Huge CHS data hack puts hospitals on high alert
The lesson for healthcare executives from the news last week that Community Health Systems suffered the worst electronic records hack in healthcare privacy history is that constant vigilance—and lots more money—are needed to keep the same type of catastrophic breach from happening to their organizations.
An outside group of hackers targeted the Franklin, Tenn.-based hospital chain’s computer network and stole nonmedical data on 4.5 million patients, the company disclosed last week in a regulatory filing.
CHS, which has 206 hospitals in 29 states, said in the filing that a group originating in China used sophisticated malware and technology in the criminal attack and represents an “advanced persistent threat.” It said these hackers typically search for intellectual property on medical devices and other equipment, but instead stole personal data on patients who had sought care from its physician practices.
The data included names, addresses, birthdates, telephone numbers and Social Security numbers—all of which are protected under the Health Insurance Portability and Accountability Act—and are valuable to identity thieves. The CHS data breach, if posted to the “wall of shame” website where major healthcare-record breaches are kept on public display by the Office for Civil Rights at HHS, will be larger than all but one of the 1,083 breaches posted until now, and larger than all 76 incidents attributed to hacking.
CHS said it is working with Mandiant, an information security company, to investigate the breach and help prevent future attacks. The health system has removed the malware from its network and finalized remediation efforts. Federal law enforcement agents also are investigating the incident, which CHS discovered last month and which it believes occurred in April and June. The chain notified affected patients and is offering them identity theft protection services. CHS said it carries cyber and privacy liability insurance for this purpose.
An Ohio security firm, TrustedSec, claimed the breach was carried out using the notorious Heartbleed Internet security vulnerability disclosed in April, which afflicted open-source encryption software. But the Heartbleed vector was not confirmed by CHS or Mandiant.
Hospitals have faced a spike this year in hacking activity, said Michael McMillan, CEO of security consulting firm CynergisTek. Such activity hasn’t been publicly disclosed because the hacks were stopped before data were compromised, he said. “I know at least a half a dozen or so hacks against hospitals we work with where the data wasn’t transferred, but it still caused a lot of disruption,” he said. Hospitals are “going to become a bigger and bigger target as the hacking community figures out it’s easier to hack a hospital than it is to hack a bank and you get the same information.”
The CHS attack may be a harbinger of healthcare industry hacks, experts said. “This appears to be a crime of opportunity in which attackers penetrate a system for one type of information, such as IP, but in the process find they also have access to highly marketable (personally identifiable information),” said Stephen Cobb, a senior researcher with IT security firm ESET North America.
“That’s the worst hack I’ve ever heard about,” said Pam Dixon, executive director of the World Privacy Forum, a not-for-profit advocacy group. “They can create new credit cards with these identities and won’t get dinged, and they can go commit crimes with those identities.”
McMillan said an advanced persistent threat, as cited by CHS, “is a particular malware that never seems to go away… Depending on who released it and whatever its payload might be, it’s looking for vulnerable systems.” The awareness level of cybercrime—already high among healthcare security leaders—jumped last week with news of the CHS breach, said Lee Kim, director of privacy and security for the Healthcare Information and Management Systems Society. It has “gotten everyone’s attention,” she said.
Still, a HIMSS survey released in February found that half of the 283 health IT and security professionals in hospitals and physician practices who responded to the survey reported their organizations spent 3% or less of their overall IT budgets on security. That’s up slightly from previous surveys. But that’s one-half to one-fourth as much as is spent by other industries where data security is critical, McMillan said.
Healthcare leaders need to make larger investments in resources and personnel, focus on the most immediate security threats and identify where they need to outsource security work, he argued. And it’s critical for organizations to educate their workforce. “If you look at most of the hacks we’re having in the industry today, it’s because someone in the workforce made a mistake, opened an e-mail and responded to a phishing exploit.”
The Heartbleed Bug may be to blame for CHS’ patient data hack.