[ISN] Congress to hear status report on Medicare's computer security

From: InfoSec News (isnat_private)
Date: Tue May 22 2001 - 23:50:21 PDT

    http://www.nandotimes.com/technology/story/13270p-269250c.html
    
    The Associated Press 
    
    WASHINGTON (May 22, 2001 09:04 p.m. EDT) - Security experts will tell
    Congress on Wednesday that the agency controlling Medicare lacks enough
    computer security personnel to oversee the agency's many contractors
    and maintain the integrity of its networks.
    
    The Health Care Financing Administration contractors were "outright
    obstructive to providing sound security," wrote Michael Neuman of En
    Garde Systems of Albuquerque, N.M., in a prepared statement to
    legislators. The testimony will be given to a House oversight
    subcommittee looking into whether private medical information held by
    the government is secure from hackers.
    
    Medicare provided health insurance for about 39.5 million elderly and
    disabled Americans at a cost of approximately $215 billion last year.
    
    En Garde and other security companies were paid by HCFA to test its
    computer networks between 1997 and 2001. All of the companies found
    significant security weaknesses during their tests.
    
    The oversight committee's chairman, James Greenwood, R-Pa., called for
    the agency to do better.
    
    "HCFA must improve the basics of security management," Greenwood said
    in prepared remarks.
    
    Neuman complained that it took HCFA a year of negotiations to lay down
    the ground rules for their latest security test, and that En Garde was
    not allowed to touch certain systems during its tests, making the test
    results "unrealistic."
    
    But even with the restrictions, En Garde had little trouble breaking
    in.
    
    "Using an extremely old, very well known vulnerability in the WWW
    server software, we were able to gain access to HCFA's Web server
    without any more technical expertise than it takes to point and
    click," Neuman said.
    
    From there, the security team could easily break into HCFA's internal
    network. If a disgruntled former employee or outside hacker attacked
    HCFA in the same way, Neuman said, it could put millions of medical
    records and billions of dollars at risk.
    
    Other security companies had similar experiences.
    
    "In its attempts to successfully subvert several user and
    administrator passwords, Allied Technology discovered blank, easily
    cracked and poorly managed passwords, both from user and administrator
    accounts," one report from a March 2001 test states, adding that no
    security updates were found on HCFA's computers.
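    The Allied Technology finding above (blank, easily cracked and poorly
    managed passwords) is the kind of weakness a routine credential audit
    catches before a tester does. The script below is an added example and
    is not code from the article, from En Garde Systems, from Allied
    Technology or from HCFA. It assumes a simplified, hypothetical
    "user:hash" dump format with PBKDF2-SHA256 hash fields standing in for
    real crypt(3) shadow entries; the sample dump, the wordlist and the
    user names are constructed for the demonstration. It flags accounts
    whose password field is blank, skips locked accounts, and reports
    accounts whose password equals the username or a dictionary word.

```python
import hashlib
import hmac
import secrets

# Short wordlist standing in for the dictionary a password auditor would use.
# Constructed for this example.
WORDLIST = ["password", "medicare", "hcfa2001", "welcome", "admin"]

# Work factor for the constructed hashes; kept modest so the audit runs in
# seconds. A production deployment would use a far higher count.
ITERATIONS = 20_000


def make_hash(password, salt=None, iterations=ITERATIONS):
    """Build a hash field in the hypothetical 'pbkdf2$iters$salt$digest' format."""
    salt = salt if salt is not None else secrets.token_bytes(8)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"


def verify(password, hash_field):
    """Return True if password matches hash_field; False on mismatch or bad format."""
    try:
        scheme, iters, salt_hex, digest_hex = hash_field.split("$")
        if scheme != "pbkdf2":
            return False
        salt, iterations = bytes.fromhex(salt_hex), int(iters)
    except ValueError:
        return False  # malformed or unrecognised field: cannot be verified
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def parse_dump(text):
    """Yield (user, hash_field) for each 'user:hash' line, skipping blanks and comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hash_field = line.split(":", 1)
        yield user, hash_field


def audit(text, wordlist=WORDLIST):
    """Return {user: finding} for accounts with blank or trivially guessable passwords."""
    findings = {}
    for user, hash_field in parse_dump(text):
        if hash_field == "":
            findings[user] = "blank password"
            continue
        if hash_field.startswith(("!", "*")):
            continue  # locked or disabled account: no password login possible
        # Try the username itself first, then the dictionary.
        guesses = [("username", user)] + [("wordlist", w) for w in wordlist]
        for label, guess in guesses:
            if verify(guess, hash_field):
                findings[user] = f"cracked ({label}): {guess}"
                break
    return findings


# Constructed sample dump, not data from any real system.
STRONG_PASSWORD = "c7Vq9pLz2mRwT4"  # not in the wordlist
SAMPLE_DUMP = "\n".join([
    "# user:hash",
    f"root:{make_hash(STRONG_PASSWORD)}",
    "admin:",                                 # blank password field
    f"backup:!{make_hash('unused')}",         # locked account
    f"jsmith:{make_hash('jsmith')}",          # password equals username
    f"claims:{make_hash('medicare')}",        # dictionary word
])

if __name__ == "__main__":
    for user, finding in audit(SAMPLE_DUMP).items():
        print(f"{user}: {finding}")
```

    Running the audit over the constructed dump reports admin (blank),
    jsmith (username as password) and claims (dictionary word), and stays
    silent on root and on the locked backup account. Against a real system
    the same logic would read the native shadow or SAM format and use the
    platform's own hash verification rather than the PBKDF2 stand-in used
    here.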
    
    A representative from HCFA's inspector general's office, which serves
    as a watchdog department, wrote to lawmakers that the agency is aware
    of the problems. In February, the office cited 124 weaknesses on
    government and contractor computers that left data about Medicare
    recipients vulnerable.
    
    The report listed faulty passwords, lack of security plans and other
    problems at Medicare's central office.
    
    But officials still have no idea if they've been attacked.
    
    "While all of these weaknesses are troubling," wrote assistant
    inspector general Joseph E. Vengrin, "we do not know whether the
    resulting vulnerabilities have been exploited in terms of compromised
    medical information, fictitious Medicare claims, diversion of taxpayer
    dollars, or some other type of fraud or abuse by an 'insider' or a
    hacker."
    
    ISN is hosted by SecurityFocus.com
    ---
    To unsubscribe email isn-unsubscribeat_private
    
    This archive was generated by hypermail 2b30 : Wed May 23 2001 - 00:20:53 PDT