Huge CHS Data Hack Puts Hospitals On High Alert
afflicted open-source encryption software. But the Heartbleed vector was not
confirmed by CHS or Mandiant.
Hospitals have faced a spike this year in hacking activity, said Michael McMillan,
CEO of security consulting firm CynergisTek. Such activity hasn't been publicly
disclosed because the hacks were stopped before data were compromised, he said.
"I know at least a half a dozen or so hacks against hospitals we work with where
the data wasn't transferred, but it still caused a lot of disruption," he said. Hospitals
are "going to become a bigger and bigger target as the hacking community figures
out it's easier to hack a hospital than it is to hack a bank and you get the same
information."
The CHS attack may be a harbinger of healthcare industry hacks, experts said.
"This appears to be a crime of opportunity in which attackers penetrate a system
for one type of information, such as IP, but in the process find they also have
access to highly marketable (personally identifiable information)," said Stephen
Cobb, a senior researcher with IT security firm ESET North America.
"That's the worst hack I've ever heard about," said Pam Dixon, executive director
of the World Privacy Forum, a not-for-profit advocacy group. "They can create
new credit cards with these identities and won't get dinged, and they can go
commit crimes with those identities."
McMillan said an advanced persistent threat, as cited by CHS, "is a particular
malware that never seems to go away... Depending on who released it and
whatever its payload might be, it's looking for vulnerable systems."
The awareness level of cybercrime--already high among healthcare security
leaders--jumped last week with news of the CHS breach, said Lee Kim, director of
privacy and security for the Healthcare Information and Management Systems
Society. It has "gotten everyone's attention," she said.
Still, a HIMSS survey released in February found that half of the 283 health IT
and security professionals in hospitals and physician practices who responded to
the survey reported their organizations spent 3% or less of their overall IT budgets
on security. That's up slightly from previous surveys. But that's one-half to one-fourth as much as is spent by other industries where data security is critical,
McMillan said.
Healthcare leaders need to make larger investments in resources and personnel,
focus on the most immediate security threats and identify where they need to
outsource security work, he argued. And it's critical for organizations to educate
their workforce. "If you look at most of the hacks we're having in the industry
today, it's because someone in the workforce made a mistake, opened an e-mail
and responded to a phishing exploit."
--Beth Kutscher contributed to this article.
MH TAKEAWAYS: The CHS attack may be a harbinger of healthcare hacks in
which attackers penetrate a system looking for one type of information, such as
intellectual property, but in the process find valuable personal data that can be sold
on the black market.