Healthcare // Security & Privacy
Commentary
11/25/2014 08:36 AM
Paula Knippa

What Healthcare Can Learn From CHS Data Breach

Security breach that exposed personal data on 4.5 million Tennessee healthcare system patients offers key lessons to prevent similar cyber attacks.

Tennessee-based Community Health Systems (CHS) disclosed in its Form 8-K SEC filing in August that its computer network had been hacked at least twice in April and June of 2014 through criminal cyber attacks originating from China. All healthcare organizations can learn from one health system's breach.

CHS -- which owns, operates, and leases 206 hospitals across 29 different states -- confirmed that these hacking incidents resulted in the theft of non-medical, patient-identifying information of 4.5 million individuals who had, in the last five years, been referred to or received services from physicians affiliated with CHS. This information included patient names, addresses, birthdates, telephone numbers, and Social Security numbers.

Although CHS portrays the attacks as incidents in which hackers used highly sophisticated malware and technology to attack its system -- and were thereby able to bypass its security measures to access the personal data of millions of patients -- sources closer to the investigation have described a different scenario. According to these sources, CHS's system was hacked through a test server that was never intended to be connected to the Internet at all. Because Internet connectivity was not contemplated, the security features that would -- and should -- be deployed in a live production server were not installed on the test server.

Unfortunately, sensitive VPN credentials were stored in the memory of the test server, so when it did become connected to the Internet, hackers were able to read that memory via the Heartbleed bug and obtain those VPN credentials. Hackers then used these credentials to access CHS's system and steal millions of patients' personal information. In a sense, it was as though CHS left the lights on and a note on the door, saying, "Hey, come on in. The key is under the doormat!"

Utterly avoidable
In these days of seemingly daily reports of data breaches, the danger lies in the potential for complacency in those charged with overseeing the design, implementation, and maintenance of cyber-security measures to protect data that healthcare companies collect from their patients. In other words, those responsible for corporate leadership and governance in the area of cyber security will become passively resigned to the perceived "inevitability" of a data breach, instead of systematically -- and systemically -- reviewing and transforming the company's cultural approach to cyber security and risk management.

For example, in this case, if cyber security had been ingrained as a paramount priority in the development, maintenance, and security teams at CHS, a "test" server would never have been loaded with valuable VPN credentials without the corresponding cyber-security features to prevent unauthorized access in the event that the server was ever connected to the Internet. If this is in fact how the data breaches occurred, this was an utterly foreseeable occurrence that could have been easily anticipated and guarded against.

What can healthcare learn?
The healthcare industry has developed -- as it must -- policies, procedures, and redundancies to protect patients from mistakes made in a medical treatment context. The same approach should be taken to protect patients' personal identifying information. Healthcare organizations must conduct a thorough review of their cyber-security policies and procedures for their computer network and data systems from their initial development to their implementation, maintenance, and ultimately, retirement. They should then document these policies and procedures and bring in an independent third-party vendor to review them to identify any gaps or vulnerabilities that could be exploited by cyber criminals.

Having documented these cyber-security policies and procedures -- and closed any gaps or vulnerabilities identified by a thorough, independent review -- healthcare organizations should then monitor, on an ongoing basis, compliance by their employees and/or vendors with those documented policies and procedures. Incorporating cyber security as a core value in a healthcare organization's culture is essential to minimizing, if not altogether eliminating, the risk of a data breach that damages not only the healthcare organization, but the patients who have entrusted their personal information to its care.

Paula Knippa, an attorney in the Austin office of Slack & Davis, represents clients in a range of litigation matters, including complex aviation and non-aviation business litigation, class and mass actions, as well as products liability and catastrophic personal injury ...
Comments
Alison_Diana
User Rank: Author
12/1/2014 | 12:03:18 PM
Re: Oversight is Inevitable, So Prepare Accordingly
Thanks so much for your kind words and for reading my articles, @RiskIQBlogger. Appreciate it! :)
RiskIQBlogger
User Rank: Apprentice
12/1/2014 | 11:49:21 AM
Re: Oversight is Inevitable, So Prepare Accordingly
I'm looking forward to your next point @Alison_Diana. This is a topic I follow pretty closely. Great job on this latest one!
Alison_Diana
User Rank: Author
12/1/2014 | 10:04:59 AM
Re: Misfeasance
The lack of CISOs -- or hiring CISOs who have zero authority -- will continue to bite healthcare organizations on the rump, as I will discuss in an upcoming piece on security in healthcare, later this week. (Or should that be insecurity in healthcare in 2015?)
Alison_Diana
User Rank: Author
12/1/2014 | 10:03:16 AM
Re: Oversight is Inevitable, So Prepare Accordingly
You are so right, @RiskIQ, that some things will fall through the cracks. In CHS' case, recall they originally blamed their EHR, a condemnation the developer speedily (and accurately it turned out) denied. That's another lesson I'd take away: If you're unsure of the reason, don't say anything to the media (on or off the record) until you've done your due diligence. And do your best to make sure all the other agencies you're working with in law enforcement agree to take the same stance.
asksqn
User Rank: Ninja
11/27/2014 | 10:57:24 PM
Misfeasance
LOL. To most negligent corporate entities such as CHS that are too cheap to hire competent Infosec personnel, showing the CEO how to bold text in MS Word represents "highly technical & sophisticated" software.
RiskIQBlogger
User Rank: Apprentice
11/26/2014 | 11:59:26 AM
Oversight is Inevitable, So Prepare Accordingly
Of course CHS would like to believe it was a sophisticated attack, and perhaps it was. However, the idea that it was an unaccounted-for connected test server seems very plausible.

If it was indeed a connected test server, it's very easy with 20/20 hindsight to say this breach could have been prevented. In my opinion that's an unsuccessful security posture.

I think it's better to assume things will fall through the cracks and prepare accordingly. We've conducted many large-scale studies into the frequency of rogue digital assets tied to brands, like rogue web infrastructure, unknown websites/apps on or off domain/ASN, rogue mobile apps, etc.

It's across the board in every type of organization, in all industries, that something belonging to them exists that's connected to the Internet, that is unknown and thus outside the scope of a given organization's security program.

At first glance this gap may appear harmless, but it's now leading to data breaches large and small because so much valuable data is being collected and stored in so many different ways.
Ariella
User Rank: Author
11/26/2014 | 11:03:02 AM
Re: data breaches
@Alison sure, we've been programmed to fill in all the blanks on doctor's forms, just as we're programmed to accept every test that they say they want to run. A pearl of wisdom from a doctor for better health was "Stay out of hospitals and refuse all tests (unless they explain that it is necessary for a particular reason)." Otherwise, every single patient in a hospital will get a daily blood test even when it is not relevant to his/her condition. They also tend to feed all patients Colace without considering actual necessity.
Alison_Diana
User Rank: Author
11/26/2014 | 10:57:08 AM
Re: data breaches
You raise a great point, @Ariella. Many organizations request medical information as a matter of course. And I still find healthcare organizations requesting Social Security numbers. My daughter saw a couple of doctors recently; the SSN line had not been crossed out (as it has at many healthcare providers) and one office even asked me to add her information after I left it blank. I responded that they are not allowed to request that information any more and I would not provide it, even if I knew her SSN. But how many people fill in that data as a matter of course, particularly as more practices (daycares, field trip providers, and others) now allow guardians to complete this information from home?
Ariella
User Rank: Author
11/25/2014 | 10:49:03 AM
data breaches
The thing is that even without a breach, that kind of data gets out all the time. Have you ever looked at the required medical form for a school or camp? It asks for all kinds of personal information way beyond the record of immunizations. And the schools and camps likely keep the paper files in unsecured locations.