A recent data breach at Community Health Systems illustrated the realistic, actual risk posed by connected medical devices when alleged Chinese hackers made off with the sensitive medical information of some 4.5 million people.
A vulnerability in OpenSSL, dubbed Heartbleed, emerged earlier this year. It affected perhaps more than 60 percent of the Internet at one time, and could theoretically give an attacker the ability to steal a certain amount of information during a client-to-server connection. Well, this could be the first real-world, widely publicized instance of criminals or state actors exploiting the nearly Internet-wide vulnerability for personal gain. Specifically, the attackers developed an exploit that allowed them to use Heartbleed to steal login credentials to Community Health Systems.
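Heartbleed came down to a missing bounds check: a TLS heartbeat request declares its own payload length, and vulnerable OpenSSL copied that many bytes back without confirming the payload was actually present. The parser below is an added illustration, not code from this post or from OpenSSL; it applies the same kind of length check the fix introduced and flags records that fail it, using constructed sample messages (the `is_heartbleed_probe` and `scan_records` helpers are hypothetical names).

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2   # heartbeat message types (RFC 6520)
MIN_PADDING = 16                 # RFC 6520 requires at least 16 bytes of padding
HEADER_LEN = 3                   # 1-byte type + 2-byte big-endian payload length


def parse_heartbeat(record: bytes):
    """Parse one heartbeat message body with the bounds check Heartbleed lacked.

    Returns (type, payload) or raises ValueError for a malformed message.
    """
    if len(record) < HEADER_LEN + MIN_PADDING:
        raise ValueError("record too short for a heartbeat header plus padding")
    hb_type, payload_len = struct.unpack("!BH", record[:HEADER_LEN])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        raise ValueError(f"unknown heartbeat type {hb_type}")
    # The check vulnerable OpenSSL skipped: header + declared payload + minimum
    # padding must fit inside the bytes actually received. Otherwise the
    # "payload" would be read from memory beyond the record.
    if HEADER_LEN + payload_len + MIN_PADDING > len(record):
        raise ValueError(
            f"declared payload {payload_len} exceeds record length {len(record)}")
    return hb_type, record[HEADER_LEN:HEADER_LEN + payload_len]


def is_heartbleed_probe(record: bytes) -> bool:
    """Detection rule: declared payload does not fit in the record."""
    try:
        parse_heartbeat(record)
    except ValueError as exc:
        return "exceeds record length" in str(exc)
    return False


def scan_records(records):
    """Return the indices of records a monitor should flag."""
    return [i for i, rec in enumerate(records) if is_heartbleed_probe(rec)]


# Constructed samples: a well-formed 4-byte "ping" request with 16 bytes of
# padding, and a request claiming 16384 payload bytes while carrying none.
BENIGN = b"\x01\x00\x04" + b"ping" + b"\x00" * 16
OVERSIZED = b"\x01\x40\x00" + b"\x00" * 16

if __name__ == "__main__":
    print(parse_heartbeat(BENIGN))           # (1, b'ping')
    print(scan_records([BENIGN, OVERSIZED]))  # [1]
```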
Who is Affected? How did this Happen?
In particular, this breach exposed the non-medical and non-payment information of 4.5 million patients who had been referred to or received services from physicians affiliated with Community Health Systems in the last five years. While no medical data was exposed, which is good, Social Security numbers (SSNs) were exposed, which is quite obviously bad. In addition to SSNs, attackers made off with patient names, addresses, dates of birth and in some cases, patient employers or guarantors and phone numbers.
The silver lining here may actually be that the attackers in this case were advanced persistent threat actors. They probably weren’t looking for consumer SSNs. In fact, various experts from the security firm Crowdstrike and elsewhere say the attackers probably sought intellectual property relating to medical systems that the People’s Republic could put to use providing care for their aging population.
In this effort, “APT 18” (also known as “Dynamite Panda”) failed. That said, it’s hard to say what they’ll do with this vast store of sensitive information.
A Larger Issue
However, the problem of healthcare data breaches has been one for years, and it isn’t going to get any better any time soon. Here’s why:
When we talk about medical device security, we tend to talk about the fantastic and the grim; tales of remotely hacking insulin pumps and pacemakers, maiming and murdering with laptops. Luckily for anyone with a persistent medical condition treated by an embedded and/or connected medical device, the likelihood of assassination by laptop – as I learned in a recent Black Hat briefing – is effectively nonexistent. In fact, Rapid7 medical device security expert Jay Radcliffe said these connected medical devices do far more good than harm.
The problem, for the time being, appears to be more systemic and growing. It relates more to the way that doctors, hospitals and even medical devices store, share and make data accessible. As was pointed out in a discussion with Radcliffe, the most probable scenario through which a connected medical device could impact personal safety would be if a patient was treated improperly due to medical records that had been tampered with or changed – whether by hacking or accident.
In an interview on NPR’s Fresh Air with Terry Gross earlier this week, Dr. Sandeep Jauhar, a cardiologist and author, suggested that a big part of the reason why U.S. healthcare lags behind others in the world is a lack of information sharing in the country. Thus, in order to improve the U.S. healthcare system – and come into compliance with the Affordable Care Act – there will need to be more connectivity between medical devices, more communication between healthcare providers, more remote access to data and, more likely than not, more exposure of sensitive health information. And this is just in the U.S. Jauhar’s statement implies that this sort of data sharing is already going on in countries with more advanced healthcare systems, only perpetuating the problem.
This isn’t to say all is hopeless. The Health Insurance Portability and Accountability Act (HIPAA) is designed in part to protect the security and privacy of consumer healthcare information. Hospitals and manufacturers have guidelines they are required to follow in order to be in compliance with HIPAA. Unfortunately, data breaches are all but inevitable and no security plan is perfect. Everyone – regardless of how hard they try – gets compromised eventually.
What if You Are Affected and How Would You Know?
Community Health Systems is in the process of sending notifications to anyone whose information was exposed in the attack. So what should you do if you receive one of these letters? We recommend you enroll immediately in credit monitoring services, which Community Health Systems will be offering for free to all of the victims. The breach notification letter will contain instructions on how to enroll.
Beyond that, you will want to monitor your credit report on your own to make sure no one is using your SSN to take out lines of credit. Community Health Systems’ breach notification page has contact information, so you should reach out to them if you have any further questions.
Lastly, the Federal Trade Commission has a website dedicated entirely toward walking people through the identity theft reaction process. If ever you are concerned about identity theft, that site is a great place to begin.