Suspicion falls on Heartbleed in CHS hack
By Joseph Conn
It seems that healthcare information technology security specialists may have been right back in April when they warned that healthcare data systems were at risk from the then-newly discovered Heartbleed vulnerability.
While there is no official confirmation that the highly publicized Heartbleed bug was used to drain Community Health Systems of the demographic information on 4.5 million patients, an Ohio security firm, TrustedSec, is saying that it was a Heartbleed-enabled hack.
Citing “a trusted and anonymous source close to the CHS investigation” in a blog post on the company's website, TrustedSec said “(t)he initial attack vector was through the infamous OpenSSL ‘(H)eartbleed’ vulnerability which led to the compromise of the information.”
OpenSSL is a widely deployed, open-source software library used to encrypt data moving over a network. The software reportedly was saddled with a defect, dubbed Heartbleed due to the centrality of its affected functions, that had been inserted during a late-night upgrade two years before it was discovered this spring by a Google engineer and a team from Codenomicon, a security software firm based in Finland.
In healthcare, industry experts warned back then, the systems exposed by Heartbleed could include websites, physician and patient portals, secure e-mail services, medical monitoring devices, remote-access PACS/RIS systems and any other computer-based system that relies on OpenSSL encryption to protect healthcare data moving over the Internet.
At the time of its discovery, federal officials also were concerned enough about the potential threat from Heartbleed that they recommended citizens change their passwords to the HealthCare.gov health insurance exchange website, as well as the petitions page on WhiteHouse.gov.
Two weeks after the bug was announced, Canadian police arrested a 19-year-old for using Heartbleed to hack into computers at the Canada Revenue Agency and remove the Social Insurance Numbers of about 900 taxpayers.
Worse, though, Heartbleed enables hackers to lie in wait as data moves across the connection and then copy that unencrypted traffic, mining it for log-ins and passwords, which would enable the hacker to gain deeper access into the system, healthcare industry experts said in April.
And that is what TrustedSec is reporting happened at CHS. “Attackers were able to glean user credentials from memory” on a network device at CHS during the period of vulnerability to Heartbleed, “and use them to log in via a VPN (virtual private network).”
“From here, the attackers were able to further their access into CHS by working their way through the network until the estimated 4.5 million patient records were obtained from a database,” TrustedSec said. “This is no surprise, as when given internal access to any computer network, it is virtually a 100% success rate at breaking into systems and furthering access. This is the first confirmed breach of its kind where the (H)eartbleed bug is the known initial attack vector that was used.”
A spokesperson for CHS could not be reached at deadline to confirm whether Heartbleed was involved in its breach.
If it was Heartbleed, will CHS be its last victim? Maybe not.
What makes Heartbleed so insidious (and it remains so even though a patch for the hole it opened in security systems has been available since April) is that an intrusion using it is extremely difficult to detect.
The CHS breach is the second largest in the history of the “wall of shame” website, where breaches involving the patient records of 500 or more persons have been listed since 2009 by the Office for Civil Rights at HHS.
The CHS breach is by far the largest of the 76 on the list attributed to hackers, and the second largest of all 1,083 breaches on the list.
“It is safer to say it is the second-largest known intrusion,” said Martin Lindner, principal engineer, CERT Division, Carnegie Mellon University's Software Engineering Institute. But there could be others that have escaped detection.
“We know what we know, but we don't have a clue about what we don't know,” Lindner said. “If an organization is willing to report an intrusion, great, we know about it.” And laws such as HIPAA and Sarbanes-Oxley make reporting of some known breaches more likely. But, Lindner said, “Before you report, you have to know something bad had happened.” And that's not always the case.
Carnegie Mellon's CERT is the founding member of what is now a global network of Computer Emergency Response Teams, sort of the smoke jumpers of the cyber attack world.
And so, you might ask, what is the likelihood there are more CHS-like hacks out there, with their systems breached, but their owners still in the dark about it?
“Incredibly high,” said Lillian Ablon, a RAND Corp. researcher and coauthor of a recent report on global cybercrime.
And would encryption of the CHS data have mitigated the effect? Maybe.
Even though Heartbleed enabled the hackers to decrypt traffic moving across one connection, encryption of the data that CHS stored elsewhere in its system, and that the hackers ultimately stole, might have helped, Ablon suggested.
Her analogy is to think of hackers as burglars. “Heartbleed allowed for the attackers to steal the key to the front door of the house,” Ablon said. “But the ‘jewels’ might be behind another locked door, or in a safe, which would require a different key—not related to the key used to open the front door.”
Follow Joseph Conn on Twitter: @MHJConn