Healthcare // Security & Privacy
News
8/18/2014
04:42 PM
Connect Directly
RSS
E-Mail

Chinese Hackers Hit Community Health System

Hackers who broke into network hospital group Community Health Systems stole non-medical customer data including credit cards, says new report.

Comment  | 
Print  | 
Comments
Newest First  |  Oldest First  |  Threaded View
progman2000
50%
50%
progman2000,
User Rank: Moderator
8/27/2014 | 7:12:31 AM
Not surprising
This doesn't really surprise, as pointed out in the article Patient Data is kept far less secure that retail/banking data and that stuff seems to get breached weekly.  The thought of what a Chinese hacking group wants with a bunch of patient data scares the @$#% out of me though...
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Author
8/19/2014 | 9:21:18 AM
Re: More insight
It puzzled me that these hackers reportedly didn't steal either credit data or PHI, but took only other personal info (like SSNs, addresses, and ages). Of course, this information is useful and valuable to cyberthieves but it makes me wonder whether they just happened across CHS, vs. it being a primary target. I'd also love to know more about how the malware was installed, although i suspect (and this is only a guess) it may have entered via social engineering. 
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Author
8/18/2014 | 5:37:54 PM
The Insurance Angle
I wonder whether the insurance companies that offer cybersecurity coverage can play a bigger role in encouraging healthcare organizations to invest more heavily and appropriately in security? I'm not saying that's the case at CHS, but some organizations spend very few dollars or other resources on securing data, networks, physical devices -- despite all the dire warnings coming from multiple sectors, including those without any monetary gain (but lots to lose). Just as your insurance decreases when you install a home alarm system or take a driver's ed class, you'd think rates for cybersecurity insurance could be cut substantially when organizations take multiple proactive steps to reduce risk. Anyone have more insight into this aspect?
danielcawrey
50%
50%
danielcawrey,
User Rank: Ninja
8/18/2014 | 5:37:29 PM
Re: More insight
Not promising news. Unfortunatley, there is a lot of low-hanging fruit for cybertheives to target. There's a financial incentive for this – because this type of information is value on certain markets.

Hopefully healthcare providers can find solutions to make these types of intrusions harder to perform. 
Ariella
100%
0%
Ariella,
User Rank: Ninja
8/18/2014 | 5:23:01 PM
Re: More insight
@Alison yes, it really is critical that there not be any weak spots.
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Author
8/18/2014 | 4:53:05 PM
More insight

Here's another comment I received after filing the story:

Even in large complex organizations, the threat of data breaches is determined by the weakest link, which may be a small organization that is a business partner. With healthcare organizations increasingly adopting electronic medical record systems and automating transaction processes, we may see more frequent and  disruptive breaches in this sector, at a time when healthcare organizations are trying to get patients, physicians and partners to adopt electronic records and processes.

 

So healthcare CEOs have to recognize that effective information security management is crucial, not just internally but also in processes involving external stakeholders and open networks.

 

Professor Amit Basu

Carr P. Collins Chair in MIS

Chairman, ITOM Department

Cox School of Business

Southern Methodist University

Healthcare Data Breaches Cost More Than You Think
Healthcare Data Breaches Cost More Than You Think
Healthcare providers just don't get it. They refuse to see the need to fully secure their protected health information from unauthorized users -- and from authorized users who abuse their access privileges. As a result, they don't allocate enough budgetary resources for securing medical data.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - September 10, 2014
A high-scale relational database? NoSQL database? Hadoop? Event-processing technology? When it comes to big data, one size doesn't fit all. Here's how to decide.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A look at the top stories from InformationWeek.com for the week of September 7, 2014.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.