury.gov/about/organizational-structure/ig/Audit%20Reports%20and%20Testimonies/OIG-14-001.pdf

Highlights:

... To accomplish our objective, we performed a series of internal and external vulnerability assessments and penetration tests on OCC’s workstations, servers, network-attached peripherals (such as cameras and printers), infrastructure devices, and Internet websites.

... We determined that OCC’s security measures were not sufficient to fully prevent and detect unauthorized access into its network and systems by internal threats,or external threats that gained an internal foothold. Also, OCC’s security measures were not adequate to fully protect personally identifiable information (PII) from Internet-based threats.

We found that default factory-preset administrative usernames and passwords were present in OCC’s systems. In one test we conducted, we discovered a default username and password of an internal service account on an OCC server which had local administrator privileges. We used those privileges and deployed our penetration test tool’s agents to the host server. That server contained password hashes for local and domain administrator accounts. Using these hashes, we obtained a domain administrator’s password, which we then used to log on to the network domain controller. With full access given to a typical domain administrative account, we created a domain administrator account and thereby had full control of OCC’s network.

... In accordance with our Rules of Engagement, we did not attempt to perform actions that would disrupt OCC’s operations, such as deleting data, powering off servers or other resources, locking out accounts, and similar activities, any of which could have resulted in interruption or shutdown of devices or services. However, malicious attackers would have no such restrictions against performing these actions

... Because systems and devices connected to OCC’s internal network could freely communicate between one another, with very little internal partitioning, we successfully attacked multiple OCC systems in a very short amount of time from a single workstation.

I offer no additional comments other than, if Treasury's IT security is this lax, just imagine how secure your health information is, sitting on servers at Podunk Hollow General Hospital.

-- SS

2 comments:

Steve Lucas said...

One word: Target.

Steve Lucas

Steve Lucas said...

It was reported yesterday that some of the 40 million records of full names, credit card numbers, and security codes from the Target hack were for sale on the black market.

Steve Lucas