In an interview Thursday, Kennedy also wouldn't identify his sources, averring that there was more than one contact who leaked the information to him and that they were credible. The timing of the attacks, in April and June, provides some independent, albeit circumstantial, support for Kennedy's assertion of a Heartbleed connection.
The vulnerability was first disclosed in early April. A patch was made available promptly. But there is a critical difference between knowing of a patch and applying it throughout a computer network, particularly in a vast organization like CHS, which claims 206 hospitals in 29 states. With hackers able to move at the speed of the Internet, time is not on the defenders' side.
Lillian Ablon, a researcher at RAND Corp. and co-author of a report on the burgeoning marketplace for cybercrime, pointed out that another security firm, Errata Security, reported in June that Heartbleed patch work (on all systems, not just in healthcare) spiked at the announcement but has since leveled off, leaving 300,000 systems still vulnerable.
For those who used an encryption system drawing on the Heartbleed-impacted OpenSSL library, “Even though a patch might exist, it can be difficult to implement,” Ablon said. Doing so may require slowing down or stopping business or a critical piece of equipment for testing or compliance requirements. “So it's not as though people don't want to patch—they may just be hampered by other external issues. This leaves many still open and vulnerable,” she said.
So far, CHS has kept mum about a possible Heartbleed connection to its breach, although it did mention in its SEC filing that the hack stemmed from an “Advanced Persistent Threat group originating from China” that used “highly sophisticated malware and technology.”
Kennedy insists it was Heartbleed, adding, “I think this is the first of many we're going to see in the next few years or so.” The problem for many healthcare organizations is, “they don't know they've been attacked,” he warned.
Follow Joseph Conn on Twitter: @MHJConn