Heartbleed Aftershocks: Community Health Systems Breach, 4.5 Million Records Lost

August 22, 2014, Rick Dakin, CEO, Co-founder and Chief Security Strategist

The news this week that hackers from China compromised 4.5 million customer records held by Community Health Systems is just the latest indication that companies are not adequately protecting the information of the consumers they serve.

According to media reports, Chinese hackers were still stealing records in June, even though the Heartbleed bug that gave them a way in had been reported in April.  Unfortunately, this was exactly the kind of event Coalfire predicted earlier this year, when Heartbleed was first uncovered:

Before we declare an “all clear,” we have to do the hard work. Each manufacturer must clearly identify where OpenSSL introduced issues and every service provider must check those systems for the vulnerability …

Once the extent of the risk is clearly identified, the cleanup could take months or longer … Enjoy these first few relatively silent days where we don’t hear reports of exploits, but do the right thing and chase this vulnerability to the ground.

The worse news is that the Heartbleed impact is not over. Good reconnaissance can be used to conduct future attacks. A skilled hacker only needs one credential to escalate an attack and “own” the target.

Healthcare data breaches are especially impactful. Individuals who have their medical IDs stolen have later problems, as fraudsters who file claims in their names can contaminate medical records and cause future issues with insurance coverage.

However, the Chinese hacking machine is in the business of national security and industrial theft. They certainly can sell confidential data to cyber criminals from other regions to exploit personal data for more pedestrian-level fraud, but they’re after bigger targets.

The confidentiality breach is only a step on the path to the intellectual property they covet, such as understanding the efficacy of certain drugs and treatments. With this kind of personal data, they can better understand how to make investments in counterfeit drugs.

The potentially devastating impact of a breach like this is still not fully understood. When we see Pfizer write down a $3 billion investment in a drug development program for unfair international competition or if we see wide-scale personal data used in fraud, we will be able to write the impact up to a higher level.  The key is that the dragon is at the door step…with a key.

It’s time for companies to step up their game to protect their consumers. And it’s time for consumers to demand that companies protect the information they’ve shared. But to start a path to safe health records, we need a secure health record application standard. Organizations like HITRUST – and their board members – are making a difference, but need more participants.

Small healthcare organizations also need to rethink their entire security architectures. We have reached a point where the attacks have become so sophisticated, they‘ve outstripped the defensive capabilities of all but the most serious experts. Secure cloud-based health record systems are almost certainly a better bet than statically-defended local storage.

Coalfire has worked with thousands of organizations to help them protect their sensitive information. If you’re looking for an honest partner to help move from compliance to cybersecurity and true risk management, give us a call.

Rick Dakin

Author

Rick Dakin — CEO, Co-founder and Chief Security Strategist

Recent Posts

Post Topics

Archives

Tags

2.0 3.0 access Accounting Agency AICPA Assessment assessments ASV audit AWS AWS Certified Cloud Practitioner AWS Certs AWS Summit bitcoin Black Hat Black Hat 2017 blockchain Blueborne Breach BSides BSidesLV Burp BYOD California Consumer Privacy Act careers CCPA Chertoff cloud CoalfireOne Compliance credit cards C-Store Cyber cyber attacks Cyber Engineering cyber incident Cyber Risk cyber threats cyberchrime cyberinsurance cybersecurity danger Dangers Data DDoS DevOps DFARS DFARS 7012 diacap diarmf Digital Forensics DoD DRG DSS e-banking Ed Education encryption engineering ePHI Equifax Europe EU-US Privacy Shield federal FedRAMP financial services FISMA Foglight forensics Gartner Report GDPR Google Cloud NEXT '18 government GRC hack hacker hacking Halloween Health Healthcare heartbleed Higher Higher Education HIMSS HIPAA HITECH HITRUST HITRUST CSF Horror Incident Response interview IoT ISO IT JAB JSON keylogging Kubernetes Vulnerability labs LAN law firms leadership legal legislation merchant mobile NESA News NH-ISAC NIST NIST 800-171 NIST SP 800-171 NotPetya NRF NYCCR O365 OCR of P2PE PA DSS PA-DSS password passwords Payments PCI PCI DSS penetration Penetration Testing pentesting Petya/NotPetya PHI Phishing Phising policy POODLE PowerShell Presidential Executive Order Privacy program Ransomware Retail Risk RSA RSA 2019 Safe Harbor Scanning Scans scary security security. SOC SOC 2 social social engineering Spectre Splunk Spooky Spraying Attack SSAE State Stories Story test Testing theft Virtualization Visa vulnerability Vulnerability management web Wifi wireless women XSS