son learned is ignored, the goal AC-3.1 or its sub-goals would be affected.
Step 4: Elaborate the Context and Strategy.
Since this security incident happened in the VA, the strategies and context information are the same (i.e. the strategy is stated as “Argument over FISCAM”, and the context used to explain “FISCAM” in the strategy notation is stated as “Federal Information Security Controls Audit Manual”). Figure 4.2 presents the Generic Security Template built for the VA 2007 data leakage incident.
In the VA 2007 data leakage incident, we found two lessons learned that are similar to those of the VA 2006 data leakage incident, with almost identical security issues and recommendations: “Sensitive Information” and “Administrative Actions”. It seems that the VA has not effectively implemented the recommendations from the VA 2006 data leakage incident to prevent these issues from recurring. One lesson, “Position Description”, is found to have an identical security issue but different recommendations. It was recognised as a newly added aspect of the FISCAM in both GST instances, which indicates that this lesson is probably a necessary aspect that is not covered by the security guideline. There are also some extra lessons found in this incident: “Access Control”, “Security Policy”, “Risk Analysis” and “Management Structure”. The same type of security incident, a data leakage incident, can have different causal issues behind it. As we can see, the use of the GST facilitates the comparison of similar incidents from organisations that apply the same security guidelines/standards.
4.3 Shenzhen data leakage incident 2008
4.3.1 Case description
In 2008, the healthcare information of pregnant women was disclosed from the hospital of Shenzhen, China. The criminals obtained up to 40,000 items of medical information, including the pregnant women’s names, babies’ birth dates, home addresses, mobile numbers, etc. This information was updated monthly, adding up to 100,000 items in total. The information was sold to businesses that were aiming to seize the market immediately after the new babies were born. These companies used the stolen data to push sales of products and services such as first milk, babysitting services, fitness services for pregnant women, etc. through phone calls or messages. People were affected and felt offended by such behaviours. The victims believed the data came from the profiles (names, mobile numbers, addresses, estimated birth dates, etc.) they had provided for registration in the hospital. Anyone with access to the information could be suspected of disclosing it to others, and people are increasingly concerned about the security of healthcare systems. Hospitals in China had only just started to use healthcare information systems (HIS). The managers were focusing more on business functionality than on system security [16].

AC: User access control is addressed.
Healthcare System (HS) is acceptably Secure.
SM: Security management is controlled.
SM 1: Security management program is established.
Position Description: Re-evaluate and correct position sensitivity levels.
Risk Analysis: Develop and issue Government-wide risk analysis criteria.
SM1.2: A security management structure has been established.
Management Structure: Establish an accurate functional description and performance plan to clarify the line authority and reporting relationship.
SM 3: Security control policies and procedures are documented and implemented.
SM3.1: Security control policies and procedures are documented, approved by management and implemented.
AC3: Effective authorisation controls are implemented.
AC3.1: User accounts are appropriately controlled.
Access Control: Avoid the abuse of programmer level access control.
AC4: Sensitive system resources are adequately protected.
AC4.1: Access to sensitive system resources is restricted and monitored.
Sensitive Information: Use encryption, or other effective tool, to protect personally identifiable information stored on removable storage.
Argument over FISCAM
Healthcare System of VA
Federal Information Security Controls Audit Manual
AC5: An effective audit and monitoring capability is implemented.
AC 5.3: Incidents are properly analysed and appropriate actions taken.
AC 5.3.3: Appropriate disciplinary actions are taken.
SM 3.1.1: Security control policies and procedures at all levels are documented, address purpose, scope, roles, responsibilities, and compliance.
Administrative Action: Take appropriate administrative action against the people involved in this incident for their inappropriate actions.
Security Policy: (1) Ensure that data security plans for research projects comply with information security policies; (2) Ensure human subjects in research, compliance with information security requirements; (3) Discontinue storing email on unauthorised system.
Argument over All Missing Security Recommendations (Standard non-existent)

Figure 4.2: Instance of the Generic Security Template - VA 2007 data leakage incident
4.3.2 Instance of the Generic Security Template
Step 1: Prepare the goal structure.
As we move to a healthcare organisation in China, the security standard we use is Information security technology - Baseline for classified protection of information system (GB/T22239). As mentioned in Chapter 2, it is required by the Ministry of Health of the People’s Republic of China. Health information systems and their related units should be self-examined in accordance with GB/T22239. In particular, a tertiary (highest level) hospital needs to achieve at least the third level of the security standard.
Step 2: Identify the lessons learned.
As with the VA 2006 and VA 2007 data leakage incidents, the lessons learned (security issues and recommendations) are identified by looking for the learning points in the security incident report. The identified security issues and recommendations can be found in Table 4.3.
Table 4.3: Shenzhen data leakage incident 2008

| Security Issues | Security Recommendations |
| --- | --- |
| Network Security | Network security needs to be ensured by following the security standards. |
| Sensitive Information | Define the information sensitive level according to the security standards. |
| Security Policy | Establish and enforce security policy according to the security standards. |
| Security Audit | Establish and conduct security audit plan according to the security standards. |