The data included names, addresses, birthdates, telephone numbers and Social Security numbers—all of which are protected under the Health Insurance Portability and Accountability Act—and are valuable to identity thieves. The CHS data breach, if posted to the “wall of shame” website where major healthcare-record breaches are kept on public display by the Office for Civil Rights at HHS, will be larger than all but one of the 1,083 breaches posted until now, and larger than all 76 incidents attributed to hacking.
CHS said it is working with Mandiant, an information security company, to investigate the breach and help prevent future attacks. The health system has removed the malware from its network and finalized remediation efforts. Federal law enforcement agents also are investigating the incident, which CHS discovered last month and which it believes occurred in April and June. The chain notified affected patients and is offering them identity theft protection services. CHS said it carries cyber and privacy liability insurance for this purpose.
An Ohio security firm, TrustedSec, claimed the breach was carried out using the notorious Heartbleed Internet security vulnerability disclosed in April, which afflicted open-source encryption software. But the Heartbleed vector was not confirmed by CHS or Mandiant.
Hospitals have faced a spike this year in hacking activity, said Michael McMillan, CEO of security consulting firm CynergisTek. Such activity hasn't been publicly disclosed because the hacks were stopped before data were compromised, he said. “I know at least a half a dozen or so hacks against hospitals we work with where the data wasn't transferred, but it still caused a lot of disruption,” he said. Hospitals are “going to become a bigger and bigger target as the hacking community figures out it's easier to hack a hospital than it is to hack a bank and you get the same information.”
The CHS attack may be a harbinger of healthcare industry hacks, experts said. “This appears to be a crime of opportunity in which attackers penetrate a system for one type of information, such as IP, but in the process find they also have access to highly marketable (personally identifiable information),” said Stephen Cobb, a senior researcher with IT security firm ESET North America.
“That's the worst hack I've ever heard about,” said Pam Dixon, executive director of the World Privacy Forum, a not-for-profit advocacy group. “They can create new credit cards with these identities and won't get dinged, and they can go commit crimes with those identities.”
McMillan said an advanced persistent threat, as cited by CHS, “is a particular malware that never seems to go away… Depending on who released it and whatever its payload might be, it's looking for vulnerable systems.”
The awareness level of cybercrime—already high among healthcare security leaders—jumped last week with news of the CHS breach, said Lee Kim, director of privacy and security for the Healthcare Information and Management Systems Society. It has “gotten everyone's attention,” she said.
Still, a HIMSS survey released in February found that half of the 283 health IT and security professionals in hospitals and physician practices who responded to the survey reported their organizations spent 3% or less of their overall IT budgets on security. That's up slightly from previous surveys. But that's one-half to one-fourth as much as is spent by other industries where data security is critical, McMillan said.