Thursday, June 4, 2009

Analysis of Virginia’s Prescription Drug Database Breach

By: Seth A. Cowand, CISSP
Chief Information Security Officer (CISO)
Cooperative Management and Consulting (Cmac)

When I heard about the Virginia Prescription Drug Database breach, I wanted to understand what had actually happened and what it means.

Several quotes and statistics in the news reports stuck out like a sore thumb. They confirmed what I have known for a while, and what most people in healthcare may not realize. It occurred to me that I should share this information and offer a short analysis of what this breach means for the healthcare industry and for the healthcare information assurance field.

So, first of all, what happened? Based on news reports, the Virginia database that holds millions of prescription records was compromised, records were stolen, and the web page was defaced with a ransom demand. According to Virginia Gov. Timothy M. Kaine (D), “It’s difficult to foil every criminal that may want to do something to you.” Emily Wingfield, chief deputy director of the Department of Health Professions (DHP), stated that “the database contains 31.3 million prescription records and 1 million records are added monthly.” Both quotes say a lot about the state of healthcare and of healthcare security. They show that as government and industry push forward with electronic health records, the risk to and vulnerability of those records (our records, in the care, custody, and control of others) increase, and so does the security burden on whoever holds them.

Nefarious people and organizations target specific records (e.g., celebrity records), groups of records (e.g., the Virginia database), or organizations (e.g., the Commonwealth of Virginia) for various reasons, including extortion. Before deciding what to do about it, we first need to answer two questions. Is it worth the risk to have the most sensitive of information in electronic format and reachable from the web? And what do the custodians of these records have to do to protect their privacy and security? The answer to the first is a political issue, and constituents need to voice their opinion to their elected officials. The answer to the second is a comprehensive view and assessment of the environment containing these records.

How did this occur? Until the authorities publish the results of their investigation, we will not know for certain, but we can read between the lines. Patricia Paquette, DHP's technology director, stated that “the DHP's computer system -- which includes firewalls and backups -- is one of the most secure in state government.” Really? Then why did this happen? I would suggest that the devil is in the details, and that Ms. Paquette, a technologist, is not looking at the non-technology issues when trying to explain what happened. Security is first a people problem, not purely a technology problem. Is this a money problem? Possibly. A technology problem? Maybe. What about a zero-day exploit (an attack on a vulnerability that the attacker knows about but the vendor and the security industry do not yet, so no patch exists)? That is possible too. Firewalls and backups address only a narrow slice of the risk in any case: they say nothing about the security of the web application in front of the database, the controls on administrative access, or whether anyone was monitoring for intrusion.

According to Gov. Kaine, the breach indicates that the state needs to “create more sophisticated security.” Maybe Gov. Kaine is aware of something that is not being released, but I would suggest a comprehensive look at the DHP information assurance program before making a definitive recommendation on what needs to be corrected. Information assurance is holistic: it looks at training, policies, procedures, and technology, as well as environmental issues, when assessing whether data (e.g., health data) is ‘secure’. The point I am trying to make is summarized well by Del. L. Scott Lingamfelter (R-Prince William), who stated, “I have some question as to whether there is a comprehensive approach to cyber security in the commonwealth.”

My advice to the Governor and the Commonwealth leadership is to look at information security from a holistic and comprehensive viewpoint, and to hire a qualified, independent, third-party information assurance assessor, following the model of the assessments the Federal Trade Commission (FTC) requires in similar cases. You may be shocked at what you find!

For further information please visit www.cooperativemac.com

References:

San Francisco Chronicle: http://www.sfgate.com/cgi-bin/article.cgi?f=/n/a/2009/05/12/financial/f150940D35.DTL

Washington Post: http://www.washingtonpost.com/wp-dyn/content/article/2009/05/07/AR2009050702515.html

Washington Post: http://www.washingtonpost.com/wp-dyn/content/article/2009/05/12/AR2009051201934.html
