Community Health Systems, a major group that operates 206 hospitals throughout the US, has suffered a massive data breach: personal information of some 4.5 million patients has been stolen from their systems.
Below are some of the comments Help Net Security received.
Eric Chiu, President of HyTrust
The most recent breach at Community Health is a new wake-up call that cyber attacks are the ‘new norm’– whether from organized criminal groups or nation-state sponsored organizations. The fact that 4.5M patient records were stolen is alarming.
This type of data is generally stored on servers in the core of a data center that would require “insider’ (employee) access. It would typically be stolen using employee credentials, which can also mean an outside attacker accessing the organization’s network. In addition, it’s likely that this data was stolen over days or even weeks or months without being detected, which would also indicate that the attack leveraged or came from the inside.
Bottom line: Organizations must do more to proactively address the security of critical systems and data— especially as cyber attacks continue to occur daily.
Jerome Segura, Senior Security Researcher at Malwarebytes Labs
While the number of records is astonishing and makes it one of the largest breaches in the medical field, it may not have been the perpetrators’ actual goal. If the group behind this was one of the suspected hacking unit from China, their motive generally is the theft of intellectual property. Indeed industrial espionage (or medical espionage for that matter) has been a growing and active threat for which most corporations aren’t quite prepared against.
Highly motivated groups are creating custom attacks designed to circumvent traditional security software and often rely on social engineering as part of their process in infiltrating valuable targets. Attackers are able to maintain their cover for long periods while observing activity within the networks they have compromised.
Overall, the medical sector is not as well protected against such attacks as other sectors and often times firms will rely on their liability insurance to cover themselves instead of dedicating a budget for cyber security. This may work from a business standpoint in a typical risk versus cost scenario but it completely ignores the implications on individuals who may face the pain and worry of identity theft or privacy violations.
Aviv Raff, CTO and Chief Researcher at Seculert
While the planting of the malware itself couldn’t have been avoided, the attack should have been detected way before the attackers were able to exfiltrate the personal data of 4.5M people. This is another reason why enterprises are now moving from trying to prevent an attack, into detecting an attack as soon as possible.
We don’t have the exact details. But, looking at similar recent breaches, the attackers were probably able to plant malware which they allowed them to control an internal machine from remote. From that machine, they moved laterally within the organization, looking for the crown jewel data – the details about the 4.5M people, and then used additional attack tools to exfiltrate the data out of the network.
Jonathan French, Security Analyst at AppRiver
This is a pretty big deal. Healthcare systems seem to be getting a closer eye on them by attackers. This may be due to each healthcare provider/network possibly having different standards to information security (some maybe more lax than others). And as the article mentions, The FBI has already warned the healthcare sector they need to step up their security.
Ignoring that it was a healthcare breach and looking at the data, this is similar to most other breaches. The stolen data didn’t appear to have anything healthcare specific to it from what they have said. The data included “patient names, addresses, birth dates, telephone numbers and Social Security numbers”. The big one of those being social security numbers. The other data alone can do damage, but having valid social security numbers and the other information tied to the numbers can possibly cause a lot of damage. And with 4.5 million of these, I imagine this information, if sold, could be pretty profitable for the attackers.
Also as a side note, in the original paper they filed, they do mention they are taking action to notify everyone that was effected and provide credit monitoring services for those individuals. That seems to be the standard response for these types of incidents as of late.
Lamar Bailey, Director of Security R&D at Tripwire
From a consumer standpoint this is the worst type of breach. When financial data is stolen, such as when credit card numbers are stolen from retailers, the retailer and card issuers are hit with the fraudulent charges and the costs for generating new cards but when personal information is stolen – name, address, phone number, birth dates, and social security number – it impacts the person and not a company. This is the information needed for identity theft to allow criminals to open accounts in the names of the 4.5 million victims.
The other concern is that this data can be used on the black market to create new identities for scores of criminals and terrorists. Anyone affected by this breach should freeze their credit immediately to stop new credit accounts from being open without their consent.