By Mac McMillan and David Holtzman
On August 19th we awoke to the news from Community Health Systems (CHS) that the records of 4.5 million individuals had been disclosed when a cyber criminal was able to penetrate its information system. CynergisTek believes that healthcare organizations should treat the CHS breach as a call to action on the steps needed to prevent a similar event from occurring elsewhere.
First, an update on the developments that we have been able to corroborate. Federal investigators determined that the hackers gained access to the information system by taking advantage of a misconfigured Juniper router that had not been updated with the software fix for the vulnerability known as Heartbleed. The hackers penetrated the CHS system through the opening that Heartbleed created. Once access controls were compromised, other tools were introduced to exploit the CHS environment and steal the personal information of millions of people maintained in its information systems.
Investigators have traced the attack to the APT18 group, which is "believed" to have ties to the Chinese government and has been involved in other high-profile attacks on China's behalf. While APT18 and the Chinese usually target intellectual property, what was stolen here was names, addresses, dates of birth, telephone numbers and Social Security numbers, all useful for identity theft and valuable on the black market. The RAND Corporation just published a very informative study on the behavior of these criminal marketplaces, "Markets for Cybercrime Tools and Stolen Data: Hackers' Bazaar".
The information we have learned about this incident has led us to the opinion that CHS had very poor security controls and was not monitoring what was happening in its environment. Keep in mind that CHS has not commented with specific information concerning the breach beyond acknowledging the incident, as the HITECH Breach Notification Rule requires. Reliable sources of information to this point have been Federal agencies seeking to raise awareness of the critical threat that APT18 poses to information systems, and Mandiant, a vendor of information security technology.
Even at this early stage of the investigation, and without transparency from CHS, all of us can take valuable lessons from this breach. First, healthcare organizations that are expanding through acquisition should look very closely at the information systems being acquired as part of the due diligence in the M&A process, to make sure their security meets the acquirer's standard. Second, Heartbleed may be gone from the headlines, but any system using SSL needs to be checked and fixed if it is running the vulnerable variant. Third, both inbound and outbound traffic should be monitored and analyzed. Fourth, log information cannot simply be collected; it needs to be reviewed. Lastly, nothing can substitute for a thorough enterprise-wide information system risk assessment.
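The second lesson above, checking every SSL-bearing system for the vulnerable variant, starts with an inventory of the OpenSSL builds in use. The following script is an added example written for this post; it is not code from CynergisTek, CHS or any investigator. It classifies OpenSSL version banners against the upstream release range that shipped with Heartbleed (1.0.1 through 1.0.1f and 1.0.2-beta1; fixed in 1.0.1g and 1.0.2-beta2, with the 0.9.8 and 1.0.0 branches never affected) and flags vendor-patched builds separately, because distributions backported the fix without changing the upstream version string. The host names and banners in `INVENTORY` are constructed sample data, not real systems.

```python
import re
from typing import Dict, List, Optional, Tuple

# Upstream OpenSSL releases that shipped with the Heartbleed bug (CVE-2014-0160):
# 1.0.1 (no letter) through 1.0.1f, and 1.0.2-beta1. 1.0.1g and 1.0.2-beta2 fixed it;
# the 0.9.8 and 1.0.0 branches never contained the affected heartbeat code.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")

# A distribution package revision such as "1.0.1e-2+deb7u7" means the vendor may have
# backported the fix while leaving the upstream version string untouched.
DISTRO_SUFFIX_RE = re.compile(r"OpenSSL\s+\d+\.\d+\.\d+[a-z]*-[0-9]\S*")


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int, str, Optional[int]]]:
    """Extract (major, minor, patch, letter, beta) from an OpenSSL banner, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter, beta = m.groups()
    return int(major), int(minor), int(patch), letter, (int(beta) if beta else None)


def upstream_heartbleed_affected(banner: str) -> Optional[bool]:
    """True if the upstream release in the banner shipped with Heartbleed,
    False if it did not, None if the banner cannot be parsed."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return None
    major, minor, patch, letter, beta = parsed
    if (major, minor, patch) == (1, 0, 1):
        # 1.0.1 and 1.0.1a..1.0.1f are affected; 1.0.1g and later are fixed.
        return letter == "" or letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        # Only the first 1.0.2 beta carried the bug.
        return beta == 1
    return False


def triage(banner: str) -> str:
    """Classify one banner for the remediation worklist."""
    affected = upstream_heartbleed_affected(banner)
    if affected is None:
        return "unknown"            # no OpenSSL banner: inspect by hand
    if not affected:
        return "unaffected"
    if DISTRO_SUFFIX_RE.search(banner):
        # Vulnerable upstream string but a vendor package revision is present;
        # the fix may have been backported, so confirm against the vendor advisory.
        return "confirm-vendor-backport"
    return "vulnerable"


def triage_inventory(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each host to its triage status."""
    return {host: triage(banner) for host, banner in inventory}


# Constructed sample inventory (hypothetical hosts and banners, not real systems).
INVENTORY = [
    ("edge-router-01", "OpenSSL 1.0.1e 11 Feb 2013"),
    ("www-02", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("db-01", "OpenSSL 1.0.0k 5 Feb 2013"),
    ("mail-01", "OpenSSL 1.0.1e-2+deb7u7"),
    ("vpn-01", "OpenSSL 1.0.2-beta1 24 Feb 2014"),
    ("legacy-01", "no openssl here"),
]

if __name__ == "__main__":
    for host, status in triage_inventory(INVENTORY).items():
        print(f"{host:16} {status}")
```

The point of the three-way split is that a version string alone cannot clear a vendor-packaged build: a Debian or Red Hat host can still report 1.0.1e after the fix has been applied, so those hosts go on a "confirm" list rather than being either trusted or rebuilt blindly. Hosts with no recognizable banner, such as appliances and network devices like the router in the CHS case, need a manual check against the manufacturer's advisory.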