8/18/2014 07:40 PM

Community Health Systems Breach Atypical For Chinese Hackers

Publicly traded healthcare organization's stock goes up as breach notifications go out.

Investigators say a China-based hacking group is to blame for a data breach that exposed the identities of 4.5 million patients served by or referred to Community Health Systems (CHS), a publicly traded company that owns, leases, and/or operates 206 hospitals in 29 U.S. states. The stolen data included Social Security Numbers, names, dates of birth, addresses, and contact information. However, no credit card numbers or medical records were stolen.

No intellectual property was taken either, and that is what is odd.

CHS and Mandiant, which was commissioned in June to conduct the forensic investigation, "believe the attacker was an 'Advanced Persistent Threat' group originating from China who used highly sophisticated malware and technology to attack the Company’s systems," according to a regulatory report the CHS filed with the Securities and Exchange Commission today.

The attack methods are characteristic of a particular APT group, but the type of information stolen -- personal identity information -- is a departure from the norm for the group, which "has typically sought valuable intellectual property, such as medical device and equipment development data," according to the filing. The name of the suspected group has not been revealed. Mandiant declined to comment because the investigation is ongoing.

So why might a group of Chinese APT actors be interested in a fat pile of identity info? And if indeed they're based in China, does it necessarily follow that they are politically motivated, or government-funded? Some people are skeptical.

"The motivation for a state-sponsored desire to get personal identifying information would be pointless," says David Hobbs, Director of Security Solutions at Radware. "The IRS, credit reporting agencies, and other targets have lost much more personal information on U.S. citizens, so the value of this information for politically motivated hacking makes no sense. Allegedly they didn’t steal credit card information which could have been used to gain greater personal intelligence if this were state sponsored."

"One must keep in mind," says Jeffrey Lyon, co-founder of Black Lotus, "that China recently emerged as the world's second largest economy with 618 million Internet users, more than the entire population of the United States. It is entirely reasonable to expect that an uptick in cyber crime will accompany this growth. It is not proper to automatically assume that the Chinese government itself is responsible for these incidents."

It is also possible that this is just the first step toward other attacks: stealing data and then selling it to raise money for something else.

"While the number of records is astonishing and makes it one of the largest breaches in the medical field, it may not have been the perpetrators' actual goal," says Jerome Segura, senior security researcher at Malwarebytes Labs. "If the group behind this was one of the suspected hacking units from China, their motive generally is the theft of intellectual property. Indeed, industrial espionage (or medical espionage for that matter) has been a growing and active threat for which most corporations aren't quite prepared."

Healthcare Lagging

In April, the FBI issued a warning to healthcare providers, informing them that the industry was not as prepared for cyber attacks as other sectors.

"Healthcare lags far behind many other industries in making CIOs report to the CEO, hiring CISOs and making cybersecurity leadership a priority," says Mansur Hasib, author of Impact of Security Culture on Security Compliance in Healthcare. "Being familiar with the US healthcare industry, I know that 50 percent of the US organizations run their IT through their Finance or Operations organizations. Therefore technology and cybersecurity officers are not empowered to make the right decisions. In most organizations the CEO does not take the fall for these types of breaches -- they typically make the CIO or CISO the scapegoat."

Trey Ford, global security strategist at Rapid7, says that healthcare is one of the most difficult industries to protect. "You have a great deal of personally identifiable information (PII) that achieves high values on the black market; healthcare practitioners often sharing workstations and passwords, coming and going on shifts or in emergencies; and medical devices and systems that are highly regulated and certified for set configurations, so they cannot easily be patched," says Ford. "For these reasons, standard industry practices like network segmentation and scanning are often prohibited."

Costs Not Big Enough?

In the SEC filing, CHS stated that they have cyber insurance to cover them in instances like this and "While this matter may result in remediation expenses, regulatory inquiries, litigation and other liabilities, at this time, the Company does not believe this incident will have a material adverse effect on its business or financial results."

Hobbs notes that CHS could still be hit by fines under the HITECH Act -- which mandates security controls like encryption -- unless their cyber insurance covers negligent business practices.

The incident has not hurt the company's stock price, either. At the close of business Monday, CHS's stock was actually up.

However, if neither regulatory pressures nor financial pressures will force CHS and similar organizations to harden their security, what will?

"Financial pressures alone have not been sufficient," says Hasib, "because most organizations have been able to get away with offering credit monitoring and other such measures which do not capture the total financial and personal hardship suffered by people who actually suffer from these breaches. We can see even with this breach the executives are only worried about addressing the financial loss. They appear oblivious to the moral wrong of not protecting the public good they have been entrusted with. Until this changes, we will continue to see breaches and problems like this."

Lucky for CHS that their insurance may cover the costs, because they already owe the Department of Justice over $88 million for unrelated reasons. Earlier this month CHS agreed to a settlement to end a DoJ investigation into the billing practices of over 100 of CHS's associated hospitals. The government was investigating whether or not the hospitals had been billing Medicare, Medicaid, and TRICARE for inpatient admissions costs that should have been billed as outpatient or observation visits.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
Alison_Diana, User Rank: Moderator, 8/19/2014 | 11:13:40 AM
Re: Stockholders 1: Patients 0
Yes, it's a steady drumroll: That healthcare organizations, especially providers, must do more to secure records. Saw a stat somewhere that relatively few providers have a chief security officer; even though HIPAA mandates organizations must name someone to head related issues, some providers (including larger ones) do 'security by committee.' You can imagine how well that works.
Sara Peters, User Rank: Author, 8/19/2014 | 10:33:59 AM
Re: Stockholders 1: Patients 0
The whole fact that 206 hospitals are run by a PUBLICLY TRADED COMPANY seems like a recipe for destruction. I've heard for years that eventually "the market" will make healthcare security a priority. But it hasn't. It might never.
Alison_Diana, User Rank: Moderator, 8/19/2014 | 9:50:23 AM
Re: Healthcare Infosec is horrendous
When speaking to CIOs and physicians, several have told me they fear patients' records being manipulated to include false information that could harm (or even kill) patients. They also worry about the cost of insurance fraud related to PHI theft increasing, further straining resources and the economy. Healthcare CIOs, who I believe have one of the hardest jobs in IT, have to 'sell' security to users that want super-simple, easy access that eliminates extra steps (which can harm patients, at times, if the delay is long enough). It's truly a rock and a hard place -- but security is mandatory.
Marilyn Cohodas, User Rank: Strategist, 8/19/2014 | 9:24:47 AM
Re: Healthcare Infosec is horrendous
Yes, I have to agree with you, Alison. It will take a major event to get the healthcare industry to wake up to the threats it faces. Unfortunately, the consequences of a HIT breach are even more consequential and far-reaching than retail.
Alison_Diana, User Rank: Moderator, 8/19/2014 | 9:15:45 AM
Stockholders 1: Patients 0
Like Mansur Hasib, I was struck by the comment CHS released reassuring its stockholders that the company's finances wouldn't suffer. That's great and all, but what about patients? Last night I discovered at least two local hospitals - Wuesthoff - in Brevard County, FL, were hit and, having been treated there, I'm waiting for word from them about any impact on my family's records. Some words of apology and reassurance to patients would have been polite.
Alison_Diana, User Rank: Moderator, 8/19/2014 | 9:13:23 AM
Re: Healthcare Infosec is horrendous
One reason HIPAA's age has had little (to no) impact on healthcare security: Until only recently it didn't have any teeth. Speaking to governance and security professionals, the government's steps to add serious penalties to HIPAA were smart and long overdue. Now, these folks have ammunition when recommending how healthcare orgs should protect patient data. Before this, they really didn't -- and too many healthcare CEOs and boards didn't do anything.

Sad as it is to say, when a Target-like breach occurs that might finally open some eyes.
Marilyn Cohodas, User Rank: Strategist, 8/19/2014 | 8:50:05 AM
Re: Healthcare Infosec is horrendous
Kate Borden wrote a stunning indictment of healthcare security practices in a blog, Healthcare Information Security: Still No Respect earlier this year. She argued that despite more than a decade of HIPAA regulations, healthcare information security officers still struggle to be heard. You are not alone @Robert McDougal!
Robert McDougal, User Rank: Ninja, 8/19/2014 | 8:19:57 AM
Healthcare Infosec is horrendous
Coming from a healthcare infosec background, I can confirm that the industry is nowhere near prepared for APTs. Many healthcare organizations believe a firewall is all they need to protect themselves and will not listen to anything different.