Security Culture

The ideas, customs, and social behavior of a particular people or society
that allows them to be free from danger or threats.

Sensitive medical data exposed to Internet

Daniel Andersson

Information Security Advisor and Consultant at CAPSAB
Daniel is a senior security manager in the banking and card industry; he has worked with PCI DSS since 2005 and has broad experience of implementing PCI DSS.

Daniel also has an IT engineering background, having worked with a broad selection of platforms and communication equipment.

Daniel is an ISACA Certified Information Security Manager (CISM), a PCI Professional (PCIP) and a certified Security Culture Practitioner.

In Sweden a security incident related to the medical services that 1177.se delivers is currently being revealed. 1177 is a joint effort by the Swedish public sector to provide health care advice via the Internet and by phone; it also acts as a portal to other health care services that are online.

All phone calls are routed to different private companies, some located in Sweden and some abroad. This incident relates to a company that is sub-contracted by one such company to deliver these services.

This sub-contracted company has in turn contracted another company to manage all of its voice services, including call recording. The recordings themselves often include personal identity numbers (SSN) and medical issues, both current and past, all of which counted as sensitive data before GDPR and still do under GDPR.

The company providing the voice services, Voice Integrate Nordic, has over the past days shared a lot of information about the incident in the media; that is the information I use for the analysis below of the incident from a security culture standpoint.

The CEO of Voice Integrate Nordic, Tommy Ekström, has said that the incident is due to a human error. That may be a correct analysis if one looks only at this single incident, but looking at the whole picture and at the answers Tommy Ekström gives in the media, it is clear that this is not down to a single human error but rather to the company's security culture, or, as it seems in this case, a lack of security culture.

The main incident is that a Network Attached Storage (NAS) device was connected directly to the Internet without any authentication. On this NAS, recordings of at least 2.7 million phone calls to the 1177 medical services have been available for download from the Internet without any protection.

CEO Tommy Ekström has explained this as a human error: during an upgrade, an Internet cable was accidentally plugged into the NAS. At the same time Tommy has clearly stated that the company did not have any checks or checklists to ensure that security measures were in place to identify whether equipment was connected directly to the Internet.

Investigating this a bit further, Voice Integrate Nordic manages its own Internet connectivity with several ISPs connected, which clearly indicates that there is more to this than has been told in the media. If the only thing that happened was that the NAS was accidentally connected with the wrong cable, it would not have been able to communicate with the Internet, as it is unlikely that they run DHCP services on their external Internet segment; therefore the person who connected the device to the Internet must have configured the device's IP settings so that it could communicate with the Internet. If they do run DHCP services on the external Internet segment, that would indicate another flaw in their security mindset.

Another indication that this was not a human error is that the NAS has a DNS entry, which would have needed to be added manually to the DNS server in two different domains. This strongly indicates that the Internet connection was part of the design.

(Figure: DNS records showing that the NAS was registered in several domains.)

While the NAS was connected to the Internet it still collected new recordings from the voice systems. This indicates that the setup was made to work with the Internet still connected, either by using dual interfaces on the NAS or by configuring the voice system to send the recordings to the NAS's Internet IP address.

Looking further at what Tommy Ekström has shared with the media, it clearly shows a big lack of security culture in the management team, which most likely is evident throughout the whole organization. The quotes follow, in my English translation with the original Swedish quote in parentheses.

“It hadn’t done anything if you didn’t know that the server had this problem, but Computer Sweden did find this.” (“Det hade inte gjort något om man inte kände till att servern hade det här problemet, men det fick Computer Sweden reda på.”)

The above shows their complete lack of security culture: believing that a security weakness is no issue as long as nobody knows about it shows that the firm does not have a clue about information security. All security weaknesses will sooner or later be found, and in this case it may well have been found long before the journalists at Computer Sweden got hold of the story.

“If you have an advanced technology then it is impossible to protect yourself against everything.” (“har man en avancerad teknologi så är det omöjligt att skydda sig mot allt.”)

I agree that it may be impossible to cover all aspects of security, but in this case it is not advanced technology; it is a simple NAS server connected to a public network segment. If they had good vulnerability management procedures in place, they would have run vulnerability scans against their whole external Internet segment and found this NAS. Or, more simply, they could have implemented segregation of duties so that at least two persons would have been needed to perform this task, one responsible for network configuration changes and one for the NAS changes. One could also argue that stricter change management would have solved this; in this case I am not really sure of that, because given the lack of security insight the company seems to have, even if this was not an approved change I am not sure it would have been stopped in a formal change request.
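The two observations above, that a public DNS record for the NAS had to be added by hand in two domains and that a scan of the company's own external segment would have found the device, point at the same control: treat your own DNS zones as an inventory of what you have exposed and reconcile them against the list of hosts approved for Internet exposure. The script below is an added example written for this article; it is not code from the original post or from Voice Integrate Nordic. The zone names, hostnames, addresses, external prefix and change-ticket ids are all constructed.

```python
"""Reconcile DNS zone records against an approved Internet-exposure inventory.

Added example (not from the original article or from any company it names):
every zone, hostname, address and ticket id here is constructed. A host on
the external segment only gets a public DNS name if someone adds it, so the
organisation's own zones list what it has exposed; diffing them against an
approved-exposure list finds unplanned exposures before an external scan
(or a journalist) does.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsRecord:
    zone: str   # zone the record lives in
    name: str   # relative owner name
    rtype: str  # record type, e.g. A, AAAA, CNAME
    value: str  # record data


# Constructed zone exports: the same host registered in two zones, as the
# article describes, plus one approved web server and one internal host.
ZONE_RECORDS = [
    DnsRecord("example-one.test", "www", "A", "203.0.113.10"),
    DnsRecord("example-one.test", "nas", "A", "203.0.113.45"),
    DnsRecord("example-two.test", "nas", "A", "203.0.113.45"),
    DnsRecord("example-one.test", "intranet", "A", "10.20.30.40"),
    DnsRecord("example-one.test", "mail", "CNAME", "www.example-one.test."),
]

# Constructed: the organisation's own external Internet segment(s).
EXTERNAL_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed: hosts with a documented reason to be reachable from the
# Internet. The ticket id is a placeholder, not a real change record.
APPROVED_EXPOSURE = {
    "www.example-one.test": "CHG-PLACEHOLDER-1",
}


def on_external_segment(addr: str, prefixes) -> bool:
    """True if the address lies inside one of our external prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)


def unapproved_exposures(records, approved, prefixes):
    """Return [(ip, [fqdn, ...]), ...] for every external address that has
    an address record under a name not on the approved list.

    Grouping by address rather than by name surfaces the same host
    registered in several zones as one finding.
    """
    names_by_ip = defaultdict(set)
    for rec in records:
        if rec.rtype not in ("A", "AAAA"):
            continue  # CNAME/MX/TXT carry no address to check
        if not on_external_segment(rec.value, prefixes):
            continue  # internal address: not an Internet exposure
        names_by_ip[rec.value].add(f"{rec.name}.{rec.zone}")

    findings = []
    for ip in sorted(names_by_ip, key=ipaddress.ip_address):
        unapproved = sorted(n for n in names_by_ip[ip] if n not in approved)
        if unapproved:
            findings.append((ip, unapproved))
    return findings


def report(findings) -> str:
    """Render findings as review-ready lines, one per exposed address."""
    if not findings:
        return "no unapproved exposures"
    return "\n".join(
        f"{ip}: {', '.join(names)} (no approved exposure record)"
        for ip, names in findings
    )


if __name__ == "__main__":
    print(report(unapproved_exposures(ZONE_RECORDS, APPROVED_EXPOSURE,
                                      EXTERNAL_PREFIXES)))
```

Run periodically against real zone exports, this is the cheap half of vulnerability management: it needs no scanner, only the zone files and the change records, and the diff is what the segregation-of-duties reviewer would sign off on.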

Tommy Ekström also assures in a statement that it was hard for ordinary people to access the data; he says: “Ordinary people did not do it, but those who can do this could do some kind of special command movement and slip into the back door.” (“Vanliga personer klarade inte av det, men de som kan sådant här kunde göra något slags speciell kommandorörelse och slinka in bakvägen.”)

The special commands he refers to amount to opening a web browser and typing the address http://nas.applion.se:443/, which in my world is something almost anyone who uses a computer is able to do.

Voice Integrate Nordic have themselves investigated the incident and come to the conclusion that only 55 files were downloaded as a result of this incident. Whether that is true may be argued: the NAS has had several vulnerabilities, it was not properly monitored, and an intruder may have been able to delete log files on the server. Nor has Voice Integrate Nordic stated how long they store the download log files; they may be rotated automatically within a certain timeframe, losing the ability to track all downloads. Ekström also states “We have people who are incredibly good at this.” (“Vi har folk som är otroligt duktiga på detta.”) when describing why they do their own investigation instead of hiring external experts. Ekström does state that they may consult external experts, but that is not certain.
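The "55 files" figure is only as good as the logs it was counted from. A download count from a device's access log is conclusive only if the retained log reaches back to the start of the exposure; if rotation has discarded the older entries, the count is a lower bound, not a total. The script below is an added example written for this article, not code from the original post or from Voice Integrate Nordic: the access-log lines and their format, the exposure start date and the file suffix are all constructed, since the real device's log format and exposure period are not stated.

```python
"""Check whether retained access logs can account for every download made
while a device was exposed.

Added example (not from the original article or from Voice Integrate
Nordic): the log lines, their common web-server format, the exposure start
and the recording file suffix are all constructed assumptions.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed access-log lines; one corrupt line shows the parser skipping.
LOG_LINES = """\
198.51.100.7 - - [14/Feb/2019:09:12:01 +0000] "GET /recordings/2019/ HTTP/1.1" 200 8813
198.51.100.7 - - [14/Feb/2019:09:12:30 +0000] "GET /recordings/2019/call-000123.wav HTTP/1.1" 200 4194304
192.0.2.33 - - [16/Feb/2019:22:41:09 +0000] "GET /recordings/2019/call-000987.wav HTTP/1.1" 200 2097152
192.0.2.33 - - [16/Feb/2019:22:41:10 +0000] "GET /recordings/2019/call-000988.wav HTTP/1.1" 404 0
this line is corrupt and should be skipped
""".splitlines()

# Constructed: when the device is believed to have become reachable.
EXPOSURE_START = datetime(2019, 2, 1, tzinfo=timezone.utc)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)'
)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
        "bytes": int(m["bytes"]),
    }


def parse_log(lines):
    """Parse all lines, silently dropping unparseable ones."""
    return [e for e in (parse_line(line) for line in lines) if e is not None]


def count_recording_downloads(entries, suffix=".wav"):
    """Count successful GETs of recording files; directory listings and
    failed requests are not downloads."""
    return sum(1 for e in entries
               if e["method"] == "GET" and e["status"] == 200
               and e["path"].endswith(suffix))


def unaccounted_window(entries, exposure_start):
    """Time between the start of the exposure and the earliest retained
    entry: downloads in that window left no trace in what was kept.
    None means nothing was retained at all."""
    if not entries:
        return None
    earliest = min(e["ts"] for e in entries)
    return max(earliest - exposure_start, timedelta(0))


def analyse(lines, exposure_start=EXPOSURE_START):
    """Summarise what the retained log can and cannot prove."""
    entries = parse_log(lines)
    gap = unaccounted_window(entries, exposure_start)
    return {
        "retained_entries": len(entries),
        "downloads": count_recording_downloads(entries),
        "unaccounted_seconds": None if gap is None else int(gap.total_seconds()),
        "conclusive": gap is not None and gap == timedelta(0),
    }


if __name__ == "__main__":
    for key, value in analyse(LOG_LINES).items():
        print(f"{key}: {value}")
```

With the constructed data the retained log starts 13 days after the assumed exposure began, so the two downloads it shows are a floor, not a total; that is the question an external investigator would put to the "55 files" figure, together with whether the log could have been altered on the device itself.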

With all of the above in mind, it is clear that Voice Integrate Nordic needs to start a security culture program, starting at top management level and drilling down through the organization across all topics, in parallel with implementing better technical controls to find such vulnerabilities at an early stage.

As for responsibilities under GDPR and medical law, it will be interesting to follow the official investigations to understand who is responsible, as there are a lot of entities involved. From a customer viewpoint I have a relationship with 1177, which is a brand owned by Inera AB; they provide this service for the counties in Sweden, and it is the counties that have contracted the private companies to give medical advice via phone. So from a GDPR standpoint, what responsibility does each party have?

Quotes and information collected from IDG and DN:

https://computersweden.idg.se/2.2683/1.714787/inspelade-samtal-1177-vardguiden-oskyddade-internet

https://www.dn.se/ekonomi/ansvarig-for-vardguiden-haveriet-manskliga-faktorn/