Hackers Steal Data Of 4.5 Million US Hospital Patients
itwbennett (1594911) writes Community Health Systems said the attack occurred in April and June of this year, but it wasn't until July that it determined the theft had taken place. Working with a computer security company, it determined the attack was carried out by a group based in China that used 'highly sophisticated malware' to attack its systems. The hackers got away with patient names, addresses, birthdates, telephone numbers and Social Security numbers of the 4.5 million people who were referred to or received services from doctors affiliated with the company in the last five years. The stolen data did not include patient credit card, medical, or clinical information.
I am looking forward to the UK's NHS databases going live. We are every bit as inept as our American neighbours.
"The stolen data did not include patient credit card, medical, or clinical information."
That seems to be a rather dubious claim.
Get up!
What were such systems doing connected to the public internet?
You reap what you sow. Put a system on the internet that is a big enough target, and it WILL be owned. The safe approach is physical separation coupled with careful local access control to prevent USB-style attacks (though with physical separation it is hard for them to phone home again).
Installed by unsophisticated users?
'Working with a computer security company, it determined the attack was carried out by a group based in China that used 'highly sophisticated malware' to attack its systems.'
..
That would be an MS Office document sent as an email attachment.
I sure hope the hackers comply with HIPAA. They sure will be in a lot of trouble if they don't.
Well, your DIY lobotomy didn't turn out so well.
Table-ized A.I.
"They used sophisticated malware!"
What a joke. And let me guess, they're offering free credit monitoring for up to a year! It's completely inexcusable that they waited over a month to report this. I hate to see the feds get involved in anything, but this is getting ridiculous. These incidents should result in fines in the tens of millions, minimum. Then they'd take security seriously. Most serious security efforts aren't even all that expensive. It's getting all the people and systems in compliance that's the issue.
We have had a huge amount of government regulation in place for years. This must be lies or a simple misunderstanding.
Scuse me, I think I dropped my sarcasm tag.
The resulting lawsuit paid out great! Good bliss 'merica!
The hospital still has the records right? There is no missing property, right?
with the story about 'doctor visits' over Skype, and how many posters were railing against how they were afraid of eavesdropping/decrypting of their Skype conversations. Where are they now! :D
You should have seen him before the lobotomy.
Faster! Faster! Faster would be better!
This isn't a problem specific to the medical arena, but a larger problem nobody wants to face up to.
We need to change the way we design and implement software and technology in general. It is utterly ridiculous that the same systems we're using to play games on are utilized for storing sensitive information. While it makes sense that much of the code can be used in both places, it doesn't mean it always should be, particularly when it wasn't intended for highly secure environments.
Certainly there should be multiple experts designing systems, reviewing code, and prioritizing security above all else, with regular third-party audits along the way. This includes at the hardware level. There is no good reason we shouldn't design and manufacture some hardware within the United States utilizing people with security clearances. Nor is there an excuse for not having designed secure interfaces (i.e. USB sucks from a security perspective, at least in that you can't trust random hardware). There is no good reason every device should be dependent on proprietary firmware. Any firmware that exists should be open, audited, and written from the ground up with security in mind. The BIOS and other components should be no exception. Every piece of firmware should have write-protection too. There shouldn't ever be a place where malicious software can hide in the event that the OS needs to be wiped clean (due to potential security threats).
USB devices are a security risk period. Any device which a facility connects should come with a chain of evidence from the manufacturing plant to the warehouse to the medical facility itself. Anything short of this is negligence when you have so much data in one place and readily accessible.
You can't allow users to connect ANY USB device themselves (like a USB flash drive). Such devices can be manipulated and are by their very nature untrustworthy.
Their ISP would be more than happy to set up each hospital and office building with a "dedicated virtual circuit", which is basically a VPN handled and enforced by the ISP using their carrier-grade equipment. The ISP will ensure that the black network can't access the internet (and the internet can't access the black network). One thing ISPs can do pretty well is take AWAY your internet access. All systems with confidential data are connected only to the black network, which interconnects the various locations.
You do NOT need each workstation to have general internet access in order to connect them to your (virtual) WAN.
Additionally, the various workstations shouldn't have access to social security numbers anyway, even via the local network. Unless you're the social security administration or the IRS, you probably shouldn't be storing social security numbers. If some specific legacy system really has to have social security numbers, isolate that system behind a one-way trapdoor. It shouldn't have general internet accessibility.
"..ICE patterns formed and reformed on the screen as he probed for gaps, skirted the most obvious traps, and mapped the route he'd take through Sense/Net's ICE. It was good ICE. Wonderful ICE... ...His program had reached the fifth gate. He watched as his icebreaker strobed and shifted in front of him, only faintly aware of his hands playing across the deck, making minor adjustments. Translucent planes of color shuffled like a trick deck. Take a card, he thought, any card.
The gate blurred past. He laughed. The Sense/Net ice had accepted his entry as a routine transfer from the consortium's Los Angeles complex. He was inside. Behind him, viral subprograms peeled off, meshing with the gate's code fabric, ready to deflect the real Los Angeles data when it arrived."
William Gibson
Ha ha ha, I haven't been to the doctor in over 5 years. Joke's on you, bitches. Technically I worked at a hospital though.
Incompetent malpracticing assholes.
Umm, so you think that the hospital's IT team is composed of doctors?
Disclosure: I'm a professional Penetration Tester
We find plenty of this sort of setup at our customers. Customers set up VPNs, have a password policy and a virus scanner. They have firewalls and keep user policies restricted. Then we come along and we trojan someone, or find a weak WiFi password, or whatever we use to get a foothold inside their network; all it takes is one little mistake and we're "in". Once we get there, we log keyboards, get password hashes from the network or system memory and start to pivot all over the place. Usually, our software will trigger virus alerts, but staff don't react to those "in a timely fashion" and we get to keep going even though alarms are going off on several computers. We could cloak our malware, and sometimes we do, but usually it's too much trouble; we get domain admin passwords within a few days and rule the network in such a way that admins wouldn't be able to get rid of us if we rootkitted and backdoored properly.
It takes more than some policies and a VPN these days. You need IDS, proper procedures, layered security and skilled, motivated staff that know how to deal with security incidents. You need properly trained and aware users that aren't afraid to admit they messed up and that have no problem reporting others doing wrong either. Don't trust in a single technical measure, but implement them all and make sure you test and train on a regular basis. Get a data classification policy and protect data according to that policy. That means that stuff like SSNs and anything that can be used for identity theft should get extra layers of protection and alerting implemented. If you don't do all this, a serious intruder will usually get what they want.
I was promised a flying car. Where is my flying car?
Having thought about this issue for a while, my conclusion is that many of these risks could be nearly eliminated if these systems only stored "non-identifiable" information and left the identifiable stuff to paper.
This ought to work pretty well since the times we need to access identifiable information are pretty rare. Everyday medical processes don't need things like your exact date of birth, your SS# or even your address. They need a unique identifier to tie all of your medical records together but that identifying stuff tends to be write-only.
I propose that identifiable information be committed to paper files and then indexed by a "health id", so that the 1 in 100 times that they need your phone number, they can walk over to the filing cabinet and pull out the piece of paper with your phone number on it.
I'm not saying a "paper firewall" is perfect; it absolutely will be less convenient, but not burdensomely so if we design the system intelligently. Meanwhile, what we have now ain't working all that great either. Stealing a filing cabinet is 1000x harder than copying some data across the net from the other side of the planet.
Before? You mean her.
They SQL-injected Healthcare.gov and received a dump of everything that hasn't been purged out of the system since the last purge.
Chas - The one, the only.
THANK GOD!!!
http://www.chs.net/careers/job-opportunities/career-opportunities/corporate-office-opportunities/
Wonder how many people were fired over this. Didn't see any manager positions, so the peons most likely took the fall instead.
Joe Biden is a square shooter. Joe Biden for 2016.
Here's the list of Community Health Systems locations in case you've been to the hospital recently. Fortunately they don't have any in our area.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
There was no theft. It is not stolen if you still have it.
In 'geek speak':
mv is theft.
cp is not.
You might as well say a photograph steals your soul. :-)
Given that the hospital's information is shared with all sorts of insurers, coding and transcription services, government agencies, services that comb the records looking for more insurance claims or more profitable claims, and so on, I have to say that these guys came really late to the party.
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
Disclaimer... I worked at CHS for a few years in the engineering department... there was a separate department responsible for security and theoretically they were the ones responsible for making sure that everyone was following proper security standards...
...but the catch is that they really weren't. The organization regularly used open shares because that's what the "applications" required. One app in particular was called ProMED. During the time I was there, this app was loaded in almost every Emergency Department. The way it worked was that the ProMED server (a physical Windows server housed inside the hospital) had a 100% open share (everyone read/write/modify). The computers around the ER would then be logged into by users and the entire application would copy to the workstations and then write logs and other crap directly back to the open share. The actual patient data was written to the server using an app-specific user/pass for each user, so the user still had to authenticate to get into ProMED. To make things even worse, the ProMED server service accounts used the same password in all of the hospitals and were set to auto-login, because that was the only way that the application would launch. If you RDP'ed into one of the servers as your own account, it would hose that hospital's ER workstations because the application would kill itself and then relaunch using your own credentials........ what? Further, since they were using open shares (that we in engineering constantly told them were bad), they had problems for YEARS with worms spreading. What were we told when we told them that they couldn't have open shares? That this was the software we were going to use and that there was nothing we could do about the open shares since the vendor wouldn't support their software in any other configuration.
Shall we dig deeper? Sure!
Workers at CHS are so underpaid that it doesn't shock me at all that no one gave a shit. I know that I didn't when I was there. I gave my 40 hours every week and got out. The good ole boy system is alive and well at CHS. There was an official procedure to do everything, which DID entail including someone from the TAVM and security teams to evaluate new hospital apps, but if whoever the app owner was was connected well enough, they could implement whatever they wanted.... a complete end-around of any red tape.
I haven't heard from any of my friends that still work there, so I don't know which applications were actually hacked. My bet is that the 4.5 million is an overstatement. CHS isn't cohesive enough to have all the same apps deployed in all of their hospitals... most apps only had about 20-25% penetration of their hospitals. ProMED is the only one that I'm aware of that was actually deployed that widespread. They were also working on using the Cerner suite of apps to replace several of the other apps, like HPF and Meditech... they were actually talking about using it to replace ProMED at one point. I'm unsure what the newly acquired HMA hospitals were using. Last year, CHS purchased 80 or so hospitals from a company called HMA, based out of Florida.
What you say is true, but it's funny in a way that reminds me of something I'd do.
Ac: They shouldn't be connected to the internet.
-> Sarten-X: They need to be connected to the internet in order to be connected to each other.
-> raymorris: They can be connected to each other without being connected to the internet.
-> dutchwhizzman: Paragraphs of unrelated commentary
http://www.chs.net/serving-communities/locations/
Here is a list of all the hospitals that fall under their service.
First, SSNs themselves should not be "stored" in any database. They should be used dynamically for initial patient validation and stored as a salted hash. For that matter, you can do the same with DOB and other key identifiers that are not required for anything but for validation. Use an internal patient number as index for everything else. Second, use MAC (Mandatory Access Controls) for any app or microservice attempting to access specific portions of data. Any unauthorized attempt to access a record should be logged, and if you really want to catch the bad guys, do a transparent session forward to a honeypot with a fake database. Third, use 2 factor authentication for any remote access to the data. Fourth, all internal systems should run virtualized and accessed over VDI, no data on laptops, ever. Is it really that hard?
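A sketch of the first two points above (SSN and DOB kept only as salted, slow hashes used for validation, everything else indexed by an internal patient number, with a mandatory access check and an audit log of every attempt) that also stands in for the "health id" indirection of the earlier paper-firewall post. This is an added example, not code from the thread or from any of the systems named in it; the pepper, the scrypt parameters, the role names and the sample identifiers are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumption: the pepper is provisioned from a KMS/HSM at start-up and never
# stored beside the records. Constructed value for this offline demo only.
# It matters because an SSN has at most 10^9 values, so a salted hash alone is
# brute-forceable offline if the database leaks on its own.
PEPPER = b"constructed-demo-pepper-do-not-use"


def normalize(value: str) -> str:
    """Strip dashes/spaces so '078-05-1120' and '078051120' hash identically."""
    return "".join(ch for ch in value if ch.isalnum()).upper()


def hash_identifier(value: str, salt: bytes) -> bytes:
    # scrypt is memory-hard and slow; per-record salt plus the pepper defeats
    # rainbow tables and offline guessing of the small SSN/DOB value space.
    return hashlib.scrypt(normalize(value).encode(), salt=salt + PEPPER,
                          n=2 ** 14, r=8, p=1, dklen=32)


@dataclass(frozen=True)
class PatientRecord:
    patient_id: str      # internal index; the only key other systems ever see
    ssn_salt: bytes
    ssn_hash: bytes
    dob_salt: bytes
    dob_hash: bytes


class PatientDirectory:
    """Validation-only store: identifiers go in, only salted hashes stay."""

    def __init__(self) -> None:
        self._records: dict[str, PatientRecord] = {}
        self.audit_log: list[str] = []

    def enroll(self, ssn: str, dob: str) -> str:
        patient_id = secrets.token_hex(8)
        ssn_salt, dob_salt = secrets.token_bytes(16), secrets.token_bytes(16)
        self._records[patient_id] = PatientRecord(
            patient_id, ssn_salt, hash_identifier(ssn, ssn_salt),
            dob_salt, hash_identifier(dob, dob_salt))
        return patient_id

    def validate(self, patient_id: str, ssn: str, dob: str,
                 actor: str, role: str) -> bool:
        # Mandatory access control: only the registration role may validate,
        # and every attempt, allowed or denied, is written to the audit log.
        if role != "registration":
            self.audit_log.append(f"DENY actor={actor} role={role} patient={patient_id}")
            return False
        rec = self._records.get(patient_id)
        if rec is None:
            self.audit_log.append(f"MISS actor={actor} patient={patient_id}")
            return False
        ok = (hmac.compare_digest(hash_identifier(ssn, rec.ssn_salt), rec.ssn_hash)
              and hmac.compare_digest(hash_identifier(dob, rec.dob_salt), rec.dob_hash))
        self.audit_log.append(f"{'OK' if ok else 'FAIL'} actor={actor} patient={patient_id}")
        return ok

    def plaintext_present(self, value: str) -> bool:
        """Leaked-database check: does any stored field contain the raw value?"""
        needle = normalize(value).encode()
        return any(needle in f for rec in self._records.values()
                   for f in (rec.ssn_salt, rec.ssn_hash, rec.dob_salt, rec.dob_hash))
```

The `DENY` and `FAIL` lines in `audit_log` are the hook for the alerting the post asks for; a real deployment would ship them to a SIEM rather than keep them in memory.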
Our gov't allowed SSNs to be used in all sorts of capacities since, I think the 1980's. I still have my SSN card which says "Not for Identification" - yeah...that old...issued in the 60's. Congress changed the rules and put us all in jeopardy by allowing SSNs to be used as a personal identifier.
How pervasive is it?
Want to write a letter to a military service member? Well, don't forget to add their SSN to the address. The military now uses the SSN as the service number... it's printed on the envelope of every letter to every military member.
Are you a student? It's likely your student identification number.
Shopping at the grocery store? Just you wait for them to ask for it...it's coming.
Hospitals do need the SSN because they become creditors and may need to supply information for disability and death claims. But, why is it needed as a patient identifier? Billing should be separate from patient records.
What we really need is something like OAuth access to our record (which should be encrypted). Granting access to this data should also require 2-factor authentication at the very least. The encryption keys should be kept in another secure system requiring extreme protocols to obtain a single one.
Who should maintain the patient id and records databases? Who should maintain the keys to access the encrypted data? Not sure. But, whoever figures it out and implements it is going to make a fortune.
It's either insecure systems or human error, or a combination of both, that allowed this breach in my opinion. Why oh why do most (not all) IT companies use the lowest common denominator or put things in for "ease of use" instead of "security"? Folks need to start standing up to these sociopaths (the non-technical people in control) and set things up like they should be: SECURE.
They should be using locked down, secure systems (IBM Mainframes with security systems on top?) and two factor authentication. Does it make it a bit harder for the mouth breathers to log in? Perhaps. But I'd take that over these constant breaches we seem to be having. Fine the companies into the ground to the point that they have to go out of business (or have another company perhaps take them over so the actual healthcare WORKERS (not CEOs and other overpaid folks) keep their jobs).
Perhaps I'm rambling a bit but I hope you get my point.
Cheers,
Miser
Just another boogie man to add to the list when the current terrorist hysteria doesn't work anymore. We need to lock down the nation so those Chinese hackers can't steal your computer souls. Forget the fact that some idiot let the computers get infected with malware in the first place...
How do you know it was Chinese, just because it came from an IP originating in China?
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
Maybe not composed of, but very often run by doctors. "Hey i wrote some perl scripts in college so I know all there is to know about IT" says Mr/Ms CMIO.
China is America's no. 1 enemy.
Economic and military war are on the horizon.
How is it possible for those storing so much private data to have such weak security? Where is the responsibility for protecting this data?
Sadly, we live in a world where privacy and security have been given up by most, and those that try to protect their personal data are treated as paranoid. Governments are moving closer to criminalising the use of encryption to protect data because it inconveniences their own spying efforts. Smartphone apps full of adware and spyware have become generally accepted, even though both would have been detected by antivirus software not that long ago. The new generation of IT professionals seem to have been caught up in this relaxed approach to data security.
Cybercrime is a massive growth industry, through selling stolen data, ransomware, identity theft, fraud, etc. The bottom line is that you should not really trust anyone with your personal data.
If only they had used a platform like Storj.io to secure their data using decentralized cloud storage and security. Perhaps in the coming years people will wake up and pull their heads out of the dirt and realize how decentralized applications will take over the major corporations and put all powers freely into the individual's hands. If you find a way to kill and completely eradicate all ants on the planet then you might be able to figure out a way to get rid of decentralization, like torrents, bitcoin, storj.io, but much like the resilience of ants, so too will decentralization of all apps take over the major corporations like Google, Facebook, Amazon, etc. The kingdoms are crumbling down into a better frame of the world :) Be excited, for it is almost here... within months, not even years..