[ISN] Medica ignored warnings, says ex-employee

[InfoSec News]

http://www.startribune.com/stories/462/5481317.html

Glenn Howatt
Star Tribune 
June 29, 2005

The former manager of computer security for Medica Health Plans said
the company ignored repeated warnings that its information system was
vulnerable to attack and abuse.

Scott Charleson, the health plan's security engineer until early 2004,
said Medica didn't act on his recommendation to "lock down" the
computer system and protect sensitive information, including personal
information about Medica's 1.2 million members.

That and other measures could have prevented two Medica computer
administrators from allegedly sabotaging the company's computers and
downloading data earlier this year, Charleson said.

"I left the company in January 2004 because it was clear to me that
they had no intention of taking action on serious security issues
until something blew up," he said.

Officials of the Minnetonka-based health plan denied that they skimped
on security during Charleson's tenure. The two accused employees were
fired and Medica sued them in April. They have not been charged with a
crime.

"We detected something happened, we analyzed it, investigated it ...  
and took appropriate action," said Chris Grillo, Medica's director of
information security.

Still, it took Medica's security investigators at least 45 days to
detect problems and another 20 days before the company took direct
action to stop the employee alleged to have done the most damage,
according to court documents.

During that time, the system was sabotaged four times, limiting
legitimate access by employees and vendors. Confidential business
documents were copied, including personnel information about the
information technology department as well as letters to outside
attorneys concerning lawsuits, according to court documents.

Evidence destroyed

The perpetrators knew they were being tracked because they read the
e-mails of security investigators. They found and used a secret
account and password that the investigators had created to stabilize
the system. Instead, the account was used to disable the accounts of
12 employees, the documents said.

And even after Medica had identified the suspects, they erased the
hard drives of their company laptops without interference, destroying
critical evidence, according to court documents.

Charleson said it shouldn't have taken Medica two months to find and
stop insiders from creating computer havoc.

He said such companies should have programs in place to "watch the
watchers," the systems operators who have the most opportunity to
cause damage.

Charleson said he wanted to hire an outside company to test Medica's
security.

"Not once, from December 2001 to January 2004, was there a security
audit by a third-party security company," he said.

Charleson said his proposals were never vetoed outright. But as top
managers kept delaying decisions, he grew more concerned.

"I know that I am missing attacks on our network," he wrote in a memo
in 2002 to his supervisors. "Maybe they are not successful, maybe they
are and we just haven't found it yet. Either way, it's my worst
nightmare."

Medica defense

Medica officials disagree with Charleson's assessment of the company's
computer security then and now. But they acknowledge that there were
disagreements at the time about how to improve security.

"Were there differences of opinion about how to handle that? There
probably was," said spokesman Larry Bussey. "But from the highest
levels on down, security was an issue that people cared about and
committed to."

Grillo said that since he became security officer in March 2004, the
system has been tested several times through internal and external
audits. Most recently, an outside auditor found Medica to be in
compliance with federal standards requiring health plans to protect
member privacy.

"I have been with Medica now for a year and a half, and the security
mindset is excellent compared to what I've seen in other industries,"  
said Grillo.

In response to this year's security breach, Medica has tightened its
hiring practices and has limited broad administrative access to the
system.

In the end, Medica did find the alleged perpetrators, and even though
it is not completely certain about what information was downloaded,
the evidence suggests that it did not include personal information
about Medica members.

Detection difficult

Grillo said Medica has and did have all of the safeguards that
Charleson proposed.

"The hardest thing to do is detect an authorized person doing
unauthorized things," Grillo said.

One of the former employees, he said, was in charge of the company's
e-mail system. Periodic audits would have found that sensitive e-mails
were being copied, he said, but immediate detection would be possible
only if the company scrutinized every keystroke the employee made.

Medica said it has enough evidence to prove that the two former
employees were responsible for the security breaches.

However, attorneys representing the employees, Austin Vhason and
Pushpa Leadholm, have said the shortcomings of Medica's system will be
an issue for the defense.

Court papers filed on behalf of Leadholm allege that Medica didn't
take appropriate steps to protect its secret and confidential data,
leaving the door open to countless electronic intruders and calling
into question whether the system has recorded enough electronic
fingerprints to point to the real culprits.

Both employees denied any wrongdoing. In its suit, Medica seeks to
recover the downloaded data, inspect the two suspects' home computers
and recover the costs of detecting the security breaches.