Huge CHS data hack puts hospitals on high alert

Author: Conn, Joseph

ProQuest document link
Abstract:
An outside group of hackers targeted Franklin, Tenn.-based Community Health
Systems's computer network and stole nonmedical data on 4.5 million patients, the
company disclosed last week in a regulatory filing. CHS, which has 206 hospitals
in 29 states, said in the filing that a group originating in China used sophisticated
malware and technology in the criminal attack and represents an advanced
persistent threat. It said these hackers typically search for intellectual property on
medical devices and other equipment, but instead stole personal data on patients
who had sought care from its physician practices. CHS said it is working with
Mandiant, an information security company, to investigate the breach and help
prevent future attacks. The health system has removed the malware from its
network and finalized remediation efforts. Hospitals have faced a spike this year in
hacking activity, said Michael McMillan, CEO of security consulting firm
CynergisTek. The CHS attack may be a harbinger of healthcare industry hacks,
experts said.
Full text:
The lesson for healthcare executives from the news last week that Community
Health Systems suffered the worst electronic records hack in healthcare privacy
history is that constant vigilance--and lots more money--are needed to keep the
same type of catastrophic breach from happening to their organizations.
An outside group of hackers targeted the Franklin, Tenn.-based hospital chain's
computer network and stole nonmedical data on 4.5 million patients, the company
disclosed last week in a regulatory filing.
CHS, which has 206 hospitals in 29 states, said in the filing that a group
originating in China used sophisticated malware and technology in the criminal
attack and represents an "advanced persistent threat." It said these hackers
typically search for intellectual property on medical devices and other equipment,
but instead stole personal data on patients who had sought care from its physician
practices.
The data included names, addresses, birthdates, telephone numbers and Social
Security numbers--all of which are protected under the Health Insurance
Portability and Accountability Act--and are valuable to identity thieves. The CHS
data breach, if posted to the "wall of shame" website where major healthcarerecord breaches are kept on public display by the Office for Civil Rights at HHS,
will be larger than all but one of the 1,083 breaches posted until now, and larger
than all 76 incidents attributed to hacking.
CHS said it is working with Mandiant, an information security company, to
investigate the breach and help prevent future attacks. The health system has
removed the malware from its network and finalized remediation efforts. Federal
law enforcement agents also are investigating the incident, which CHS discovered
last month and which it believes occurred in April and June. The chain notified
affected patients and is offering them identity theft protection services. CHS said it
carries cyber and privacy liability insurance for this purpose.
An Ohio security firm, TrustedSec, claimed the breach was carried out using the
notorious Heartbleed Internet security vulnerability disclosed in April, which

afflicted open-source encryption software. But the Heartbleed vector was not
confirmed by CHS or Mandiant.
Hospitals have faced a spike this year in hacking activity, said Michael McMillan,
CEO of security consulting firm CynergisTek. Such activity hasn't been publicly
disclosed because the hacks were stopped before data were compromised, he said.
"I know at least a half a dozen or so hacks against hospitals we work with where
the data wasn't transferred, but it still caused a lot of disruption," he said. Hospitals
are "going to become a bigger and bigger target as the hacking community figures
out it's easier to hack a hospital than it is to hack a bank and you get the same
information."
The CHS attack may be a harbinger of healthcare industry hacks, experts said.
"This appears to be a crime of opportunity in which attackers penetrate a system
for one type of information, such as IP, but in the process find they also have
access to highly marketable (personally identifiable information)," said Stephen
Cobb, a senior researcher with IT security firm ESET North America.
"That's the worst hack I've ever heard about," said Pam Dixon, executive director
of the World Privacy Forum, a not-for-profit advocacy group. "They can create
new credit cards with these identities and won't get dinged, and they can go
commit crimes with those identities."
McMillan said an advanced persistent threat, as cited by CHS, "is a particular
malware that never seems to go away... Depending on who released it and
whatever its payload might be, it's looking for vulnerable systems."
The awareness level of cybercrime--already high among healthcare security
leaders--jumped last week with news of the CHS breach, said Lee Kim, director of
privacy and security for the Healthcare Information and Management Systems
Society. It has "gotten everyone's attention," she said.
Still, a HIMSS survey released in February found that half of the 283 health IT
and security professionals in hospitals and physician practices who responded to
the survey reported their organizations spent 3% or less of their overall IT budgets
on security. That's up slightly from previous surveys. But that's one-half to onefourth as much as is spent by other industries where data security is critical,
McMillan said.
Healthcare leaders need to make larger investments in resources and personnel,
focus on the most immediate security threats and identify where they need to
outsource security work, he argued. And it's critical for organizations to educate
their workforce. "If you look at most of the hacks we're having in the industry
today, it's because someone in the workforce made a mistake, opened an e-mail
and responded to a phishing exploit."
--Beth Kutscher contributed to this article.
MH TAKEAWAYS The CHS attack may be a harbinger of healthcare hacks in
which attackers penetrate a system looking for one type of information, such as
intellectual property, but in the process find valuable personal data that can be sold
on the black market.