Breaking News – updated at end. Earlier this year [TTA 23 Apr] this Editor commented on the fourth annual update from the Ponemon Institute plus a qualitative study from IS Solutions that contained mostly unwelcome news for healthcare IT departments in the US. Ponemon’s new estimate of data breaches’ cost per year: $5.6 billion. While noting some progress against the existential threat that data breaches present to institutional and personal security, both reports also outlined the disconnect between HIT professionals busy dealing with and sealing off the mice of internal causes versus the looming, huge menace of the external criminal threat. We now know that Godzilla has arrived and he’s stomping ‘n’ chomping. Community Health Systems of Franklin, Tennessee stated today in an SEC regulatory filing that hackers originating in China, using cyberattacks and sophisticated malware, breached sensitive information in 4.5 million patient records accumulated over five years, in attacks during April and June.
CHS discovered the breach in July and has been working with security firm Mandiant and Federal law enforcement. Tracing the hackers’ M.O., they found that this group typically seeks intellectual property on medical equipment and development software, but, failing that, raided patient names, addresses, birth dates, telephone numbers and Social Security numbers. The company owns, operates or leases 206 hospitals in 29 states, and management has offered affected patients identity theft protection programs.
The Modern Healthcare report quotes Michael McMillan of CynergisTek on increasing hacks aimed at healthcare institutions. Hospitals are “going to become a bigger and bigger target as the hacking community figures out it’s easier to hack a hospital than it is to hack a bank and you get the same information,” McMillan said. “I’m not sure healthcare is listening yet.”
Update 20 Aug: Reuters reports that the hackers operating from China took advantage of the ‘Heartbleed’ bug by targeting vulnerabilities in the CHS virtual private network (VPN) used for employee remote access. The hackers used stolen credentials to enter the network and took it from there. The VPN used equipment from provider Juniper Networks. Reuters interviewed David Kennedy, chief executive of TrustedSec LLC, who last appeared here in his damning Congressional testimony on the multitudinous security flaws of Healthcare.gov, towards the end of our beating that particular stick into the ground. (We note that the possibility of Belarusian backdoors in that website surfaced once and was never confirmed, or denied.) One question: Heartbleed was disclosed in April. It would have been logical for CHS’ IT security to be looking for it then, and for an April attack to be discovered at that time. Instead, it was not discovered until July, after a second attack.