It has recently come to light that the Tennessee-based Community Health Systems (CHS) Inc. – which runs 206 hospitals across 29 states – has suffered a cybersecurity breach sometime between April and June 2014, resulting in the theft of 4.5 million patients’ names, birthdates, Social Security numbers, and telephone numbers, essentially enough information to commit identity theft. Security experts, who eventually attributed the data leak to vulnerabilities related to the Heartbleed bug, continue to clamor that the healthcare industry is not doing enough to protect its assets and that the bug is not exclusive to web servers; medical devices are also at risk.
A post-breach investigation revealed that the attack originated from an “advanced persistent threat” group based outside the US.
How did the attack occur? Anonymous sources close to the CHS investigation have reportedly informed the security firm TrustedSec that the hackers gained access to the network by exploiting a device manufactured by Juniper Networks Inc. that had not yet been updated to patch the Heartbleed loophole. Once access to CHS’ network was granted, malware was installed to gather user credentials stored on the memory of the Juniper device and login into the VPN.
Mike Ahmadi, global director of Codenomicon, the cybersecurity firm that first spotted the Heartbleed bug, claims that while the initial outcry sparked a strong response, companies became complacent after realizing they hadn’t yet been hacked. In fact, it’s estimated that 70% of systems and devices vulnerable to the bug continue to remain vulnerable, CHS was no exception.
“Time tends to falsely convince decision makers that if they have not yet been compromised, they are probably okay, and do not need to invest resources on fixing the problem anymore…even though the exact opposite is true,” adds Ahmadi. “As much as everyone seems to love using risk management to make decisions, the truth is that people are just not very good at quantifying cybersecurity risks.”
At this point in time, CHS is confident that all traces of the malware have been removed and the necessary precautions to prevent similar breaches in the future have been adopted. Additionally, all the affected parties have been notified and are being offered identity theft protection services.
Nonetheless, one of the primary misunderstandings of the Heartbleed bug in the healthcare sector is that only websites and web servers are affected, when in truth, anything with an unpatched version of OpenSSL/TLS installed on it is susceptible, including medical devices, medical systems, MRI machines, and any handheld device latched on to the healthcare network. The issues stemming from medical device security are further compounded when taking in account that medical devices cannot be patched as easily as servers because they must work at all times to take care of patients.
The entire CHS fiasco could have been avoided had controls pre-emptively been in place. When something of the magnitude of Heartbleed occurs, it’s advisable that anything running a communication stack be verified in order to address the security concern as soon as possible. The bug had been discovered in early April, yet CHS’ data was stolen over the course of the three months since then.
However, it’s worth pointing out that gaining access through the Heartbleed bug does not necessarily compromise every ounce of data. This factor depends entirely on whether or not the data was encrypted during its point of measurement, or when it was first obtained from the medical device. If the data is encrypted at this stage, and then transmitted into/out of the cloud, hackers will not be able to read it even if they gained access to it through Heartbleed or other exploits.
Secure microcontrollers that have encryption capabilities are able to provide patient data confidentially, encrypting data directly from the source to protect patient and/or financial data through the entire enterprise. Maxim Integrated’s line of medical microcontroller and secure microcontrollers, including its WASP/MAX32600 low-power microcontroller, protect data assets amidst breaches. If there’s one that the Heartbleed bug and subsequent Shellshock bug have demonstrated it’s that breaches are inevitable. The best thing that design engineers can do is minimize vulnerabilities and encrypt data. Visit Maxim Integrated’s secure microcontroller page to discover the most appropriate solution.
Learn more about Maxim Integrated