A great hacker will find HIT system flaws, exploit them
When you think about how an “advanced persistent threat,” i.e., a hacker, works, think of a professional quarterback like the Green Bay Packers' Aaron Rodgers.
Smart, capable and most of all flexible, a pro QB will read a defense and exploit whatever weakness it offers. He might look first for a 50-yard TD strike to the split-end running a fly down the sideline. But if the cornerback has that guy covered, he'll look next for the flanker on a cross 20 yards deep. If the safety is blanketing the flanker, the wily QB will take what he can get, either dumping off to a halfback sneaking in front the linebackers in the hook zone 7 yards downfield or, if the tackles are split and he's fleet afoot like Rodgers, running the ball himself.
That progression gives you some sense of the nature of the hacker, or hackers, that scored 4.5 million times on Community Health Systems recently.
According to CHS' filing with the Securities and Exchange Commission on Monday, the publicly traded hospital chain, quoting its forensic expert, Mandiant, reported that their hacker or hackers had stuck in April and June and were an “advanced persistent threat” originating from China.
Federal authorities joined Mandiant in informing CHS that the intruder “typically sought valuable intellectual property, such as medical device and equipment development data.”
Having found vulnerability in a computer system serving CHS' physician practices but, apparently, no intellectual property, the hacker seemingly “checked off” and stole what was at hand, the names, addresses, Social Security numbers and other demographic data on 4.5 million patients.
It's info that won't enable the hacker to purloin the latest health tech breakthrough, but it's still quite valuable to identity thieves.
If there is Karma to befall the CHS hacker, the sheer magnitude of their success—the breach is the second largest in the history of the “wall of shame” kept by the Office for Civil Rights at HHS, and the largest attributable to a hacking incident—is likely to have a detrimental impact on his or her marginal returns.
According to a report, “Markets for Cybercrime Tools and Data: Hackers' Bazaar” released this year by the RAND Corp., after a large breach, “the (black) market may be flooded with data, causing prices to go down.” One expert RAND cited said the price of a stolen record dropped from $15 to $20 each to 75 cents over as short period.
An advance persistent threat is a particular type of malware that stalks the Internet relentlessly, always looking for vulnerability, said data security expert Michael “Mac” McMillan. And when it finds a weakness, “it can create temp files and transfer things out. It's got multiple capabilities to do harm. Whenever it is lucky enough to find a network that is vulnerable to it, it just does its thing.”
Like Rodgers does often to the Chicago Bears.
How did CHS and Mandiant know the attack stemmed from China?
An Internet Protocol, or IP address, is assigned to computer systems on the Internet. There is a regional, geographical component to them, so the location of an attacking computer can be identified through them. “But to some degree, it's still kind of circumstantial,” McMillan said. “They come out of Indonesia, Russia, China and Africa, where we don't have good cooperation for investigation.”
So in the end, an attack that appears to be coming from a computer abroad, “may be coming out of Sacramento and they're using a server in Africa they control, knowing when the trail hits there, it goes cold.”
Constant vigilance is the burden healthcare IT defenders must bear in this endless game against hackers, according to McMillan. There are no half times and no TV time outs.
“That's why patching is so important,” McMillan said. “For every system you deploy on the network, there are settings and patching that make it less vulnerable to threats.”
Controlling new software or upgrades and reviewing them for risks before they're installed on the network is crucial, too, he said.
“We have to be right all of the time and the hacker only has to be lucky once.”
Follow Joseph Conn on Twitter: @MHJConn