The recent massive Community Health Systems breach, which resulted in the compromise of personal information of some 4.5 million patients, was executed by exploiting the infamous OpenSSL Heartbleed vulnerability.
The claim was made by David Kennedy, CEO of security consulting firm TrustedSec, who said that while he and his company aren't involved in the breach investigation, he got the information from three different people close to the investigation. CHS has not commented on the matter.
“Attackers were able to glean user credentials from memory on a CHS Juniper device via the Heartbleed vulnerability (which was vulnerable at the time) and use them to login via a VPN,” Kennedy revealed in a blog post. “From here, the attackers were able to further their access into CHS by working their way through the network.”
CHS has reported that the attack happened in April and June 2014, which coincides with the public revelation of the existence of the Heartbleed bug. It is entirely possible that the attackers took advantage of the short period in which the company’s systems were vulnerable to it.
“The time between 0-day (the day Heartbleed was released) and patch day (when Juniper issued its patch) is the most critical time for an organization, where monitoring and detection become essential elements of its security program. Having the ability to detect and respond to an attack when it happens is key to enacting incident response and mitigating the threat quickly,” Kennedy pointed out.
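Kennedy's point that the window between disclosure and patch has to be covered by monitoring and detection, as an added example that is not part of the original article and is not code from CHS, Juniper or TrustedSec: a small Python detector for the malformed TLS Heartbeat records that Heartbleed (CVE-2014-0160) depends on, the kind of check an IDS rule applies to captured traffic. The sample records are constructed inline for the example; the test mirrors the one in RFC 6520 and the OpenSSL fix (the declared payload length must fit inside the record after the 16 bytes of mandatory padding).

```python
"""
Added example (not from the original article): a minimal detector for
malformed TLS Heartbeat records of the kind Heartbleed relies on.
The check is the same one the OpenSSL fix and common IDS signatures
apply: a heartbeat whose declared payload length exceeds the bytes the
TLS record actually carries (minus the 16-byte minimum padding) is
malformed and should raise an alert.
"""
import struct

TLS_HEARTBEAT = 24              # TLS record content type for Heartbeat (RFC 6520)
TLS_APPLICATION_DATA = 23
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16                # RFC 6520: at least 16 bytes of padding


def parse_tls_record(data: bytes) -> tuple:
    """Split one TLS record into (content_type, version, body)."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record body shorter than declared length")
    return ctype, version, body


def check_heartbeat(data: bytes) -> str:
    """
    Classify one TLS record: 'not-heartbeat', 'ok', or a string starting
    with 'ALERT' explaining why the record is suspect.
    """
    ctype, _version, body = parse_tls_record(data)
    if ctype != TLS_HEARTBEAT:
        return "not-heartbeat"
    if len(body) < 3:
        return "ALERT: heartbeat body too short to hold type and length"
    hb_type = body[0]
    declared = struct.unpack("!H", body[1:3])[0]
    # Bytes genuinely available for the payload once type, length and
    # the mandatory padding are accounted for.
    available = len(body) - 3 - MIN_PADDING
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return f"ALERT: unknown heartbeat type {hb_type}"
    if declared > available:
        return (f"ALERT: heartbeat declares {declared} payload bytes "
                f"but record carries only {max(available, 0)}")
    return "ok"


def scan_records(records: list) -> list:
    """Run the check over captured records; return only the alerts."""
    alerts = []
    for i, rec in enumerate(records):
        try:
            verdict = check_heartbeat(rec)
        except ValueError as exc:
            verdict = f"ALERT: unparsable record ({exc})"
        if verdict.startswith("ALERT"):
            alerts.append(f"record {i}: {verdict}")
    return alerts


# --- Constructed sample records (not captured from any real system) ---
# Well-formed heartbeat: 4-byte payload "ping" plus 16 bytes of padding.
_benign_body = bytes([HB_REQUEST]) + struct.pack("!H", 4) + b"ping" + b"\x00" * MIN_PADDING
BENIGN_HEARTBEAT = struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, len(_benign_body)) + _benign_body

# Malformed heartbeat: declares a 16 KiB payload but the record carries none.
_bad_body = bytes([HB_REQUEST]) + struct.pack("!H", 16384)
MALFORMED_HEARTBEAT = struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, len(_bad_body)) + _bad_body

# Ordinary application-data record, which the detector ignores.
NON_HEARTBEAT = struct.pack("!BHH", TLS_APPLICATION_DATA, 0x0302, 5) + b"hello"

if __name__ == "__main__":
    for line in scan_records([BENIGN_HEARTBEAT, NON_HEARTBEAT, MALFORMED_HEARTBEAT]):
        print(line)
```

The detector deliberately alerts rather than drops: on a monitoring sensor the value lies in timestamping the first malformed heartbeat seen against a given VPN gateway, which is exactly the event an incident responder needs during the days between disclosure and the vendor patch.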
“What we can learn here is that when something as large as Heartbleed occurs (rare) that we need to focus on addressing the security concerns immediately and without delay. Fixing it as soon as possible or having compensating controls in place days before could have saved this entire breach from occurring in the first place.”
The breach has elicited many reactions from the security community, some of which you can read here.