Arraya Insights | September 4, 2014
It’s every IT decision-maker’s worst nightmare: Thinking a system is sealed up tight, only to have a hacker find a backdoor no one even knew existed. For one healthcare provider, that bad dream became a reality.
Community Health Systems, Inc. (CHS) has admitted it was the victim of a devastating security breach which took place this past April and June. All told, hackers may have made off with the personal information of a staggering 4.5 million patients.
During the attack, which originated in China, hackers nabbed patient names, addresses, birthdates, telephone numbers and social security numbers. If there’s a silver lining to be found, it’s that hackers weren’t able to get their hands on patient credit card details or any medical or clinical information.
Even though the stolen info wasn’t related to medical records, it still falls under the dominion of HIPAA, which could prove very costly for CHS. One estimate by Forbes.com has CHS paying in the neighborhood of $75-150 million to make things right. That figure includes remediation, legal fees, potential HIPAA fines, the cost of providing identity theft protection to affected patients, etc.
How did hackers manage to get into CHS’ systems in the first place? One word: Heartbleed.
The now-infamous vulnerability in the OpenSSL cryptographic software library is thought to have been behind the breach, according to David Kennedy, CEO of information security consulting service provider TrustedSec.
Kennedy’s theory on how the attack went down goes like this:
- Hackers acquired user credentials by exploiting CHS’ networking equipment through the Heartbleed vulnerability
- They used those credentials to log-in to CHS’ network through its VPN
- Once they were in, hackers weaseled their way through the system, before eventually tracking down the patient files.
Heartbleed only came to light in early spring, so considering the dates of the attack on CHS, it seems like hackers didn’t waste much time trying it out. Unfortunately for CHS, that meant it had next-to-no time to prepare its defenses.
But by now most organizations are ready to face Heartbleed head on, right? Not exactly. Research by security firm Venafi showed a staggering 97% of organizations on the Global 2000 List were still at least partially vulnerable to Heartbleed – and potentially a security breach of their own.
And for healthcare providers, the raid on CHS could just be the tip of the iceberg.
The FBI recently warned it’s noticed more malicious activity centering on the healthcare industry in recent weeks. Targeted data included patients’ protected healthcare information and/or personally identifiable information, in addition to organizations’ own intellectual property.
Despite all of the time and energy IT decision-makers in the healthcare field have put into securing themselves against these types of breaches, the FBI has said it might not be enough.
Back in April, the Bureau assessed the healthcare industry’s defenses as lacking, at least when compared to sectors such as financial and retail. As a result, the industry could still make for a more attractive target for cybercriminals.
So what can healthcare providers do to frustrate hackers and keep a tight lid on patient info?
Tops on that list should be strengthening perimeter security to keep hackers as far away from sensitive info as possible. One way to do that? Consider adopting one of the wide range of firewalls and VPN and Endpoint Security clients offered by Cisco.
However, investing in top of the line security solutions alone might not be enough to keep hackers out. Even best of breed solutions can still fall victim to vulnerabilities such as Heartbleed. In order for IT pros to rest assured their organizations’ networks are safe, they must have access to regular server, core network, and perimeter patching. Staying on top of those system updates and changes can be tricky, but that’s where Arraya Solutions’ Manage 365+ can help.
Manage 365+ uses a change management platform to manage and approve service requests, as scheduled maintenance and security updates.
A managed infrastructure solution like Manage 365+ also monitors an organization’s devices for availability, health and performance 24/7, so IT pros will always know where things stand with their technology.
Awareness is also an important part of the security puzzle. Even with enhanced perimeter security, up-to-date hardware and software and enterprise monitoring, business disruptions can still happen. When they do, response time is paramount. Manage 365+ simplifies the process of handling issues from the initial alert that something might be wrong, through the diagnosis of the problem and even down to the resolution.
In case hackers do manage to breach those outer walls and find a way into an organization’s system, strong data encryption is an absolute must. That way even if cyber crooks can swipe patient info, like they did in CHS’ case, they won’t be able to extract any value from it.
That kind of robust data encryption is just one part of Protect 365+, a fast and reliable cloud-based backup option from Arraya Solutions.
Protect 365+ features single step recovery, so files and directories can be restored with just the click of a mouse. It also offers deduplicated data transfer which can make the process of backing up and securing critical files up to 10x faster.
This solution uses 256-bit Advanced Encryption Standard (AES) algorithm for all network communication, which means backup and restore traffic is SSL encrypted. Protect 365+ also supports the Federal Information Processing Standard (FIPS) publication 140-2 for client/server encryption and is fully compliant with the Department of Defense’s data shredding standard, 5220.22-M.
Heavy fines can be only the beginning of the fallout from a data breach in healthcare. There’s also the risk of losing the trust and confidence of patients. In order to avoid all of that, it’s best to have a diverse, proven approach to security like the plans offered by Arraya.
To get started or for more info on these services and the other ways in which Arraya Solutions can help keep data secure and boost efficiency, visit go.arrayasolutions.com/healthcare and be sure to register for our upcoming event, Stories of Success: How IT Decision-makers are Changing the Game in Healthcare, which will take place at Ruth’s Chris Steakhouse in King of Prussia, PA at 4 p.m. on Wednesday, September 24th.