Thursday, January 28, 2016

Centene Corp loses health information for 950,000 patients

Ask yourself: are your IT policies promoting unsafe use of external drives?  What's the potential cost?

The Centene Corporation announced that it has lost health information for about 950,000 patients, though with a nice round number that high I get the feeling they don't really know.
Recently, it's been reported that your health data is worth more to criminals than stolen credit cards.  Many times criminals will use this data to perpetrate Medicare or insurance fraud to cash out.  In any case, once your health data is out there, you can't get it reissued like you can a credit card.

Although Centene doesn't elaborate on the type of hard drives lost, I'd like to suggest that these were probably external drives.  At Rendition Infosec, we certainly see lots of external (mostly USB) drives attached to computers at client sites.  And quite frankly it makes us cringe.  But why would anyone want to store sensitive data on an external drive?  After all, they are usually very slow and have higher failure rates than internal drives.  And let's be fair, they are 1000% more likely to be lost/stolen than internal drives.

In interviewing clients who rely on external drives, we usually find that they are using them for convenience.  In many cases, getting corporate approved storage on a NAS or a SAN is very expensive for the department.  And when IT provisions corporate machines, they usually have very small hard drives.  The latter makes sense: we want users to save files on the corporate storage where it is centrally backed up, and large workstation hard drives work against that.

But at one recent client, we found that the cheapest a department can purchase "corporate approved storage" for is $2,000 per TB.  Let that sink in for a second.  At $2k/TB, you can totally expect people to look elsewhere.  A quick check on Amazon shows that I can buy a 5TB USB hard drive for less than $130.  Compared to what this client's IT department charges for storage (albeit faster, more accessible, and more secure) that's a savings of $9,870.  You don't need a PhD in psychology to know what most people will do when faced with such a price disparity. Of course, that external USB drive is more likely to be lost than most NAS devices, and since it was deployed by an end user, it is probably not encrypted.

The Centene breach should highlight the need for sensible IT policies. If your IT policies are driving your users to unsafe behaviors, work with the organization to change those policies to drive users to sensible, secure behaviors.
