Audit Identifies Security Gaps 3 Weeks Before Historic Breach

Audit Identifies Security Gaps 3 Weeks Before Historic Breach

Arraya Insights | April 15, 2015

Time is of the essence when it comes to plugging gaps in your IT security. Just ask Premera Blue Cross. Last spring, federal auditors combed through Premera’s systems and uncovered a number of shortcomings. Flash forward three weeks: the issues hadn’t been addressed and hackers took advantage, potentially gaining access to the personal, financial and medical information of 11 million customers. That makes it the second largest healthcare data breach in history.

According to reports, hackers got into Premera’s system on May 5, 2014 and they went undetected until Jan. 29 of this year. Three weeks before the attack began, on April 18, Premera received a report from the U.S. Office of Personnel Management’s Office of the Inspector General outlining several vulnerabilities, including:

  • Patches were being implemented, just not in a timely manner
  • Methodology was missing to prevent unsupported or out-of-date software from being utilized
  • Server configurations were identified as not being secure by a vulnerability scan

Auditors listed a number of fixes they recommended that Premera make in order to bring its security environment up to the level it needed to be. These recommendations included:

  • Reconfiguring its information systems to ensure compliance with its password policy
  • Implementing procedures to ensure timely application of appropriate patches, service packs, and hotfixes to production servers
  • Remediating the technical weaknesses detailed in the vulnerability scanning audit inquiry issued during the audit
  • Routinely auditing all security configuration settings to keep them in compliance with the approved baseline
  • Subjecting all apps to routine disaster recovery testing

Premera promised to address the auditors’ concerns by Dec. 31, 2014. Of course, by that point it was already too late. Hackers had already had access to Premera’s systems for about eight months. A multi-state investigation into the breach is currently taking place.

A number of the items on the Feds’ punch list – including implementing updates and fixes on time and auditing security settings – should be standing items on IT’s calendar. However, they can also be among the first things dropped when IT gets overwhelmed with a number of other, more pressing projects.

That’s where Arraya’s Managed Services can help. Arraya’s team can take a wide range of tasks – from routine maintenance to more higher value items – off your IT team’s plate.

A Managed Services partnership with Arraya can result in simpler IT operations, a reduction in business disruptions and the peace of mind that comes with knowing someone has eyes 24/7 on the infrastructure services that support your business. Arraya’s experts are ready to work with your existing staff to chase down alerts, address issues, solve complex problems and manage requests across the full scope of your IT environment.   

Want to learn more about Arraya’s line of Managed Services? Reach out to your Arraya Account Executive, who can set up a meeting with our Managed Services team to evaluate your needs.  Not sure who your Account Executive is or looking to partner with Arraya for the first time?  Simply send us an email at info@arrayasolutions.com or contact us through our company website: www.arrayasolutions.com.

 If you want to learn about Arraya’s Managed Services and the latest cutting-edge offerings from industry-leading technology providers, register for The 2015 Arraya Tech Summit.

This free event will be held on June 4th, 2015 at the Sheraton Valley Forge in King of Prussia. It features courses geared specifically toward a tech-savvy audience, presented by Arraya’s renowned team of engineers. Attendees will have the opportunity to participate in deep-level technical discussions that focus on the issues and tools that matter most to today’s IT professionals. The lessons and skills you and your team will walk away with can propel IT to a whole new level, enabling the rest of the business to follow suit.

And don’t forget to follow us on Twitter, @ArrayaSolutions, for all of our latest company and Tech Summit news and offerings.