Community Health Systems, which runs 206 hospitals in the USA, has disclosed that its IT systems were breached over a three-month period, resulting in hackers gaining unauthorised access to the names, addresses and social security numbers of 4.5 million patients in the US.
Lucas Zaichkowsky, Enterprise Defence Architect at digital forensics and cyber incident response company AccessData, has commented on the potential motivation of the attackers for stealing patient names and addresses, “The hackers could feasibly identify individuals of interest or those who work at organisations of interest and use their personal details to craft convincing spear phishing emails. Another possibility is to simply bolster their overall intelligence by having data rich details on 4.5 million individuals.”
FREE Download: The Security Industry´s Dirty Little Secret
Commenting on the speculation that the CHS hack was carried out by Chinese state actors owing to similarities in the tactics employed as compared to those used in other attacks, Zaichkowsky said, “This is atypical for state-sponsored espionage. One possible motivation might be to gather intelligence on individuals which can be used in future cyber espionage campaigns. Chinese APT attack groups have been known to hoard interesting data while pursuing their intended objectives. It is well known in the intelligence community that healthcare is being heavily targeted by Chinese espionage efforts due to their large, aging population. Healthcare improvement is an objective in their current Five-Year Plan for economic development.”
Zaichkowsky continued, “HIPAA compliance certainly forces organisations to pay more attention to the secure handling of patient data. However, the likelihood of an organisation suffering a data breach is affected more strongly by what the active threat actors are pursuing. If an organisation has data that is sought after by a determined and skilled adversary, they have an extremely high likelihood of being breached, regardless of regulatory compliance requirements. Those organisations need to take security very seriously at the board level and allocate the resources necessary to mature their security operations to deal with real-world threats.”
By Lucas Zaichkowsky, Enterprise Defence Architect, AccessData
About AccessData
AccessData Group makes the world’s most advanced and intuitive incident resolution solutions. AccessData technology delivers real-time insight, analysis, response and resolution of data incidents, including cyber threats, insider threats, mobile and BYOD risk, GRC (Governance Risk & Compliance) and eDiscovery events. Over 130,000 users in corporations, law enforcement, government agencies, and law firms around the world rely on AccessData software to protect them against the risks present in today’s environment of continuous compromise. http://accessdata.com
References:
Computer Weekly, 19th August 2014, “4.5 million patient records exposed in US hospital group hack,” http://www.computerweekly.com/news/2240227011/45-million-patient-records-exposed-in-US-hospital-group-hack?asrc=EM_ERU_32870691&utm_medium=EM&utm_source=ERU&utm_campaign=20140819_ERU%20Transmission%20for%2008/19/2014%20(UserUniverse:%201011042)[email protected]&src=5287808
Wikipedia, “Five year plans of the People’s Republic of China”, http://en.wikipedia.org/wiki/Five-year_plans_of_the_People’s_Republic_of_China#Tenth_Plan_.282001.E2.80.932005.29
Recode, 18th August 2014, “Chinese hackers stole information on 4.5million US hospital patients,” http://recode.net/2014/08/18/chinese-hackers-stole-info-on-4-5-million-u-s-hospital-patients/
USA Today, 18th August 2014 “Community Health Systems hack attacks 4.5million”, http://www.usatoday.com/story/tech/2014/08/18/community-health-systems-hack-attack-45-million/14226421/
Fox Business, 18th August 2014, “China-based hackers steal 4.5million records crom Community Health Systems”,
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.