8/18/2014
04:42 PM

Chinese Hackers Hit Community Health System

Hackers who broke into the network of hospital group Community Health Systems stole non-medical customer data including credit cards, says a new report.

Hackers might have stolen the personal data of approximately 4.5 million people, hospital group Community Health Systems disclosed Monday.

Cyberthieves accessed the general acute-care hospitals operator's network in April or June, said Community Health Systems (CHS) in an SEC report. Data included patient names, addresses, Social Security numbers, birth dates, and telephone numbers, but did not include patient credit or health information, CHS said. The records came from people who were referred to or received treatment from the organization over the past five years, it said.

CHS affiliates "own, operate, or lease 206 hospitals in 29 states, with approximately 31,100 licensed beds," according to its website.  In its most recent financials, released on July 31, the organization reported net operating revenue for the three months that ended June 30 of $4.779 billion, a 49.8% increase over net operating revenue of $3.191 billion for the same period in 2013.

Forensic expert Mandiant (acquired by FireEye in January) and CHS believe the network hacker was an advanced persistent threat group from China that used "highly sophisticated malware and technology" to attack the network. Hackers bypassed CHS's security infrastructure, then used their illegal access to copy and transfer patients' data, the report said.

CHS did not respond to InformationWeek's request for an interview by press time.

After being hired by CHS in June to investigate the intrusion, Mandiant helped CHS implement measures to "increase its ability to inhibit, detect, respond, and contain future advanced attacks," said Charles Carmakal, managing director of Mandiant, via email.

Mandiant notified federal law enforcement officials of the break-in, CHS said. In the past, the suspected hackers have pursued intellectual property, including medical device and equipment development information, although in this breach they stole patient data.

In addition to removing the malware and implementing additional "remediation efforts," CHS is offering identity theft protection services to those potentially affected by the breach. The organization's cyber/privacy/liability insurance protects Community Health Systems from certain losses related to breaches, it said.

"I think the most important takeaway for healthcare CIOs/CEOs is that healthcare has to make similar investments in information security as the banking and financial industry has recently done," CISSP and information security consultant to the Los Angeles County Department of Public Health Sascha Schleumer told InformationWeek. "From the perspective of malicious hackers, why bother going after difficult targets when there are so many in the healthcare sector that have fewer protections. It's the same reason HR departments and tax preparers are being targeted -- less effort and more reward for the criminals."

Healthcare in general is less secure than retail, BitSight Technology determined earlier this year. As InformationWeek reported in May, healthcare took the longest time to respond to a breach -- taking more than five days to remediate illicit access -- compared with retailers' average four-day response.

The breach notification comes only weeks after Community Health Systems entered a settlement agreement with the US Department of Justice after an investigation into short-stay hospital admissions through emergency departments at some of its affiliated hospitals. The government concluded that 119 hospitals billed various payers for inpatient treatments that should have been billed as outpatient or observation cases. Under the agreement, Community Health Systems and affiliated hospitals agreed to pay more than $88 million but admitted no wrongdoing. It also entered into a five-year corporate integrity agreement (CIA) that's been incorporated into the organization's existing compliance program.

Alison Diana has written about technology and business for more than 20 years. She was editor, contributors, at Internet Evolution; editor-in-chief of 21st Century IT; and managing editor, sections, at CRN. She has also written for eWeek, Baseline Magazine, Redmond Channel ...

Comments
progman2000,
User Rank: Ninja
8/27/2014 | 7:12:31 AM
Not surprising
This doesn't really surprise, as pointed out in the article Patient Data is kept far less secure than retail/banking data and that stuff seems to get breached weekly. The thought of what a Chinese hacking group wants with a bunch of patient data scares the @$#% out of me though...
Alison_Diana,
User Rank: Author
8/19/2014 | 9:21:18 AM
Re: More insight
It puzzled me that these hackers reportedly didn't steal either credit data or PHI, but took only other personal info (like SSNs, addresses, and ages). Of course, this information is useful and valuable to cyberthieves but it makes me wonder whether they just happened across CHS, vs. it being a primary target. I'd also love to know more about how the malware was installed, although I suspect (and this is only a guess) it may have entered via social engineering.
Alison_Diana,
User Rank: Author
8/18/2014 | 5:37:54 PM
The Insurance Angle
I wonder whether the insurance companies that offer cybersecurity coverage can play a bigger role in encouraging healthcare organizations to invest more heavily and appropriately in security? I'm not saying that's the case at CHS, but some organizations spend very few dollars or other resources on securing data, networks, physical devices -- despite all the dire warnings coming from multiple sectors, including those without any monetary gain (but lots to lose). Just as your insurance decreases when you install a home alarm system or take a driver's ed class, you'd think rates for cybersecurity insurance could be cut substantially when organizations take multiple proactive steps to reduce risk. Anyone have more insight into this aspect?
danielcawrey,
User Rank: Ninja
8/18/2014 | 5:37:29 PM
Re: More insight
Not promising news. Unfortunately, there is a lot of low-hanging fruit for cyberthieves to target. There's a financial incentive for this – because this type of information is valuable on certain markets.

Hopefully healthcare providers can find solutions to make these types of intrusions harder to perform. 
Ariella,
User Rank: Ninja
8/18/2014 | 5:23:01 PM
Re: More insight
@Alison yes, it really is critical that there not be any weak spots.
Alison_Diana,
User Rank: Author
8/18/2014 | 4:53:05 PM
More insight

Here's another comment I received after filing the story:

Even in large complex organizations, the threat of data breaches is determined by the weakest link, which may be a small organization that is a business partner. With healthcare organizations increasingly adopting electronic medical record systems and automating transaction processes, we may see more frequent and disruptive breaches in this sector, at a time when healthcare organizations are trying to get patients, physicians and partners to adopt electronic records and processes.

So healthcare CEOs have to recognize that effective information security management is crucial, not just internally but also in processes involving external stakeholders and open networks.


Professor Amit Basu

Carr P. Collins Chair in MIS

Chairman, ITOM Department

Cox School of Business

Southern Methodist University
