See our previous post, ISOS Data Breach and Loss of Patient Information Waiting to Happen.
Knowing that International SOS (ISOS) does not respond to many inquiries posed to them, we passed the security issues with the ISOS webpage on to the Defense Health Agency (DHA). The hope was that they would take the lack of security seriously and direct their contractor to fix the issues.
After our initial discovery of the security issues we ran some tests against the website using Qualys SSL Labs. If you want to learn more about these kinds of security issues or run the test yourself go to the link. The site runs a large number of tests and simulated activity against the website and provides a report. The report carries an overall grade from A+ to F along with detailed information on the findings and basis for the grade.
Our initial test of the ISOS Claims log-in site resulted in a grade of F. See results. We sent this along in a supplemental email to DHA.
Our hope was that we would get an acknowledgement of the problem and an indication it was fixed or would be fixed. Instead, on 16 June 2015 we received the following:
“Thank you for sharing your security concerns with the Defense Health Agency. I want to assure you we take cyber security and the security of our beneficiaries’ personal information very seriously, as does International SOS. The DHA, International SOS and WPS proactively identify and remediate new vulnerability threats on a regular basis. Using the National Institute of Standards and Technology (NIST) standards (a requirement of all TRICARE contracts regardless of geographic area covered) and the NIST validated vulnerability scanner, International SOS and WPS monitor all sites. Additionally there are a number of other scans and controls in place to ensure the security and privacy of the beneficiary information. Specific scans and controls are not shared with the general public for obvious reasons.”
No acknowledgement that there was a problem or that it had been or would be fixed.
So we again ran the above test and were rewarded for our efforts with another grade of F.
Yesterday, as we were preparing to publish this post, we ran it once again. The result this time came back with a grade of C. See results. While they still failed to correct the issue with the obsolete TLS 1.0, they did close the hole that allowed “Poodle (TLS)” attacks. A review of the detailed results, however, continues to show numerous areas of weakness.
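To make concrete what the “obsolete TLS 1.0” finding means, here is an added example of ours in Go (not code from ISOS, DHA or SSL Labs): a server whose protocol floor is still TLS 1.0 lets a legacy client negotiate it, while a server whose floor is raised to TLS 1.2 refuses that same client instead of downgrading. The handshake runs entirely in memory over net.Pipe with a throwaway self-signed certificate; the NegotiatedVersion function and the certificate are our own constructions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// NegotiatedVersion runs one in-memory TLS handshake (net.Pipe, no network) between a server
// whose floor is serverMin and a client pinned to clientVer; an error means the server refused it.
func NegotiatedVersion(serverMin, clientVer uint16) (uint16, error) {
	// Throwaway self-signed certificate: test scaffolding only, never verified by the client below.
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return 0, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return 0, err
	}
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	srvCfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: serverMin}
	cliCfg := &tls.Config{InsecureSkipVerify: true, MinVersion: clientVer, MaxVersion: clientVer} // skip verify only because the cert is throwaway
	c, s := net.Pipe()
	defer c.Close()
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(s, srvCfg).Handshake() }()
	client := tls.Client(c, cliCfg)
	if err := client.Handshake(); err != nil {
		return 0, err
	}
	if err := <-srvErr; err != nil {
		return 0, err
	}
	return client.ConnectionState().Version, nil
}

func main() {
	v, err := NegotiatedVersion(tls.VersionTLS10, tls.VersionTLS10) // weak floor: a legacy client gets TLS 1.0
	fmt.Printf("floor TLS 1.0, TLS 1.0 client: version=%#x err=%v\n", v, err)
	_, err = NegotiatedVersion(tls.VersionTLS12, tls.VersionTLS10) // hardened floor: the same client is refused
	fmt.Printf("floor TLS 1.2, TLS 1.0 client: err=%v\n", err)
}
```

The version printed for the weak floor is 0x301 (TLS 1.0); the hardened server answers the same client with a protocol-version alert, which is what an A-grade configuration does.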
Just for kicks we decided to run the same security test on a couple of other sites to see what results we would find. Most of you may know that recently OPM admitted that they had a significant loss of data when their websites were hacked. We decided to run the test against the login page for OPM retirees. We received a grade of B. See results. If this was the level of security when they were breached it doesn’t bode well for our claims and personal data on ISOS’s webpage with a grade of C. If this is the grade they received after correcting their security issues it still doesn’t bode well for our data nor the OPM data.
As an additional test we again ran the test against our bank site, USAA. The results came back for two sites used when authentication occurs. Both sites garnered an A+. See results. Note the result list is short since there were no shortcomings noted. This is the kind of security we expected from DHA, based on their “pat me on the back” response above.
Are they going to continue to fix the numerous weaknesses, or have they finished? We don’t know, and the “pat me on the back” response we received from DHA leaves us clueless, which obviously was intentional. Only time and constant checks will reveal whether they actually bring the website up to the high standard we should be able to expect, the standard DHA claims is maintained through constant monitoring; except, of course, for our claims data, where that constant monitoring apparently failed to detect anything.
If you want to find out the real story behind DHA’s focused attack on TRICARE beneficiaries in the Philippines instead of their spin and propaganda, read TRICARE: Betrayal in the Philippines, Is This the Future of TRICARE Overseas? It is available at the link and most online book sales outlets such as iBooks, Barnes & Noble, Amazon and others.
Never forget the Defense Health Agency and International SOS always have your back when it comes to high quality and easy access to care; just ask them!