http://www.nandotimes.com/technology/story/13270p-269250c.html

The Associated Press

WASHINGTON (May 22, 2001 09:04 p.m. EDT) - Security experts will tell Congress on Wednesday that the agency controlling Medicare lacks enough computer security personnel to oversee the agency's many contractors and maintain the integrity of its networks.

The Health Care Financing Administration contractors were "outright obstructive to providing sound security," wrote Michael Neuman of En Garde Systems of Albuquerque, N.M., in a prepared statement to legislators.

The testimony will be given to a House oversight subcommittee looking into whether private medical information held by the government is secure from hackers.

Medicare provided health insurance for about 39.5 million elderly and disabled Americans at a cost of approximately $215 billion last year.

En Garde and other security companies were paid by HCFA to test its computer networks between 1997 and 2001. All of the companies found significant security weaknesses during their tests.

The oversight committee's chairman, James Greenwood, R-Pa., called for the agency to do better. "HCFA must improve the basics of security management," Greenwood said in prepared remarks.

Neuman complained that it took HCFA a year of negotiations to lay down the ground rules for their latest security test, and that En Garde was not allowed to touch certain systems during its tests, making the test results "unrealistic."

But even with the restrictions, En Garde had little trouble breaking in. "Using an extremely old, very well known vulnerability in the WWW server software, we were able to gain access to HCFA's Web server without any more technical expertise than it takes to point and click," Neuman said. From there, the security team could easily break into HCFA's internal network.

If a disgruntled former employee or outside hacker attacked HCFA in the same way, Neuman said, it could put millions of medical records and billions of dollars at risk.

Other security companies had similar experiences. "In its attempts to successfully subvert several user and administrator passwords, Allied Technology discovered blank, easily cracked and poorly managed passwords, both from user and administrator accounts," one report from a March 2001 test states, adding that no security updates were found on HCFA's computers.

A representative from HCFA's inspector general's office, which serves as a watchdog department, wrote to lawmakers that the agency is aware of the problems. In February, the office cited 124 weaknesses on government and contractor computers that left data about Medicare recipients vulnerable. The report listed faulty passwords, lack of security plans and other problems at Medicare's central office.

But officials still have no idea if they've been attacked. "While all of these weaknesses are troubling," wrote assistant inspector general Joseph E. Vengrin, "we do not know whether the resulting vulnerabilities have been exploited in terms of compromised medical information, fictitious Medicare claims, diversion of taxpayer dollars, or some other type of fraud or abuse by an 'insider' or a hacker."