Healthcare Providers targeted by Cyberattacks
21 · AUG ·2014
Individuals and businesses tend to be the main targets of cyberattacks in the West, particularly those that hold data such as financial details which can be used by cybercriminals. However, recent reports have suggested that hackers are now targeting healthcare providers in the US, including Community Health Systems.
It has been claimed that the healthcare provider was targeted two times – in April and in June of this year – and that 4.5 million patients’ personal details were stolen during the attacks. Data acquired by hackers included patient names, addresses, birthdates, telephone numbers and social security numbers, which can all be used to carry out identity fraud. Community Health Systems has claimed that no medical or financial details have been stolen, however this doesn’t mean that patients won’t be adversely affected in the future.
Discussing the issue, Lamar Bailey, director of security research and development at cybersecurity firm Tripwire, said: "When financial data is stolen, such as when credit card numbers are stolen from retailers, the retailer and card issuers are hit with the fraudulent charges and the costs for generating new cards. But when personal information is stolen - name, address, phone number, birthdates, and social security number - it impacts the person and not a company. This is the information needed for identity theft to allow criminals to open accounts in the names of the 4.5 million victims."
The FBI confirmed to Reuters that the attacks took place and that they believe the cybercriminals originate from China as the attacks were very similar to those carried out previously by a well-known Chinese hacking group. The attack was made possible due to the Heartbleed bug which was first revealed in April this year and exploits a flaw in OpenSSL. It is believed that the hackers were able to bypass Community Health Systems’ OpenSSL cryptography and access data that should have been digitally scrambled.
Even though the Heartbleed flaw was first reported in April, some companies have struggled to implement patches in order to protect their networks – including Community Health Systems. David Kennedy, chief executive of cybersecurity firm TrustSec, said: "What we can learn here is that when something as large as Heartbleed occurs (rare) that we need to focus on addressing the security concerns immediately and without delay. Fixing it as soon as possible or having compensating controls in place days before could have saved this entire breach from occurring in the first place."
America is one of the most targeted countries in the world for cyberattacks, particularly from countries such as China. In order to demonstrate this, cyberattack intelligence specialist Norse recently created a ‘Live Threat Map’ which shows attacks happening across the globe in real-time. They claim that their map can help organisations block attacks that other systems miss, however in order to protect themselves users must also implement their own security measures such as installing firewalls and anti-viruses which can help protect their networks from hackers.
It’s not just in the US where details of medical patients are at risk however, as shown by the hacker group Lulz Security who recently messaged the NHS to let them know that they had found a way to access their network. In an email to the health provider, the group said: "While you aren't considered an enemy - your work is of course brilliant - we did stumble upon several of your admin passwords. We mean you no harm and only want to help you fix your tech issues."
The group also posted part of their email on Twitter, however blacked out the names of the administrators whose details they had gained access to. The Department of Health responded to the group’s warning shortly after, with a spokesperson saying: "This is a local issue affecting a very small number of website administrators. No patient information has been compromised. No national NHS information systems have been affected. The Department has issued guidance to the local NHS about how to protect and secure all their information assets."