Hackers may have gotten to Virginia health professions computers

Hackers may have infiltrated computers containing licensing information on doctors, nurses and other professions overseen by the Virginia Department of Health Professions.

By yesterday afternoon, all 36 computer servers storing the state agency's records were shut down after a midday message popped up on some computer screens that implied the system was being hacked.

The situation was being investigated as a security breach and possible criminal matter.

"Part of the system may have been hacked," said Sandra Whitley Ryals, director of the state agency that oversees licensing of health professionals, including doctors, nurses, dentists, funeral directors, physical therapists, social workers and others.

"We are trying to verify that. That is why the precautionary measure was done to shut the entire system down."

Ryals said they have no reason at this point to think the problem went beyond one server on which the initial message came up.

That shutdown meant employees could not send or receive e-mail or use their Web browsers, and for a time some telephones were not working.

"According to our security plan, we have notified the state police," Ryals said.

Any health professionals trying to log on to the agency's Web site yesterday afternoon to renew their license likely got a hanging hourglass or an error message.

Ryals said state police investigators along with information technology experts from Northrop Grumman and the Virginia Information Technologies Agency and the agency's own technology staff were working on determining whether there was a security breach.

"It's a shock to our system not to have the electronic availability, but we are able to receive calls," Ryals said.

Ryals said about 80 percent of the board's approximately 300,000 licensees renew online.

"Ideally, you don't wait until the last day." People can renew over the phone, she said.

She said they were still trying to determine whether personal details such as Social Security numbers were compromised.



Contact Tammie Smith at (804) 649-6572.

Reader Reactions

Posted by SEC101 on May 04, 2009 at 2:22 pm

Eleazar almost knows what he/she is talking about, NOT! VSP and other state agencies are not delaying transformation activities! They are not transforming because they have security requirements that no one at the CESC can meet. Would you want someone like Eleazar to have access to your personal data when he/she clearly does not understand IT Security? NO, you would want to make sure that everyone at the CESC that is going to have access to classified data meets the security requirements of your agency. So if the CESC DOES NOT already have these “state-of-the-art” systems in place, then shame on them! Security should have been in place before any systems were housed at the CESC. I say bring on the investigations! I suspect Eleazar works at the CESC! If this is to be true, then I think all agencies should fight transformation. This is not the first time there has been a breach of security of a system in the Partnership’s hands and unfortunately, I am sure it will not be the last. We all know they have outages! This contract is driven by money, if these agencies don’t transform, NG doesn’t get paid. They have deadlines. Unfortunately, security gets in the way!

Posted by DarnYankee on May 02, 2009 at 8:26 am

The Department of Health Professions has not yet been “transformed” to the Partnership infrastructure, (if the article’s assertion that the agency lost its email and other services by shutting down its servers is correct.) The Partnership is only completing its third year of operation, so while Northrop Grumman may have been in position to “understand state agency networks” they have only been in position to do anything for less than three years, contrary to FrannyL’s assertions; and again, DHP is operating on its pre-Partnership systems. As to her comment about State Police, the delaying tactics that VSP and other agencies have practiced have actually delayed the state’s progress to the state-of-the-art systems and security that could have prevented this incident.  I say, bring on the investigations, but if an agency has obstructed the progress of transformation, the people responsible should also be held accountable.

Posted by Question Govt on May 01, 2009 at 1:38 pm

FrannyL: Having retired after a career of over 25 years in Info Technology that culminated with a considerable number of years involving IT security assessment in a nationwide environment, I am all too aware of the reckless disregard of security in the rush to implement projects which often are poorly planned, woefully behind schedule, fail to comply with specs, and inadequately monitored by the system owner. Were it not for the ethical breach my divulging information gained during my involvement with such projects would represent, I would cite several specific examples - one on a national scale. The “Partnership”, and especially external entities, should never be left in a position in which they can compromise security - they require the constant robust oversight and vigilance of the system owner!

Given the circumstances you cite which could probably be easily confirmed, it would seem that an investigation by the Attorney General and Auditor of Public Accounts might be in order. Hopefully the contractual documents that formed the partnership and govern the projects producing the security exposures include penalties for such wanton disregard for maintaining a secure environment.

Posted by FrannyL on May 01, 2009 at 1:21 pm

Dogtown, what you speak of is actually in play already. A Northern Virginia group is actively doing this already. But the problem here is that security is being compromised by the partnership to meet deadlines on their contract. The partnership has had more than five years to fully understand the state agency networks, but they dropped the ball in this area. Now they are rushing the project along and causing a lot of issues like this. This means “back-dooring” agency networks, getting rid of most of the knowledgeable workers at each agency, and skirting security measures already in place in efforts to show progress quickly, and more importantly, MAKE MONEY off the State of Virginia. This is just one of many that actually got media coverage. Right now there are more agencies in this situation. Virginia State Police has had it right all along: Keep the partnership at arm’s length. VITA and Northrop Grumman do not understand public safety. Look for more gaffes in the future.

Posted by Question Govt on May 01, 2009 at 11:27 am

It would be a useful exercise for an objective qualified external agency at the instigation of the Auditor of Public Accounts to perform an audit the scope of which examines existing controls, the adequacy of previous audits, and whether findings of previous audits were timely and adequately addressed. The results and confirmed corrective actions should be publicly reported to the extent possible without divulging specific information which would aid hackers.

Security is never 100%. However, there have been far too many assertions of successful intrusion in the Commonwealth’s systems recently.

Posted by redskyatnight on May 01, 2009 at 10:47 am

Security is of utmost importance to all state agencies.  I’m sure the IT audit staff at the Auditor of Public Accounts will launch an investigation separate from their yearly audit.

All systems have the ability to get hacked.  Security is not 100% on any system.

Posted by smileyginger on May 01, 2009 at 9:07 am

The state conducts internal audits every year and the IT partnership also conducts their own audit every year.  It’s what they DO about it that counts.

Posted by Question Govt on May 01, 2009 at 6:41 am

Is the apparent inadequacy, failure, or absence of effective information security controls not something Virginia’s citizens should have expected would have been remedied by the massive expenditures in outsourcing Information Technology to Northrop-Grumman?

One wonders about the security of all state IT systems and how one of the senior people responsible for the Commonwealth’s IT activities could be qualified for his recent Presidential appointment.

This breach of security should serve as an impetus for an immediate independent and full IT security audit by an outside organization having a proven record in the effective assessment and remediation of security controls in complex, critical, IT systems and networks. Those responsible for failures that result in credible adverse findings should be demoted or terminated.
