Published On: Thu, Aug 21st, 2014

US Hospital Hack ‘Exploited Heartbleed Flaw’

The theft of personal data belonging to about 4.5 million healthcare patients earlier this year was made possible because of the Heartbleed bug, according to a leading security expert.

Community Health Systems – the US’s second largest profit-making hospital chain – announced on Monday that its systems had been breached.

The head of TrustedSec – a cybersecurity firm – now alleges that the encryption flaw was exploited.

CHS has yet to respond to the claim.

The Heartbleed bug made headlines in April when Google and Codenomicon – a Finnish security company – revealed a problem with OpenSSL, a cryptographic library used to digitally scramble sensitive data. OpenSSL is used by computer operating systems, email, instant messaging apps and other software products to protect sensitive data – users see a padlock icon in their web browser if it is active.

A fix was made available at the time, and software-makers that used OpenSSL in their products were urged to employ it.

If confirmed, this is the biggest identified breach relating to the bug.

Until now, attacks on the UK’s parenting social network Mumsnet and the Canadian tax authority were the biggest known Heartbleed-related intrusions.

Other examples may have gone undetected since hackers can exploit the problem without leaving a trace of their activity.

Patching Heartbleed

David Kennedy, chief executive of TrustedSec, told the Bloomberg news agency that three people close to the CHS investigation had notified him that Heartbleed had been pinpointed as the vulnerability used to steal names, phone numbers, addresses, and social security numbers from the hospital group’s systems.

He explained the hackers took advantage of the fact that CHS, which is based in Franklin, Tennessee, used products made by Juniper, a firm that makes hardware and software to manage computer networks.

Like many of its competitors, Juniper took several weeks to patch all its affected code after the Heartbleed alert was issued.

“The time between zero-day (the day Heartbleed was released) and patch day (when Juniper issued its patch) is the most critical time for an organisation where monitoring and detection become essential elements of [an] IT security programme,” wrote Mr Kennedy on his company’s blog.

“What we can learn here is that when something as large as Heartbleed occurs (rare) that we need to focus on addressing the security concerns immediately and without delay.”

CHS has indicated that the attacks originated from China and had resulted in the perpetrators obtaining log-in credentials belonging to its employees.

These were then used to steal records, it believes, in April and June this year.

The firm, which runs 206 hospitals in 29 states, is now in the process of notifying affected patients.

CHS has stressed that it believes no medical records or financial information have been transferred as a result of the intrusion.