3
Huge CHS data hack puts hospitals on high alert Author: Conn, Joseph ProQuest document link Abstract: An outside group of hackers targeted Franklin, Tenn.-based Community Health Systems's computer network and stole nonmedical data on 4.5 million patients, the company disclosed last week in a regulatory filing. CHS, which has 206 hospitals in 29 states, said in the filing that a group originating in China used sophisticated malware and technology in the criminal attack and represents an advanced persistent threat. It said these hackers typically search for intellectual property on medical devices and other equipment, but instead stole personal data on patients who had sought care from its physician practices. CHS said it is working with Mandiant, an information security company, to investigate the breach and help prevent future attacks. The health system has removed the malware from its network and finalized remediation efforts. Hospitals have faced a spike this year in hacking activity, said Michael McMillan, CEO of security consulting firm CynergisTek. The CHS attack may be a harbinger of healthcare industry hacks, experts said. Full text: The lesson for healthcare executives from the news last week that Community Health Systems suffered the worst electronic records hack in healthcare privacy history is that constant vigilance--and lots more money--are needed to keep the same type of catastrophic breach from happening to their organizations. An outside group of hackers targeted the Franklin, Tenn.-based hospital chain's computer network and stole nonmedical data on 4.5 million patients, the company disclosed last week in a regulatory filing. CHS, which has 206 hospitals in 29 states, said in the filing that a group originating in China used sophisticated malware and technology in the criminal attack and represents an "advanced persistent threat." It said these hackers typically search for intellectual property on medical devices and other equipment, but instead stole personal data on patients who had sought care from its physician practices.

Huge CHS Data Hack Puts Hospitals on High Alert

  • Upload
    sucimy

  • View
    3

  • Download
    1

Embed Size (px)

DESCRIPTION

ttttt

Citation preview

Huge CHS data hack puts hospitals on high alertAuthor: Conn, JosephProQuest document linkAbstract: An outside group of hackers targeted Franklin, Tenn.-based Community Health Systems's computer network and stole nonmedical data on 4.5 million patients, the company disclosed last week in a regulatory filing. CHS, which has 206 hospitals in 29 states, said in the filing that a group originating in China used sophisticated malware and technology in the criminal attack and represents an advanced persistent threat. It said these hackers typically search for intellectual property on medical devices and other equipment, but instead stole personal data on patients who had sought care from its physician practices. CHS said it is working with Mandiant, an information security company, to investigate the breach and help prevent future attacks. The health system has removed the malware from its network and finalized remediation efforts. Hospitals have faced a spike this year in hacking activity, said Michael McMillan, CEO of security consulting firm CynergisTek. The CHS attack may be a harbinger of healthcare industry hacks, experts said.Full text: The lesson for healthcare executives from the news last week that Community Health Systems suffered the worst electronic records hack in healthcare privacy history is that constant vigilance--and lots more money--are needed to keep the same type of catastrophic breach from happening to their organizations. An outside group of hackers targeted the Franklin, Tenn.-based hospital chain's computer network and stole nonmedical data on 4.5 million patients, the company disclosed last week in a regulatory filing. CHS, which has 206 hospitals in 29 states, said in the filing that a group originating in China used sophisticated malware and technology in the criminal attack and represents an "advanced persistent threat." It said these hackers typically search for intellectual property on medical devices and other equipment, but instead stole personal data on patients who had sought care from its physician practices. The data included names, addresses, birthdates, telephone numbers and Social Security numbers--all of which are protected under the Health Insurance Portability and Accountability Act--and are valuable to identity thieves. The CHS data breach, if posted to the "wall of shame" website where major healthcare-record breaches are kept on public display by the Office for Civil Rights at HHS, will be larger than all but one of the 1,083 breaches posted until now, and larger than all 76 incidents attributed to hacking. CHS said it is working with Mandiant, an information security company, to investigate the breach and help prevent future attacks. The health system has removed the malware from its network and finalized remediation efforts. Federal law enforcement agents also are investigating the incident, which CHS discovered last month and which it believes occurred in April and June. The chain notified affected patients and is offering them identity theft protection services. CHS said it carries cyber and privacy liability insurance for this purpose. An Ohio security firm, TrustedSec, claimed the breach was carried out using the notorious Heartbleed Internet security vulnerability disclosed in April, which afflicted open-source encryption software. But the Heartbleed vector was not confirmed by CHS or Mandiant. Hospitals have faced a spike this year in hacking activity, said Michael McMillan, CEO of security consulting firm CynergisTek. Such activity hasn't been publicly disclosed because the hacks were stopped before data were compromised, he said. "I know at least a half a dozen or so hacks against hospitals we work with where the data wasn't transferred, but it still caused a lot of disruption," he said. Hospitals are "going to become a bigger and bigger target as the hacking community figures out it's easier to hack a hospital than it is to hack a bank and you get the same information." The CHS attack may be a harbinger of healthcare industry hacks, experts said. "This appears to be a crime of opportunity in which attackers penetrate a system for one type of information, such as IP, but in the process find they also have access to highly marketable (personally identifiable information)," said Stephen Cobb, a senior researcher with IT security firm ESET North America. "That's the worst hack I've ever heard about," said Pam Dixon, executive director of the World Privacy Forum, a not-for-profit advocacy group. "They can create new credit cards with these identities and won't get dinged, and they can go commit crimes with those identities." McMillan said an advanced persistent threat, as cited by CHS, "is a particular malware that never seems to go away... Depending on who released it and whatever its payload might be, it's looking for vulnerable systems." The awareness level of cybercrime--already high among healthcare security leaders--jumped last week with news of the CHS breach, said Lee Kim, director of privacy and security for the Healthcare Information and Management Systems Society. It has "gotten everyone's attention," she said. Still, a HIMSS survey released in February found that half of the 283 health IT and security professionals in hospitals and physician practices who responded to the survey reported their organizations spent 3% or less of their overall IT budgets on security. That's up slightly from previous surveys. But that's one-half to one-fourth as much as is spent by other industries where data security is critical, McMillan said. Healthcare leaders need to make larger investments in resources and personnel, focus on the most immediate security threats and identify where they need to outsource security work, he argued. And it's critical for organizations to educate their workforce. "If you look at most of the hacks we're having in the industry today, it's because someone in the workforce made a mistake, opened an e-mail and responded to a phishing exploit." --Beth Kutscher contributed to this article. MH TAKEAWAYS The CHS attack may be a harbinger of healthcare hacks in which attackers penetrate a system looking for one type of information, such as intellectual property, but in the process find valuable personal data that can be sold on the black market.


Opening Talk, Why We Hack \ AnalogFolk Hack Festival

Opening Talk, Why We Hack \ AnalogFolk Hack Festival

Technology
CHS Brochure

CHS Brochure

Education
 · TSANG PAK Kl Chinese Sex X2 CHS ECO ECO GEO ECO CHM GEO CHS GEO GEO GEO ECO ECO CHM CHS ECO GEO CHS CHM CHM CHS ECO CHM GEO CHS ICT ECO Other X3 . TENTATIVE This is only a tentative

 · TSANG PAK Kl Chinese Sex X2 CHS ECO ECO GEO ECO CHM GEO CHS GEO GEO GEO ECO ECO CHM CHS ECO GEO CHS CHM CHM CHS ECO CHM GEO CHS ICT ECO Other X3 . TENTATIVE This is only a tentative

Documents
Introduction to Optical Properties BW, Chs 10 & 11; YC, Chs 6-8; S, Chs 11-13

Introduction to Optical Properties BW, Chs 10 & 11; YC, Chs 6-8; S, Chs 11-13

Documents
Hack the hack

Hack the hack

Software
Quick Step Broken AMN Hack Wlan Hack Website Hack Admin Index

Quick Step Broken AMN Hack Wlan Hack Website Hack Admin Index

Documents
What the hack - Yahoo! Hack India Hyderabad 2013

What the hack - Yahoo! Hack India Hyderabad 2013

Technology
How to Hack a twitter account - Twitter Hack

How to Hack a twitter account - Twitter Hack

Internet
Media Hack Day 2014 — News Sightseeing Hack

Media Hack Day 2014 — News Sightseeing Hack

Technology
CN14-14 CHS/Community Health Systems purchase of … · CHS is a for-profit parent corporation of CHS/Community Health Systems. Neither CHS nor CHS/Community Health Systems are incorporated

CN14-14 CHS/Community Health Systems purchase of … · CHS is a for-profit parent corporation of CHS/Community Health Systems. Neither CHS nor CHS/Community Health Systems are incorporated

Documents
Chs Module2

Chs Module2

Documents
B338zh Chs

B338zh Chs

Documents
20140710semicon chs

20140710semicon chs

Documents
Store & Retrieve Data Anywhere | Amazon Simple …CHS-85 19 3/4 14 1/2 33 3/8 16 7/8 3 5/8 CHS-110 CHS-155 19 3/4 18 1/2 33 3/8 16 3/4 3 CHS-175 CHS-200 CHS-250 CHS-300 25 20 36 3/8

Store & Retrieve Data Anywhere | Amazon Simple …CHS-85 19 3/4 14 1/2 33 3/8 16 7/8 3 5/8 CHS-110 CHS-155 19 3/4 18 1/2 33 3/8 16 3/4 3 CHS-175 CHS-200 CHS-250 CHS-300 25 20 36 3/8

Documents
Fundrs.org chs

Fundrs.org chs

Business
CHS Winter 2020 Newsletter - CHS GROUP, LLC › uploads › 3 › 1 › 9 › 5 › 31955679 › newsletter… · CHS Winter 2020 Newsletter New Skills Sensory South County CHS is

CHS Winter 2020 Newsletter - CHS GROUP, LLC › uploads › 3 › 1 › 9 › 5 › 31955679 › newsletter… · CHS Winter 2020 Newsletter New Skills Sensory South County CHS is

Documents
Hack the hack vivatech

Hack the hack vivatech

Technology
Hack Day Tweet about Hack Day today! _technovation_

Hack Day Tweet about Hack Day today! _technovation_

Documents
Got Citrix? Hack IT!Got Citrix? Hack IT! · Got Citrix? Hack IT!Got Citrix? Hack IT! Shanit Gupta August 7th, 2008

Got Citrix? Hack IT!Got Citrix? Hack IT! · Got Citrix? Hack IT!Got Citrix? Hack IT! Shanit Gupta August 7th, 2008

Documents
CHS NEWSLETTER

CHS NEWSLETTER

Documents
HL GENERAL 2018 · 2019-12-13 · Hack 1: Be Present and Engaged Hack 2: Create C.U.L.T.U.R.E. Hack 3: Build Relationships Hack 4: Flatten the Walls of Your School Hack 5: Broadcast

HL GENERAL 2018 · 2019-12-13 · Hack 1: Be Present and Engaged Hack 2: Create C.U.L.T.U.R.E. Hack 3: Build Relationships Hack 4: Flatten the Walls of Your School Hack 5: Broadcast

Documents
chs.uonbi.ac.kechs.uonbi.ac.ke/sites/default/files/chs/chs/CHS EDITED... · Web viewCHESS COMPETITION FOR CHS PLAYERS FROM ALL THE SCHOOLS CHESS NAME SCHOOL POINTS PLACEMENT/MEDALS

chs.uonbi.ac.kechs.uonbi.ac.ke/sites/default/files/chs/chs/CHS EDITED... · Web viewCHESS COMPETITION FOR CHS PLAYERS FROM ALL THE SCHOOLS CHESS NAME SCHOOL POINTS PLACEMENT/MEDALS

Documents
Chs practicum

Chs practicum

Education
Abacus Hack Day Singapore - Winning hack

Abacus Hack Day Singapore - Winning hack

Technology
Hack Humanity - Hack The Workplace - Heroification & Gamification

Hack Humanity - Hack The Workplace - Heroification & Gamification

Education
Hack Clubs Hack Night: the "Things" edition

Hack Clubs Hack Night: the "Things" edition

Technology
CHS Reunion

CHS Reunion

Documents
Maintain CHS

Maintain CHS

Documents
CHS ALUMNI ASSOCIATION FALL 2013 Issue. 07 NEWSLETTERs504522713.onlinehome.us/.../2013_Issue_7_Fall_CHSAlumniNewsletter.pdf · FALL 2013 CHS ALUMNI ASSOCIATION NEWSLETTER CHS ALUMNI

CHS ALUMNI ASSOCIATION FALL 2013 Issue. 07 NEWSLETTERs504522713.onlinehome.us/.../2013_Issue_7_Fall_CHSAlumniNewsletter.pdf · FALL 2013 CHS ALUMNI ASSOCIATION NEWSLETTER CHS ALUMNI

Documents
Developing a Common Data Model ... - CHS-NHLBI | chs-nhlbi

Developing a Common Data Model ... - CHS-NHLBI | chs-nhlbi

Documents