PREVENTATIVE CARE: Banks have to carefully check all computing devices connected to their networks for vulnerability to Heartbleed and redouble efforts to monitor customer accounts for signs of fraud.

Breach at Hospital Chain Shows Heartbleed's Danger to Banks


Heartbleed has resurfaced, and it's likely to give bankers another case of heartburn.

The high-profile OpenSSL vulnerability with the cool logo that made headlines this spring has led to a major data breach. Researchers have confirmed that the hackers who stole 4.5 million patient records from Community Health Systems of Franklin, Tenn., got into the company's network by exploiting Heartbleed on a network device at the company's perimeter.

This matters to banks in two ways. First, the stolen records include everything needed for identity theft (customer names, addresses, birth dates, telephone numbers and Social Security numbers) and thus could be used for financial fraud across the country. Second, it illustrates the danger Heartbleed still presents to financial institutions: patched on public websites, it lingers unnoticed on network devices in most companies.

The case is a warning sign for banks to carefully check all computing devices connected to their networks for vulnerability to Heartbleed and to renew their diligence in monitoring customer accounts for signs of fraud.

Community Health Systems runs a network of 206 hospitals and hundreds of satellite doctors' offices across 29 states. The breach at the company is potentially worse than the one at Target Stores that compromised 110 million customer account records last year, according to John Zurawski, vice president of security software company Authentify.

"Target lost credit card information, but Community Health has lost Social Security numbers, addresses, birth dates, phone numbers: everything a fraudster needs to capitalize on the individual's credit rating and more," he said. "Hackers are patient and they are persistent."

Personal information on 4.5 million people could be of tremendous value to cybercriminals, agreed Sam Visner, senior vice president and general manager at ICF International, a security consulting firm in Washington. "Cybercriminals could make a lot of money from that information conceivably, and why would they not attempt to?"

Other security experts are less alarmed about the fraud implications of the breach, pointing to investigators' belief that the attack likely originated in China.

"There has not been any recent indication that Chinese hackers are actively targeting [personally identifiable information] for resale through underground forums, which actually makes this event pretty unique," said Al Pascual, practice leader for fraud and security at Javelin Strategy & Research. Chinese hackers typically attack U.S. organizations in support of Chinese government and business initiatives, he said.

How It Happened

Heartbleed (CVE-2014-0160) is a coding mistake in OpenSSL, the free cryptographic library that many web servers and network appliances use to secure connections with other computers. In the affected versions (OpenSSL 1.0.1 through 1.0.1f), the TLS "heartbeat" extension, a keep-alive feature in which one side sends a small payload and the other side echoes it back, fails to check that the payload length the sender claims matches the data that actually arrived. A peer can claim a payload of up to 64 kilobytes while sending almost nothing, and the server replies with that many bytes of whatever happens to sit next to the request in its own memory. Each request leaks up to 64 kilobytes, the request can be repeated indefinitely and leaves no trace in ordinary logs, and the leaked memory can contain session cookies, user credentials or even the server's private key.

In the wake of the Heartbleed disclosure this spring, it turned out that most banks were not running a vulnerable version of OpenSSL on their public websites. But like most companies, they tend to have network-connected devices (VPN gateways, firewalls, load balancers, management interfaces) that embed their own copy of OpenSSL, and those copies get patched on the vendor's schedule rather than the bank's.

According to a blog post by security consulting firm TrustedSec, the attackers exploited Heartbleed against a Juniper networking device and pulled user credentials out of the device's memory. They then used those credentials to log in to the company's network through its virtual private network and moved laterally until they found the large database from which they stole the 4.5 million patient records.
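The missing length check described above, and the way credentials sitting next to a request in memory end up in the response, as an added example that is not code from this page, from OpenSSL or from TrustedSec's write-up: a C model of the heartbeat handler. A constructed "process memory" buffer holds the incoming record followed by a secret, and the pre-fix logic is shown beside the post-fix logic. The record layout, buffer sizes and the secret string are assumptions made for the demonstration; the handler structure (read the type, read the 16-bit length, memcpy the payload) follows the real code but is simplified.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message types (RFC 6520). */
#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_MIN_PADDING   16

/* Constructed "process memory" for the demo: the received heartbeat record is laid
 * down at the start of this buffer and a secret that must never leave the process
 * is placed right after it, the way adjacent heap allocations sit in a real server. */
static unsigned char memory[4096];

/* Lay out a heartbeat request whose 16-bit length field claims claimed_len bytes
 * but actually carries actual_len bytes of payload, then padding, then the secret.
 * Returns the real length of the record as it arrived on the wire. */
size_t build_request(uint16_t claimed_len, size_t actual_len, const char *secret) {
    memset(memory, 0, sizeof memory);
    memory[0] = TLS1_HB_REQUEST;
    memory[1] = (unsigned char)(claimed_len >> 8);
    memory[2] = (unsigned char)(claimed_len & 0xff);
    memset(memory + 3, 'A', actual_len);
    size_t record_len = 3 + actual_len + HB_MIN_PADDING;
    memcpy(memory + record_len, secret, strlen(secret));
    return record_len;
}

typedef int (*hb_handler)(const unsigned char *, size_t, unsigned char *, size_t);

/* Pre-fix handler: trusts the peer's length field and never compares it with the
 * real record length, so memcpy reads past the record into adjacent memory.
 * Returns the number of payload bytes echoed, or -1 if the request is refused. */
int process_heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                 unsigned char *out, size_t out_cap) {
    (void)rec_len;                                   /* ignored, as in the bug */
    unsigned char type = rec[0];
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (type != TLS1_HB_REQUEST) return -1;
    if ((size_t)payload + 3 > out_cap) return -1;    /* keeps the demo itself in bounds */
    out[0] = TLS1_HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);               /* the over-read happens here */
    return payload;
}

/* Post-fix handler (the check added in OpenSSL 1.0.1g): silently discard any
 * request whose claimed payload plus header and minimum padding exceeds what
 * actually arrived. */
int process_heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_MIN_PADDING) return -1;
    unsigned char type = rec[0];
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (type != TLS1_HB_REQUEST) return -1;
    if (1 + 2 + (size_t)payload + HB_MIN_PADDING > rec_len) return -1;  /* the fix */
    if ((size_t)payload + 3 > out_cap) return -1;
    out[0] = TLS1_HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    return payload;
}

/* Portable substring search over a byte buffer (memmem is not standard C). */
static int contains(const unsigned char *buf, size_t len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0) return 1;
    return 0;
}

/* Send a request that claims 200 bytes but carries 4 to the given handler and
 * report whether the echoed payload contained the secret (1) or not (0). */
int secret_leaks(hb_handler handler) {
    static const char secret[] = "session=0123456789abcdef";  /* constructed value */
    unsigned char out[1024];
    memset(out, 0, sizeof out);
    size_t rec_len = build_request(200, 4, secret);
    int n = handler(memory, rec_len, out, sizeof out);
    if (n < 0) return 0;
    return contains(out + 3, (size_t)n, secret);
}

/* A well-formed request (claimed length equals the payload) must still be
 * answered after the fix; returns the number of bytes echoed. */
int well_formed_echo_len(hb_handler handler) {
    unsigned char out[64];
    size_t rec_len = build_request(4, 4, "");
    return handler(memory, rec_len, out, sizeof out);
}

int main(void) {
    printf("vulnerable handler leaks secret: %s\n",
           secret_leaks(process_heartbeat_vulnerable) ? "yes" : "no");
    printf("fixed handler leaks secret:      %s\n",
           secret_leaks(process_heartbeat_fixed) ? "yes" : "no");
    return 0;
}
```

The point to take from the two handlers is that the fix is a single comparison between the length the peer claims and the length the server actually received; nothing about the request is malformed at the TLS record layer, which is why the attack is invisible to a device that is not specifically inspecting heartbeat lengths, and why a VPN concentrator holding live credentials in memory is such a rich target.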

"The Community Health Systems breach is just the latest indication that companies are not adequately protecting the information of the consumers they serve," said Rick Dakin, CEO and chief security strategist at Coalfire, an IT audit and compliance firm based in Denver. "According to media reports, Chinese hackers were still stealing records in June, even though the Heartbleed bug that gave them a way in had been reported in April. It's time for companies to step up their games to protect their consumers. And it's time for consumers to demand that companies protect the information that they've shared."

Some observers speculate prior mergers weakened Community Health Systems' ability to seal itself from Heartbleed.

"I imagine this organization grew by acquisition and a very heterogeneous technology base spans those hospitals and states," said Zurawski. "The number of access points is potentially very large and it would not be surprising if many were protected by only user names and passwords."

Community Health Systems did not immediately respond to a request for comment.

This same merger security risk applies to banks, Visner pointed out.

"If I've acquired another bank, have I checked on the cybersecurity of the organization I'm acquiring? Otherwise I might be connecting my house to a house that's already rotten with termites," he said. "That's becoming a problem."

What Is to Be Done?

The first thing banks should do in the wake of the Community Health Systems breach is fully address the Heartbleed vulnerability, Dakin said.

"Most organizations made a light review of the vulnerability and then declared themselves 'good,'" he said. They quickly remediated risks on their client-facing applications.

However, banks also need to make an extensive review of the embedded OpenSSL builds inside the network appliances that device manufacturers ship to enable remote access, he pointed out.
