Healthcare Technology Featured Article

August 21, 2014

Chinese Hackers use Heartbleed Vulnerability to Breach Community Health Systems

When the Heartbleed bug was announced in April of this year, the potential of the OpenSSL vulnerability had many people worried, and rightfully so, because websites secured with the software were susceptible to hacking. A week after it was made public, Chinese hackers exploited that vulnerability, breached Community Health Systems Inc. and stole Social Security numbers, names, addresses and other personal data belonging to 4.5 million customers of the second-largest for-profit chain of hospitals in the U.S., which has 206 hospitals in 29 states.

As soon as the Heartbleed bug was discovered, the OpenSSL Project released a fix, and websites began to apply the new patches for the software. Organizations that followed the protocol were able to protect their websites and the information of their customers.

A report from International Business Times said the hackers were able to steal the information from the memory of a hospital device manufactured by Juniper Networks, which they then used to log in through a virtual private network (VPN), allowing them to extend their access into the company's network. The attack apparently took place in April and June, according to a U.S. regulatory filing Community Health Systems made on August 18.

According to Bloomberg, the Chinese embassy spokesman in Washington, Geng Shuang, told them in an Aug. 18 email it wasn’t aware of the attack and said, "Chinese laws prohibit cybercrimes of all forms and Chinese government has done whatever it can to combat such activities. Making groundless accusations at others is not constructive at all and does not contribute to the solution of the issue."

Security experts believe this attack was perpetrated by a group that has a history of stealing intellectual property from healthcare companies, and the theft of personal data is an unusual turn. Community Health said the data that was stolen did not include medical or clinical information, credit card numbers, or any intellectual property such as data on medical device development.

This contradicts the previous methods of operation of this group of Chinese hackers, which is known for pursuing intellectual property or information that could provide leverage during a business or political negotiation. No matter who was responsible, the fact of the matter is that companies are spending a higher percentage of their budgets to fend off these attackers.

The Ponemon Institute's 2014 Cost of Data Breach: Global Analysis report reveals that the average cost to a company for a data breach increased by 15 percent over last year and now stands at $3.5 million. Companies are reluctant to spend the amount it takes to protect their assets adequately, but not doing so will result in a bigger financial impact, along with the loss of the trust and confidence customers have in the organization.

Edited by Maurice Nagle