The news this week that hackers from China compromised 4.5 million customer records held by Community Health Systems is just the latest indication that companies are not adequately protecting the information of the consumers they serve.
According to media reports, Chinese hackers were still stealing records in June, even though the Heartbleed bug that gave them a way in had been reported in April. Unfortunately, this was exactly the kind of event Coalfire predicted earlier this year, when Heartbleed was first uncovered:
Before we declare an “all clear,” we have to do the hard work. Each manufacturer must clearly identify where OpenSSL introduced issues and every service provider must check those systems for the vulnerability …
Once the extent of the risk is clearly identified, the cleanup could take months or longer … Enjoy these first few relatively silent days where we don’t hear reports of exploits, but do the right thing and chase this vulnerability to the ground.
The worse news is that the Heartbleed impact is not over. Good reconnaissance can be used to conduct future attacks. A skilled hacker only needs one credential to escalate an attack and “own” the target.
Healthcare data breaches are especially impactful. Individuals who have their medical IDs stolen have later problems, as fraudsters who file claims in their names can contaminate medical records and cause future issues with insurance coverage.
However, the Chinese hacking machine is in the business of national security and industrial theft. They certainly can sell confidential data to cyber criminals from other regions to exploit personal data for more pedestrian-level fraud, but they’re after bigger targets.
The confidentiality breach is only a step on the path to the intellectual property they covet, such as understanding the efficacy of certain drugs and treatments. With this kind of personal data, they can better understand how to make investments in counterfeit drugs.
The potentially devastating impact of a breach like this is still not fully understood. When we see Pfizer write down a $3 billion investment in a drug development program because of unfair international competition, or if we see wide-scale personal data used in fraud, we will be able to assess the impact at its true scale. The key point is that the dragon is at the doorstep…with a key.
It’s time for companies to step up their game to protect their consumers. And it’s time for consumers to demand that companies protect the information they’ve shared. But to start a path to safe health records, we need a secure health record application standard. Organizations like HITRUST – and their board members – are making a difference, but need more participants.
Small healthcare organizations also need to rethink their entire security architectures. We have reached a point where the attacks have become so sophisticated that they've outstripped the defensive capabilities of all but the most serious experts. Secure cloud-based health record systems are almost certainly a better bet than statically defended local storage.
Coalfire has worked with thousands of organizations to help them protect their sensitive information. If you’re looking for an honest partner to help move from compliance to cybersecurity and true risk management, give us a call.