Premera Data Security Audit Report: Another Case Study in What Not-to-Do

Don Miller

Beating the drum for better data security practices relating to out-of-date software

For some time now, bTrade’s MFT Nation blog has been beating the drum about the importance of updating data security software.  The drum beat (our message) has been to avoid being penny wise and pound foolish–i.e., it’s generally wise economically to make regular investments in upgrades to data security software, rather than face costly expenditures and downtime when your out-of-date software eventually malfunctions.  The drum beat continued when news broke about the FTC vs. Wyndham case, which MFT Nation blog described as a “case study for what not to do in the rapidly changing world of data security.”

The drum beat continues with the release of a data security audit report from the federal government involving Premera Blue Cross.

Premera is subject to such an audit because it handles claims for federal government employees.  The audit report noted several “areas of concern” and “opportunities for improvement” related to Premera’s “network security controls.”  Basically, the auditors found that “critical patches, service packs, and hot fixes are not always implemented in a timely manner,” and that no established “methodology” existed to ensure that “unsupported or out-of-date software is not utilized.”  The auditors found that Premera was using software “so old that they were no longer supported by the vendor and had known security problems.”

That’s not a good situation, as the auditors noted:

  • “Failure to promptly install important updates increases the risk that vulnerabilities will not be remediated and sensitive data could be breached.”
  • “Failure to remediate vulnerabilities increases the risk that hackers could exploit system weaknesses for malicious purposes.”

The takeaway:  It’s generally wise economically to make regular investments in upgrades to data security software, rather than face costly expenditures and downtime when your out-of-date software eventually malfunctions.

Premera has paid, and will continue to pay a steep price for running unsupported or out-of-date software:

  • Hackers stole PII (personally identifiable information) for 11 million current and former Premera customers, including names, dates of birth, Social Security numbers, addresses, banking information, claim information, and clinical information.
  • Premera customers are now at risk of identity theft, bank fraud, tax fraud and medical-identity fraud.
  • Premera is currently involved in five class-action lawsuits.
  • Several states are investigating Premera’s activities surrounding the data breach, including whether it failed to disclose the data breach to customers in a timely fashion, and the federal investigators can’t be too far behind.
  • The federal government audit report came several weeks before the data breach occurred, and Premera didn’t discover the breach for several months thereafter, which could subject Premera to punitive damages and statutory penalties for willful/reckless disregard for the privacy rights of its customers.

Simply put, it’s a mess.  Premera will suffer consequences that extend well beyond the cost and expense associated with the legal actions and regulatory investigations.  Premera will undoubtedly experience damage to its reputation and a decline in public confidence, which will adversely affect its competitive position and stock price.

Do yourself a favor.  Implement procedures and controls to ensure that production servers are updated with appropriate patches, service packs, and hot fixes on a timely basis.  Also, establish a methodology to ensure that only current and supported versions of system software are installed in the network environment.
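One way to turn that “methodology” into a repeatable control, as an added example that is not from the audit report or from bTrade: a script that checks a server inventory against a vendor support-lifecycle table and a patch SLA, flagging unsupported versions and hosts whose last patch date is past the SLA. The inventory, product names, versions and dates below are constructed for illustration.

```python
from datetime import date

# Constructed sample data (not from the audit report): vendor end-of-support
# dates per product version, and an inventory of production servers.
SUPPORT_END = {
    "webserver": {"2.4": date(2027, 1, 1), "2.2": date(2014, 1, 1)},
    "database": {"12": date(2026, 1, 1), "9.3": date(2014, 9, 1)},
}

INVENTORY = [
    {"host": "app01", "product": "webserver", "version": "2.4", "last_patched": date(2015, 3, 1)},
    {"host": "app02", "product": "webserver", "version": "2.2", "last_patched": date(2014, 6, 1)},
    {"host": "db01", "product": "database", "version": "9.3", "last_patched": date(2015, 2, 20)},
    {"host": "mft01", "product": "mft-gateway", "version": "7.0", "last_patched": date(2015, 1, 1)},
]

PATCH_SLA_DAYS = 30           # constructed policy: critical patches within 30 days
AS_OF = date(2015, 3, 15)     # constructed audit date


def audit_inventory(inventory, support_end, today, sla_days=PATCH_SLA_DAYS):
    """Return (host, finding, detail) tuples for every control failure found."""
    findings = []
    for item in inventory:
        eos = support_end.get(item["product"], {}).get(item["version"])
        if eos is None:
            # A version missing from the lifecycle table is itself a finding:
            # nobody can show it is supported, so it must be researched or removed.
            findings.append((item["host"], "unknown-version", "not in lifecycle table"))
        elif eos <= today:
            findings.append((item["host"], "unsupported", f"end of support {eos}"))
        overdue = (today - item["last_patched"]).days - sla_days
        if overdue > 0:
            findings.append((item["host"], "patch-overdue", f"{overdue} days past SLA"))
    return findings


def run_audit():
    """Run the check over the constructed inventory as of the constructed date."""
    return audit_inventory(INVENTORY, SUPPORT_END, AS_OF)


if __name__ == "__main__":
    for host, finding, detail in run_audit():
        print(f"{host:8} {finding:16} {detail}")
```

Run on a schedule against a real inventory, a non-empty result is the trigger for the remediation ticket the auditors expected to exist.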

bTrade Can Help

If you have questions or need assistance with your network security, please visit www.btrade.com or contact our data security experts at info@btrade.com.