What the Community Health Systems breach can teach your organization

Inside the CHS breach

Security and compliance are complementary but not identical objectives.

The initial reports of the breach that came from CHS executives contained little information about the methods employed by the attackers. The Data Breach Notice CHS issued on Aug. 19, 2014, stated that it believed the attack against the organization's subsidiary, Community Health Systems Professional Services Corporation (CHSPSC), was of foreign origin:

"CHSPSC believes the attacker was an 'Advanced Persistent Threat' group originating from China, which used highly sophisticated malware technology to attack CHSPSC's systems. The intruder was able to bypass the company's security measures and successfully copy and transfer some data existing on CHSPSC's systems."

The generic statements made about the attack's origin and techniques is typical of corporate press releases and doesn't provide much information to security professionals seeking to learn from the breach. Later that day, however, security consultancy TrustedSec released a report based on confidential sources that stated the attack leveraged the Heartbleed vulnerability to gain credentials to a Juniper Networks device. Attackers used these credentials to access the CHSPSC virtual private network (VPN) and, from that entry point, gained access to a database containing personal information on patients.

Lessons learned

Was the CHS breach a HIPAA violation? That remains to be seen. The language in CHS' press releases carefully stated that no "medical or clinical" information was stolen. The plaintiffs in a class action lawsuit against CHS clearly disagree, alleging the company did indeed violate HIPAA. While the courts will need to decide this question, security and compliance managers should study this breach carefully and take away a few lessons to improve their own compliance programs.

First and foremost, patching systems with known vulnerabilities is absolutely critical and should be high on the priority list of any security group, particularly those that deal with highly sensitive information, such as patient records. Juniper released patches for the highly publicized Heartbleed vulnerability within days of its discovery. Media coverage prompted security professionals around the world to scramble to quickly apply patches before attackers struck. While HIPAA does not set out a specific patch timeliness requirement for covered entities, most security professionals would agree that CHS was not acting in a sufficiently prompt manner if it failed to apply the Juniper patches (CHS has not commented on whether its systems were patched or not during the time of the intrusions). This underscores the importance of implementing a consistent patch management strategy across systems and locations.

Second, the rise of the Internet of Things is making both securing systems and complying with HIPAA's security rule more complex tasks. The modern hospital contains an increasing number of networked devices, ranging from medication infusion pumps to in-room entertainment systems. Security professionals must ensure that networks throughout the hospital properly segment sensitive and non-sensitive traffic. Each device connected to the network must also be seen as a potential entry point for an attacker and run a supported operating system that is patched regularly when security vulnerabilities arise.

Finally, security and compliance teams must work together to build and maintain a robust information security program. Security and compliance are complementary, but not identical objectives. While compliance professionals may be focused on box-checking activities designed to demonstrate adherence to HIPAA for auditors, security professionals must ensure that common sense prevails and compliance activities bolster security efforts. In cases where the two seem to conflict, security should prevail. Leaders should foster a sense of cooperation between these groups by facilitating regular conversations that help strike a balance between business needs and security and compliance requirements.

Conclusion

The CHS breach is an unfortunate example of the type of event that can occur when devices and infrastructure are hit with critical security vulnerabilities. Healthcare organizations around the world should take note of this attack and ensure that their own patch management programs provide an adequate level of protection, paying particular attention to the prompt application of critical security patches to Internet-exposed devices.

About the author:
Mike Chapple, Ph.D., CISA, CISSP, is senior director for IT service delivery at the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity, and serves as its resident expert on enterprise compliance, frameworks and standards for its Ask the Experts panel. He previously served as a site expert on network security, and is a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and the Security+ Training Kit.