Health Information Trust Alliance had a public web server compromised by an SQL injection on Monday, exposing some test data

HITRUST SQL Injection Exposes 111 Records, Test Data

1 comment

The Health Information Trust Alliance had a public web server compromised by an SQL injection on Monday, exposing some test data.

Hacker group Team Berserk claimed responsibility for the attack, publishing 111 records, including some real names, companies, addresses, phone numbers and email addresses, as well as six encrypted passwords. The test database was populated with information from rosters previously made public from planning meetings held in 2008, HITRUST says.

HITRUST called the breach non-critical since the affected server didn’t store any personal health or other sensitive information, but any security compromise to an organization responsible for data security best practices for healthcare organizations should be regarded as serious. Security is so important to healthcare providers that it is usually the main consideration when deciding which hosting or cloud provider to go with. 

“We sincerely regret any inconvenience this has created and take data security very seriously. It is our mission to protect information and do so in a manner that is appropriate and practical given the risks. We had not deemed this particular web server and test data to require higher assurances,” HITRUST said in a statement. “We have updated our policies both to non-critical, non-sensitive web servers and our test environments and will secure our test environments and public general information websites to a higher assurance level. The server in question has been addressed and test information deleted. None of our other servers or data centers were involved in this event.”

HITRUST says it maintains its operations in compliance with the Common Security Frameworks and uses CSF Certified environments. Last year, FireHost announced that it had reached CSF-certified status from HITRUST. FireHost said it secured this status based on its commitment to securing clients’ electronic personal health information from cyberattacks.

Do you have HITRUST CSF certification? Do you think this attack damages HITRUST’s reputation? Let us know in a comment.

Add Your Comments

  • (will not be published)

One Comment

  1. Jonathan Taylor

    The recent incident of HITRUST being hacked, in my opinion, is not a surprise. HITRUST is a likely target because of its mission to improve security in a critical industry sector - healthcare - and because it maintains highly sensitive information. The bigger take away is that this event illustrates the value of a risk-based security approach. HITRUST says they evaluated the risk to this particular asset and assigned a low level security policy requirement based on the fact that the web server is non-critical and that the test data was already publicly availability information. On the other hand, HITRUST says its high value assets were assigned to a higher assurance level and were not touched. This is the kind of risk trade-off CISOs have to make every day: there will never be enough money to secure everything so you have to allocate your resources and secure the assets that are the highest risk to the business. One could argue that HITRUST should have assigned a higher security policy level to this server, not because the data was sensitive, but purely to mitigate reputational and other intangible risk factors. Based on the negative press it appears they are reconsidering this. This is how a risk-based security model is supposed to work. And this is how the CSF works, which requires a data classification and appropriate safeguards to protect data based on the healthcare-specific regulations, best practices and risk factors. This is the real merit of the CSF Certification.