Is Heartbleed Behind Healthcare Breach?Analyzing the Cause of Community Health Systems Compromise
The breach at Community Health Systems that compromised information on 4.5 million patients was the result of hackers taking advantage of the Heartbleed flaw, according to one security vendor, which cites an anonymous source. Meanwhile, other security experts are weighing in on whether the OpenSSL vulnerability could have been the pathway to sensitive information.
TrustedSec, an information security consulting service, says it learned from a "trusted and anonymous source close to the CHS investigation" that the initial attack vector into the hospital chain's systems was the OpenSSL vulnerability.
"Attackers were able to glean user credentials from memory on a CHS Juniper device via the Heartbleed vulnerability ... and use them to log in via a VPN [virtual private network]," TrustedSec said in an Aug. 19 blog.
From there, the attackers were able to further their access into the hospital chain's systems by working their way through the network until the patient information was obtained from a database, the security firm says.
David Kennedy, CEO at TrustedSec, which is not involved in the investigation, tells Information Security Media Group that the Heartbleed vulnerability was the "initial entry point" for the breach. When asked why the unnamed source went to TrustedSec with the information, Kennedy replied: "They were not authorized to speak on behalf of CHS or the investigation publicly."
Community Health Systems did not immediately respond to a request for comment.
Heartbleed exposes a flaw in OpenSSL, a cryptographic tool that provides communication security and privacy over the Internet for applications, such as e-mail, instant messaging and some virtual private networks (see: Heartbleed Bug: What You Need to Know).
The OpenSSL vulnerability was exploited in April by a hacker who compromised the Canada Revenue Agency website (see: Teen Charged in Heartbleed Breach). Mumsnet, a UK website for parents, forced all of its users to change their passwords after it discovered that a cyber-attacker had taken advantage of the Heartbleed bug to access data from users' accounts (see: Heartbleed Breach Reported in UK).
To mitigate the risks, organizations should have updated to Fixed OpenSSL and regenerated sensitive information, such as secret keys and passwords, for any system that may have been exposed, security experts say.
Questioning Heartbleed Connection
Information security experts offer widely varying reactions to the TrustedSec announcement about the Heartbleed vulnerability.
"Until we have a complete analysis, opinions on the cause are speculative," says Christopher Paidhrin, security administration manager in the information security technology division of PeaceHealth, a healthcare delivery system in the Pacific Northwest.
But others say evidence could connect the dots between the OpenSSL flaw and the Community Health Systems breach.
"The Heartbleed vulnerability was disclosed April 7," says Alan Dundas, a security architect and vice president at Authentify, an authentication provider. "Community Health has indicated they were breached in April and June. If one were to read those tea leaves, it's entirely possible Heartbleed was the culprit."
Heartbleed can also "slip through the cracks" easily, says Robert Graham, CEO of research firm Errata Security. "Organizations often believe they are fully patched, but aren't," he says. If the hospital chain had an unpatched system, then it would be easy for attackers to view information, such as patient credentials, he adds.
Kennedy at TrustedSec contends the Heartbleed connection to the hospital chain breach shows that hackers were actively attacking companies "almost instantly" when news of Heartbleed first went public. "Many other companies could have been impacted, attacked and possibly gone unnoticed," he says. "This is one of many to follow, unfortunately."
How to Respond
Regardless of whether Heartbleed is tied to the hospital chain breach, organizations should address their vulnerabilities now.
"This is a case where patching 99 percent of systems is 0 percent effective at remediating the vulnerability," says Mike Weber, vice president at Coalfire Labs, a forensics firm. "Patching, regenerating private keys, acquiring new SSL certificates, and changing user credentials on all affected systems is the only way to effectively mitigate this threat."
Regardless of how the breach occurred, every organization needs to ask itself, "What is valuable to us, worth protecting, and what are we willing to do, and pay, to protect it?" Paidhrin says.
"Every organization has a responsibility to their stakeholders and customers to apply due care and due diligence," he says. "The information age has become the cybersecurity age. Organizations that do not have risk identification and remediation programs are not tempting calamity, but inviting it."
Mandiant, which is providing forensics services to the hospital chain, believes that an "advanced persistent threat group originating from China used highly sophisticated malware and technology to attack the company's systems," according to Community Health System's 8-K filing to the U.S. Securities and Exchange Commission.
In its 8-K filing, the hospital chain says the attack most likely occurred in April and June. Attackers used highly sophisticated malware to bypass Community Health System's security measures and successfully copy and transfer certain information out of the system, the filing says.
Compromised information includes names, addresses, birthdates, telephone numbers and Social Security numbers for patients who, in the last five years, were referred for or received services from physicians affiliated with Community Health Systems, which operates 206 hospitals in 29 states.