Pertinent Log Management
In recent history there have been extensive and significant breaches affecting millions of people. These breaches have given criminals a large amount of data to sell and resell on the dark web, with a substantial effect on the affected consumers. They have three options to deal with this. The consumers may do nothing and hope the criminals do absolutely nothing with the personal data. This is not the optimal situation and could hardly be recommended. The alternatives are the affirmative defenses of freezing one's credit or contracting with a service to monitor their credit.
For the breached party, the consequence is a bit more serious, especially in the healthcare industry. Data was still exfiltrated, but in this case there are also healthcare records in addition to the usual records, including the SSN. At this point, the HIPAA statutory penalties may become an issue. On another front, the entity may face civil lawsuits from the consumers. Depending on the number of clients affected, this may amount to millions of dollars.
A recent example of a breach gone really bad occurred with eClinicalWorks, an electronic health records (EHR) vendor. There is presently a class action suit for nearly $1B based on the firm's software allegedly not being able to provide reliable health information for the patients. This would directly affect millions of patients. In effect, the patients have the "opportunity" to monitor their credit reports, health insurance reporting, and too many other data points to regularly monitor for abuse.
This was only a portion of the issue, however. The firm also agreed to a $155M settlement and entered into a five-year corporate integrity agreement with the Department of Health and Human Services Office of the Inspector General.
These relatively serious legal proceedings were initiated after the business allegedly did not adhere to its claim of meeting the HITECH Act EHR incentive program's certification requirement. Per the civil suit, the claims were that incorrect medical data was displayed, multiple patients' data was shown at the same time, incorrect medical histories were displayed, and, pertinent to the InfoSec field, the audit logs did not accurately record the user's actions, among other issues.
These deficiencies and oversights have led to financial repercussions for the business, reputational risk, and potential loss of revenue in future periods. Germane to the InfoSec industry is the log issue. Without a sound operational security stance, the logs are virtually useless and cannot be depended on. Logs that record user actions inaccurately are not useful and are pointless.
Unfortunately, this is not an isolated case. Examples of poor coding and data flows exist across the industry, creating issues for businesses and consumers.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.