Huge CHS data hack puts hospitals on high alert

Modern Healthcare - NEWS - By Joseph Conn. Beth Kutscher contributed to this article.

The lesson for healthcare executives from the news last week that Community Health Systems suffered the worst electronic records hack in healthcare privacy history is that constant vigilance—and lots more money—are needed to keep the same type of catastrophic breach from happening to their organizations.

An outside group of hackers targeted the Franklin, Tenn.-based hospital chain’s computer network and stole nonmedical data on 4.5 million patients, the company disclosed last week in a regulatory filing.

CHS, which has 206 hospitals in 29 states, said in the filing that a group originating in China used sophisticated malware and technology in the criminal attack and represents an “advanced persistent threat.” It said these hackers typically search for intellectual property on medical devices and other equipment, but instead stole personal data on patients who had sought care from its physician practices.

The data included names, addresses, birthdates, telephone numbers and Social Security numbers—all of which are protected under the Health Insurance Portability and Accountability Act—and are valuable to identity thieves. The CHS data breach, if posted to the “wall of shame” website where major healthcare-record breaches are kept on public display by the Office for Civil Rights at HHS, will be larger than all but one of the 1,083 breaches posted until now, and larger than all 76 incidents attributed to hacking.

CHS said it is working with Mandiant, an information security company, to investigate the breach and help prevent future attacks. The health system has removed the malware from its network and finalized remediation efforts. Federal law enforcement agents also are investigating the incident, which CHS discovered last month and which it believes occurred in April and June. The chain notified affected patients and is offering them identity theft protection services. CHS said it carries cyber and privacy liability insurance for this purpose.

An Ohio security firm, TrustedSec, claimed the breach was carried out using the notorious Heartbleed Internet security vulnerability disclosed in April, a flaw in the widely used open-source OpenSSL encryption library that let an unauthenticated attacker read portions of a server’s memory. But the Heartbleed vector was not confirmed by CHS or Mandiant.

Hospitals have faced a spike this year in hacking activity, said Michael McMillan, CEO of security consulting firm CynergisTek. Such activity hasn’t been publicly disclosed because the hacks were stopped before data were compromised, he said. “I know at least a half a dozen or so hacks against hospitals we work with where the data wasn’t transferred, but it still caused a lot of disruption,” he said. Hospitals are “going to become a bigger and bigger target as the hacking community figures out it’s easier to hack a hospital than it is to hack a bank and you get the same information.”

The CHS attack may be a harbinger of healthcare industry hacks, experts said. “This appears to be a crime of opportunity in which attackers penetrate a system for one type of information, such as IP, but in the process find they also have access to highly marketable (personally identifiable information),” said Stephen Cobb, a senior researcher with IT security firm ESET North America.

“That’s the worst hack I’ve ever heard about,” said Pam Dixon, executive director of the World Privacy Forum, a not-for-profit advocacy group. “They can create new credit cards with these identities and won’t get dinged, and they can go commit crimes with those identities.”

McMillan said an advanced persistent threat, as cited by CHS, “is a particular malware that never seems to go away… Depending on who released it and whatever its payload might be, it’s looking for vulnerable systems.” The awareness level of cybercrime—already high among healthcare security leaders—jumped last week with news of the CHS breach, said Lee Kim, director of privacy and security for the Healthcare Information and Management Systems Society. It has “gotten everyone’s attention,” she said.

Still, a HIMSS survey released in February found that half of the 283 health IT and security professionals in hospitals and physician practices who responded to the survey reported their organizations spent 3% or less of their overall IT budgets on security. That’s up slightly from previous surveys. But that’s one-half to one-fourth as much as is spent by other industries where data security is critical, McMillan said.

Healthcare leaders need to make larger investments in resources and personnel, focus on the most immediate security threats and identify where they need to outsource security work, he argued. And it’s critical for organizations to educate their workforce. “If you look at most of the hacks we’re having in the industry today, it’s because someone in the workforce made a mistake, opened an e-mail and responded to a phishing exploit.”

The Heartbleed Bug may be to blame for CHS’ patient data hack.
