- This topic has 3 replies, 4 voices, and was last updated 2 years, 7 months ago by Auswin Rojanasumapong.
2021-09-18 at 7:04 am #31393 TARO KITA (Participant)
This is a case study about a security breach of the health data of the residents in the state of Indiana. According to a press release issued by the Indiana Department of Health (IDOH), information of the residents, collected for an online contact tracing program for COVID-19, stored at the IDOH, was illegally accessed.
The state authorities immediately corrected a software configuration issue, and confirmed that the information accessed was not released to any other entity and was destroyed by the company that allegedly broke into the system.
The state authorities have promised to provide necessary protections and support for the impacted residents such as credit monitoring and regular scans to prevent the transfer of information, as well as establishing a call center.
As a result of this data breach, residents’ privacy was improperly compromised. The breached data consisted of individuals’ names, addresses, email addresses, genders, race and ethnicities, and dates of birth. However, no substantial damage was reported so far, partly because the information did not contain social security or medical records.
The data breach was carried out by the company that intentionally looked for software vulnerabilities, reaching out to seek business. The technical details of the data breach, or software vulnerability, were not clearly disclosed in the press release, except for database misconfiguration.
The database misconfiguration is a system’s status that is inaccurately left insecure, putting the systems and data at risk. Any poorly documented configuration changes, default settings, or a technical issue across any component in the endpoints could lead to the status of misconfiguration.
It is expected that preventive measures will be taken, as the state authority said in its press release that the state takes the security and integrity of data very seriously.
In order to prevent such attacks, it is necessary to continuously assess vulnerabilities in the system, and ensure that the firewall is always active, and regularly update the software with security updates and patching that can resolve flaws or security holes in the system.
2021-09-20 at 7:02 pm #31431 Arwin Jerome Manalo Onda (Participant)
Good read. Information that was publicized but not intended to be shared is still a breach of privacy, nonetheless.
I definitely agree that continuous assessment of system vulnerabilities is one of the major solutions for this kind of problem. In fact, it was the solution at the top of my head. I would like to add that limiting privilege rights would help in solving the problem – following the Principle of Least Privilege. Too many unnecessary privilege rights to unnecessary people is like widely opening the door to hackers.
-
2021-09-22 at 6:10 am #31465 Saranath (Keymaster)
This shows that it is important for health informaticians to understand the concepts of system and database development and configuration, so that you can detect suspicious misconfigurations that may lead to data breach incidents.
-
2021-09-22 at 8:37 pm #31527 Auswin Rojanasumapong (Participant)
I agree with you about continuously assessing vulnerabilities in the system. For the problem that you mentioned in the case study about the misconfiguration that left the system insecure, prevention might be as easy as changing the default password of the network hardware from “user: admin, password: admin” to another username!