What Healthcare Should Learn from CHS' Heartbleed Breach

The widely publicized recent Community Health Systems data breach, which compromised the private information of about 4.5 million patients, has been shown to have resulted from the Heartbleed vulnerability – marking the first time Heartbleed has been linked to an attack of this size. According to researchers, the incident highlights changing security concerns for the healthcare environment.

TrustedSec said that it gained confirmation of Heartbleed as the initial attack vector from “a trusted and anonymous source close to the CHS investigation.” Attackers were able to glean user credentials from memory on a CHS Juniper device via the Heartbleed vulnerability and use them to log in via a VPN.

“From here, the attackers were able to further their access into CHS by working their way through the network until the estimated 4.5 million patient records were obtained from a database,” the firm explained in a blog. “This is no surprise as when given internal access to any computer network, it is virtually a 100% success rate at breaking into systems and furthering access. This is the first confirmed breach of its kind where the Heartbleed bug is the known initial attack vector that was used. There are sure to be others out there; however, this is the first known of its kind.”

Chris Wysopal, co-founder and CTO of application security company Veracode, said that the Heartbleed angle underscores the fact that healthcare vendors also need to be mindful of all products with open-source components, so they can react quickly when new vulnerabilities are made public.

“Vendors need a way to quickly understand where they have built products with open-source components,” he said in an email. “All products should use software composition analysis with an alerting mechanism for rapid response when a new vulnerability is made public in an open-source component. And if the software component analysis tool integrates with a SAST solution, all the better, so they can instantly find all locations of components in their previously scanned code.”

Michael Coates, OWASP chair and director of product security at Shape Security, told Infosecurity that what complicates this hack even further is the rise of the internet of things (IoT) and the fact that everything in a hospital is connected these days – from printers to imaging devices to the tablets doctors use on the wireless network. Many of these devices aren’t secure, and with attackers exploiting vulnerabilities like Heartbleed, breaking into one device could potentially open the way into the whole system.

“The internet of things is further exacerbating the security challenges of healthcare by adding to the complexity and quantity of systems that must be secured,” he explained in an interview. “Every new internet-enabled device is a new potential vulnerability point for an attacker to gain a foothold into the hospital network and access to patient data.”

IoT will also require healthcare providers to focus on very new frontiers for potential security weaknesses, as the definition of “internet-enabled device” continues to widen.

“The IoT will enable devices such as baby monitors, insulin pumps and even swallowed pills to communicate over the internet,” Coates said. “If not properly secured, attackers could access sensitive medical data and, in the worst case, potentially modify the functionality of the medical device itself.”

He added, “It is paramount that security is a primary factor in the design of internet-enabled devices. In addition, healthcare providers must understand their responsibility to securely configure and maintain these devices.”

The healthcare sector suffers from other unique challenges as well—including an entrenched compliance mindset.

“A big issue for the healthcare industry is the dangers and limitations of the compliance audit mentality,” Armond Caglar, senior threat specialist at TSC Advantage, told us. “Even though the Community Health Systems breach did not target records that were patient-related, it is nonetheless a wakeup call (as if there needed to be another one) for the greater healthcare industry to think about security, and not just in terms of satisfying compliance requirements. Now more than ever, hackers are targeting personal information and patients’ records, and covered entities and business associates alike must incorporate and exceed HIPAA compliance in order to avoid catastrophic data breaches. The baseline does not appear to be enough.”

The incident also demonstrates the need for hyper-vigilance in every organization when it comes to looking for infiltrations. “This is another example of how hackers use technical exploits and tools – in this case, Heartbleed – to steal credentials and move undetected within the IT environment by impersonating employees,” added Nir Polak, CEO and co-founder of Exabeam, in an interview. “The problem with the industry today is that it’s too easy for hackers to steal credentials, and once they get them it’s game over. It underscores the need for healthcare companies to more quickly identify these imposters by monitoring the network for suspicious user activity before a breach takes hold, rather than focusing their efforts on defending against attack tools.”
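One way to monitor for the credential replay described above, as an added example that is not code from the article or from any vendor quoted in it: it scores constructed VPN login lines against each account’s own history, flagging first-seen source addresses, off-hours logins, and several accounts arriving from one new address within minutes. The log format, the working-hours range and the thresholds are assumptions.

```python
"""Flag VPN logins that look like stolen credentials in use (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication log (not from the article or CHS).
# Three accounts log in from their usual addresses during the day, then all
# three appear from one never-before-seen address in the middle of the night.
SAMPLE_LOG = """\
2014-06-02T08:05:11 vpn-login user=jsmith src=203.0.113.7 result=success
2014-06-02T08:12:40 vpn-login user=mlee src=203.0.113.7 result=success
2014-06-02T08:30:15 vpn-login user=rkhan src=203.0.113.9 result=success
2014-06-03T07:58:02 vpn-login user=jsmith src=203.0.113.7 result=success
2014-06-04T02:14:09 vpn-login user=jsmith src=198.51.100.23 result=success
2014-06-04T02:15:31 vpn-login user=mlee src=198.51.100.23 result=success
2014-06-04T02:16:05 vpn-login user=rkhan src=198.51.100.23 result=success
"""

BUSINESS_HOURS = range(6, 22)              # assumed local working hours
SHARED_SRC_WINDOW = timedelta(minutes=15)  # assumed clustering window
SHARED_SRC_MIN_USERS = 3                   # assumed threshold

def parse(log):
    """Parse 'ts vpn-login k=v ...' lines into (ts, user, src, result) tuples."""
    events = []
    for line in log.splitlines():
        ts, _, rest = line.split(" ", 2)
        f = dict(kv.split("=", 1) for kv in rest.split())
        events.append((datetime.fromisoformat(ts), f["user"], f["src"], f["result"]))
    return sorted(events)

def detect(log):
    """Return (ts, user, src, rule) alerts for logins that deviate from each account's history."""
    seen = defaultdict(set)         # user -> source IPs used earlier in the log
    first_seen = defaultdict(list)  # src -> [(ts, user)] logins from a new source
    alerts = []
    for ts, user, src, result in parse(log):
        if result != "success":
            continue
        # An account's very first login only builds its baseline and is not judged.
        if seen[user] and src not in seen[user]:
            alerts.append((ts, user, src, "new_source"))
            first_seen[src].append((ts, user))
        if ts.hour not in BUSINESS_HOURS:
            alerts.append((ts, user, src, "off_hours"))
        seen[user].add(src)
    # Several accounts arriving from one new address within minutes is the
    # pattern of harvested credentials being replayed, not of one user roaming.
    for src, evs in first_seen.items():
        latest = evs[-1][0]
        users = {u for t, u in evs if latest - t <= SHARED_SRC_WINDOW}
        if len(users) >= SHARED_SRC_MIN_USERS:
            alerts.append((latest, ",".join(sorted(users)), src, "shared_new_source"))
    return alerts
```

Run against the sample, every alert points at the single new address, and the shared_new_source rule is the one that distinguishes a harvested-credential replay from one employee travelling.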

Additionally, healthcare companies should revoke any SSL certificates issued from certificate signing requests (CSRs) whose private keys may have been compromised.

“Organizations can accomplish this by contacting the certificate authority that issued the SSL certificates,” Jeffrey Lyon, co-founder at Black Lotus, told Infosecurity. “To make matters worse, this measure does not guarantee that the stolen keys will not be used, as many popular browsers do not check for revocation by default. As a result, side effects from Heartbleed will continue for many months or even years post-remediation.”
