U.S. hospital operator Community Health Systems (CHS) has revealed that hackers have broken into its computer network, and stolen the personal data of some 4.5 million patients, including their names and addresses.
Details of the serious security breach were revealed in a filing CHS made today with the Securities and Exchange Commission, which described the attack as “highly sophisticated.”
The attackers are thought to have breached Community Health Systems’ network in April and June this year, accessing details of individuals who were referred for or received services from doctors affiliated with the hospital group in the last five years.
CHS, which has 206 hospitals in 29 states, says that it first confirmed the security breach in July and claimed in the SEC filing that the hacking gang responsible for the “Advanced Persistent Threat” originated in China.
CHS has been working closely with a security vendor and federal law enforcement agencies to investigate and possibly prosecute those responsible for the attack.
However, if the company’s theories about the hackers being based in China are correct, then I would be surprised if they make much headway in bringing the perpetrators to justice.
Although it’s obviously good news that patient credit card, medical and clinical information are not thought to have been exposed in this particular attack, the treasure trove of exfiltrated data did include patient names, addresses, birthdates, telephone numbers and social security numbers.
Under Health Insurance Portability and Accountability Act (“HIPAA”) legislation, regulatory agencies and affected patients will now need to be notified of the breach.
The sad truth today is that hackers aren’t just after your credit card details – they’re interested in your personal medical history and insurance data, too.
And the rise of online portals for patients to manage their personal insurance plans has just increased opportunities for online criminals to steal the wealth of personal information that is contained within.
Tripwire security researcher Ken Westin agrees:
“Hospitals are hot targets for thieves due to the rich amount of data they can harvest from hospital data systems, the billing information and other data, such as social security numbers, provides all of the components needed for identity theft and credit fraud.”
“Although heavily regulated and requiring a compliance with HIPAA, for example, hospitals have traditionally just focused on compliance as a check box without ensuring that underlying policies and frameworks are in place to provide true security that compliance alone cannot provide. Many of the devices carried by medical staff, as well as increasingly networked medical devices, make security a further challenge in environments that generally do not invest as heavily as they should in IT infrastructure and security.”
What has become apparent is that if a hacker manages to seize your health insurance credentials, they can exploit them in ways which may be a lot less obvious to affected individuals than a simple raid on a bank account.
For instance, criminals could use the detailed information for the purposes of identity theft and fraud, or exploit stolen medical records to impersonate patients in order to obtain prescriptions for controlled substances, which they can then sell on to others.
Unfortunately it appears that the medical and health insurance industries have not been as proactive in protecting their customers’ data as the banks.
This is borne out by a warning issued by the FBI in February, which advised healthcare operators that the industry’s security systems are substandard and provide too many opportunities for hackers to break in and seize medical and health insurance data.
Hospitals and health agencies need to clean up their act, and work harder to properly protect the valuable personal information that patients entrust to them. Layered defenses that go beyond just relying on traditional anti-virus solutions need to be implemented to prevent hackers from breaching computer systems and stop them from exfiltrating sensitive data.
It’s all too easy to blame a breach on “highly sophisticated” hackers using “advanced persistent threats” and wave a vague hand in the direction of China, but the fact of the matter is that organizations are failing to properly defend the data at their heart.
If things don’t get markedly better, individuals will lose trust and take their business elsewhere.