On August 18, 2014, Community Health Systems (CHS) reported to the Securities and Exchange Commission (SEC) that they had suffered a major data breach of 4.5 million items of “non-medical patient identification data related to our physician practice” in June. The data did not have any medical or credit card information, but did contain names, social security numbers, addresses, and other information useful for identity theft. Mandiant (an information security investigation firm) believes the people responsible to be an “Advanced Persistent Threat” (APT) group originating from China.
This APT team typically is found looking for intellectual property and was likely looking for information on medical device and equipment development. This group is called an Advanced Persistent Threat team because of the advanced nature of their attacks and the length of time they are able to control a system. They are known to have maintained one compromise for over four years. Mandiant has publicly identified and created detailed reports on the APT groups from China.
Several theories abound on why this team changed from their typical goal of industrial espionage. Some believe the data may have been accidently taken, thinking it was medical device information. Others suspect that members of the APT unit have “gone rogue” and are planning to sell the data for profit. Dell SecureWorks reports cyber criminals are able to sell health insurance credentials for $20 each as compared to getting $1 to $2 for U.S. credit card numbers. Mandiant reported in their 2014 M-Trends report that the Chinese teams had been moving to broader business operations data, not just product plans. This attack may indicate further expansion of that mission.
The big question from healthcare providers is, “How do I protect my data from these teams?” It’s easy to protect against unsophisticated hackers with firewalls and intrusion systems, but these APT teams require more advanced information security practices.
Impact Advisors recommends providers invest in more security intelligence and improved end user training. Monitor your security logs and network endpoints for unusual patterns and respond quickly. These may indicate access by unauthorized or unusual individuals. Next, educate your users on information security practices. Most of these attacks start as email attacks on individuals in the organization.
These APT teams look for one small crack in your security and build on it. Moving from system to system, from unimportant workstations to your main data storage servers, they search for the information that they can use either to gain more access or get the targeted data. You must maintain a careful watch on your information systems for these threats. Follow the motto of the Civil Air Patrol – Semper Vigilans – Always Vigilant.
Infosecurity Magazine , 18 AUG 2014 ,
4.5 Million Records Stolen from Community Health by Chinese Hackers, Tara Seals
InformationWeek – Darkreading, 18 Aug 2014
Community Health Systems Breach Atypical For Chinese Hackers, Sara Peters
SEC Filing from CHS
Yahoo News/Reuters, 24 April 2014
Exclusive: FBI warns healthcare sector vulnerable to cyber attacks, Jim Finkle