A group of hackers presumably located in China managed to breach Community Health Systems, one of the largest hospital operators in the United States, and access the records of 4.5 million patients.
Community Health Systems and FireEye-owned Mandiant, the company called in to investigate the incident, haven’t provided any technical details on the attack, but security firm TrustedSec learned from people involved in the investigation that the initial attack vector was the OpenSSL vulnerability known as the Heartbleed bug.
Members of the security industry have been following the story and they make some interesting points. Their comments focus on the alleged involvement of a Chinese group, the need for efficient cybersecurity systems, and the financial and reputational impact of the breach. As expected, experts have once again highlighted that vulnerabilities as critical as Heartbleed should not be neglected, and noted that Community Health Systems is probably the first in many organizations to acknowledge a Heartbleed-related exploit.
And the Feedback Begins…
Tal Klein, VP of strategy and marketing for Adallom:
“First thing’s first: Forget about China. In some ways I would prefer the Chinese have the data than some kids who would use the information for identity theft and fraud. I really don’t understand the fascination we have for pointing fingers in China rather than shed a light on the underlying problems that make these breaches possible. Personally, my hope is that this real-life Heartbleed breach is the ‘wake up call’ that makes CISOs aware of the fragile defenses their organizations have today.
We need to aggressively start shifting resources away from prevention and build a defense strategy around assumed breach. The first step should be improving visibility and focusing on anomaly detection. When a breach occurs (and it will), strong monitoring capabilities could make the difference between days and months for breach detection, thus providing a critical line of defense.”
Rob Sadowski, Director of Technology Solutions, RSA:
“If the reports about this incident prove to be true, it reinforces the importance of having capabilities to conduct forensic analysis of network communication and affected devices to identify active exploitation of vulnerabilities like Heartbleed, as well as tools and capabilities to detect the attackers activity once they gained access to the network via this (or any other) exploit.
It also demonstrates how quickly attackers will exploit known, unpatched vulnerabilities and reinforces the need to quickly identify high-risk, high value assets that are affected by vulnerabilities that are actively being exploited so they can become the immediate focus of remediation efforts.
Going forward, this new knowledge of attackers and tactics not frequently known to target mass quantities of PHI / PII (personally identifiable information / protected health information) now have to be included and evaluated more strongly as part of healthcare providers’ risk assessments.”
Catalin Cosoi, Chief Security Strategist, Bitdefender:
“According to a Security Expert quoted by Reuters, the cyber-attack against Community Health Systems was made possible by the Heartbleed vulnerability of the OpenSSL encryption software. This vulnerability allows an authorized attacker to read the RAM memory of the machine that has installed a vulnerable OpenSSL, including credentials, encryption keys and other sensitive information. When it took place, in April/May this year, the vulnerability was public knowledge, but not all systems were updated to the newest OpenSSL version.
It seems one of the vulnerable systems belonged to Community Health Systems, and it had internet access. That’s why the personal data of about 4.5 million patients were stolen. Community Health Systems has started to notify those impacted by the breach, but this alone will not protect them from identity theft. Of course, we know nothing about the new security measures implemented by Community Health Systems, but we hope they improve their security and will no longer store unencrypted personal data.”
JD Sherry, Trend Micro VP of technology and solutions:
“The organizations’ next steps should be to over communicate the details of this event and establish outreach programs immediately, including a security incident web site to help manage incident response communications. Further investment in cyber security and IT will also be a top priority for CHS.
The stolen data in question is extremely sensitive and includes Social Security Numbers coupled with date of birth and address information. There is no indication that this data was encrypted, which creates further challenges for the organization and the patients impacted.
The recent SEC filing by CHS that revealed this problem is a clear indication that this incident can and most likely will materially impact the organization. It appears that CHS has invested in cyber security insurance, which should offset some of the associated costs of this breach. However, the bigger financial impact is the soft costs of losing patient trust and confidence in their services, which can be extremely difficult to recover from.
Healthcare organizations can’t seem to get a reprieve from the ongoing intrusions on their networks. More than any other industry, the healthcare sector has fallen victim to the largest number of breaches thus far in 2014. The CHS breach is yet another example of the challenges this industry faces as it attempts to push forward with eHealth initiatives, while being good stewards of this sensitive data.”
Jody Brazil, CEO of FireMon:
“This attack exposes the critical nature of access control policies. As much as we talk about the ‘eroding permitter’, it still exists and the consequences of a breach of that perimeter can be severe. Similar to the discussion around Target, 2-factor authentication should be used for remote access or access to critical resources.
The Heartbleed vulnerability exposed static passwords that permit an attacker to use an authorized user’s credentials to gain access to the network. Two-factor authentication with single-use passwords would limit this attack vector. Additionally network segmentation beyond ‘internal’ will further limit impact to this kind of exploit.”
Tom Bain, Vice President, Global Marketing & Security Strategy, CounterTrack:
“It’s not about the data – it’s about the money.
This breach is in fact interesting, given that the same attackers have been attributed to pilfering trade secrets within the healthcare industry in successfully executed hacks previously. It looks like by all accounts, the attackers used some targeted malware to break into HCS systems to steal patient data and not exactly IP that ultimately may get sold to China.
However interesting this breach seems, and despite the fact that it looks like over 4.5M patient records were exploited and stolen, patient records aren’t really the most coveted types of records. Typically the records that hackers want are those that they can monetize. That’s not to say that stolen patient records can’t be sold – but the reality is that with everything that everyone shares today anyway, if their medical records get out to a public location, it might not be ideal, but it likely won’t have the same, immediate impact that your debit card being breached would have.
What this breach demonstrates very clearly is that there is a critical need for forensic-level analysis of attacks of all kinds – malware, APTs and targeted campaigns – so that organizations can counter attacks in real-time to mitigate the damage caused and the time that attackers spend inside those systems. A post-breach forensics investigation, while helpful long-term, is really an antiquated process. I would not even call that security – I would call that an audit of a breach due to lack of real-time visibility on my endpoints and applications. It’s necessary, but it doesn’t help you as you are being attacked.”
Eric Chiu, president & co-founder of HyTrust:
“The most recent breach at Community Health is a new wake-up call that cyber attacks are the ‘new norm’– whether from organized criminal groups or nation-state sponsored organizations. The fact that 4.5MM patient records were stolen is alarming. This type of data is generally stored on servers in the core of a data center that would require ‘insider’ (employee) access.
It would typically be stolen using employee credentials, which can also mean an outside attacker accessing the organization’s network. In addition, it’s likely that this data was stolen over days or even weeks or months without being detected, which would also indicate that the attack leveraged or came from the inside. Bottom line: Organizations must do more to proactively address the security of critical systems and data— especially as cyber attacks continue to occur daily.”
Jerome Segura, senior security researcher at Malwarebytes Labs:
“While the number of records is astonishing and makes it one of the largest breaches in the medical field, it may not have been the perpetrators’ actual goal. If the group behind this was one of the suspected hacking unit from China, their motive generally is the theft of intellectual property. Indeed industrial espionage (or medical espionage for that matter) has been a growing and active threat for which most corporations aren’t quite prepared against.
Highly motivated groups are creating custom attacks designed to circumvent traditional security software and often rely on social engineering as part of their process in infiltrating valuable targets. Attackers are able to maintain their cover for long periods while observing activity within the networks they have compromised.
Overall, the medical sector is not as well protected against such attacks as other sectors and often times firms will rely on their liability insurance to cover themselves instead of dedicating a budget for cyber security. This may work from a business standpoint in a typical risk versus cost scenario but it completely ignores the implications on individuals who may face the pain and worry of identity theft or privacy violations.”
Kevin Bocek, vice president, security strategy and threat intelligence, Venafi:
“Community Health Systems is likely the first of many organizations to come forward and acknowledge a Heartbleed-related exploit. Organizations have been operating under a false sense of security that an OpenSSL patch would solve the problem. Unless fully remediated, Heartbleed leaves open doors for attackers to extract data, including credentials like passwords and encryption keys, which provide long-term visibility and access to the kinds data stolen from Community Health Systems. According to recent research, 97 percent of Global 2000 organizations’ public-facing servers remain vulnerable to cyber attacks due to incomplete Heartbleed remediation.
Insiders have acknowledged that the CHS breach occurred because these credentials were not replaced. Following Heartbleed’s discovery, experts from Bruce Schneier to Gartner warned that, to fully remediate Heartbleed, all SSL keys and certificates must be replaced. Enterprises must also assume, just as many did with user IDs and passwords, that all keys and certificates were compromised—not just the keys and certificates that secured the systems hosting the Heartbleed vulnerability—and must be revoked and replaced. Otherwise thousands of applications behind the firewall remain exposed.
IT Security teams are clearly under the false notion that they have remediated Heartbleed by applying a software patch. Yet if someone walks into your house through an open door and steals your house keys, you don’t then rely on the same locks once you’ve closed the door. Organizations must find and replace all of their keys and certificates—all of them. Otherwise massive security gaps and open doors remain and other businesses will fall prey to the same Heartbleed-style breaches that hit Community Health Systems.”
Until Next Friday…Have a Great Weekend!