Cybercriminals are increasingly targeting the computer networks of hospitals—one recently announced theft involved data from 4.5 million people who had received treatment from Community Health Systems (CHS), a company that runs more than 200 hospitals. Malware attacks are on the rise in many industries, but researchers from the security firm Websense say the rate at which attacks on hospitals has grown during the past year is unparalleled.
Data security is often lax within health-care facilities, and hackers are targeting systems that store troves of valuable personal information held in electronic medical records, according to the Websense researchers, who say they’ve observed a 600 percent increase in attacks on hospitals over the past 10 months.
Carl Leonard, senior manager of security research for Websense, says the so-called Heartbleed vulnerability was used in some of the hospital attacks. The bug, whose existence was first revealed to the public in April (two years after it first appeared), is a flaw in a widely used encryption software called OpenSSL. Criminals can exploit the flaw and trick vulnerable computers into revealing information stored in their memory. The Web security firm TrustedSec, citing sources close to the investigation, reports that the hackers who targeted CHS gained access to the network via the Heartbleed vulnerability.
Software vendors released patches immediately after Heartbleed was revealed, but recent research suggests that hundreds of thousands of systems are likely still vulnerable. Though there are many other ways that malware authors can infiltrate networks and steal sensitive information, “the massive number of systems that are susceptible to this vulnerability is unique,” says Websense’s Leonard.
Exacerbating the problem is that data security has not been a top priority for many health-care organizations. The health-care industry spends very little on IT compared to other industries, says John Halamka, chief information officer and dean of technology for Harvard Medical School. “Where do you think you’re going to find the vulnerabilities?” he says.
Whereas individual stolen credit card numbers and Social Security numbers now fetch relatively little in underground identity theft markets, certain personally identifiable information that can be gleaned from health records can be worth hundreds of dollars to uninsured people wanting to pose as someone else to obtain medical care they couldn’t otherwise afford, says Halamka.
Federal authorities and the security firm Mandiant told the U.S. Securities and Exchange Commission that the CHS data theft was carried out by a sophisticated group from China. Though that group has typically been after intellectual property pertaining to medical devices and equipment, this time, according the SEC filing, it stole “nonmedical patient identification data” and no credit card, medical, or clinical information. Yet it is not known what the hackers were seeking.