Breach at Hospital Chain Shows Heartbleed's Danger to Banks

Heartbleed has resurfaced, and it's likely to give bankers another case of heartburn.

The high-profile OpenSSL vulnerability with the cool logo that made headlines this spring has led to a major data breach. Researchers have confirmed that the hackers who stole 4.5 million patient records from Community Health Systems of Franklin, Tenn., got into the company's network through a network device that was still vulnerable to Heartbleed.

This matters to banks in two ways: One, the stolen records include everything needed for identity theft — customer names, addresses, birth dates, and telephone and Social Security numbers — and thus could be used for financial fraud across the country. Two, it illustrates the danger Heartbleed still presents to financial institutions as it lingers unnoticed on network devices in most companies.

The case is a warning sign for banks to carefully check all computing devices connected to their networks for vulnerability to Heartbleed and to renew their diligence in monitoring customer accounts for signs of fraud.

Community Health Systems runs a network of 206 hospitals and hundreds of satellite doctors' offices across 29 states. The breach at the company is potentially worse than the one at Target Stores that compromised 110 million customer account records last year, according to John Zurawski, vice president of security software company Authentify.

"Target lost credit card information, but Community Health has lost Social Security numbers, addresses, birth dates, phone numbers — everything a fraudster needs to capitalize on the individual's credit rating and more," he said. "Hackers are patient and they are persistent."

Personal information on 4.5 million people could be of tremendous value to cybercriminals, agreed Sam Visner, senior vice president and general manager at ICF International, a security consulting firm in Washington. "Cybercriminals could make a lot of money from that information conceivably, and why would they not attempt to?"

Other security experts are less alarmed about the fraud implications of the breach, pointing to investigators' belief that the attack likely originated in China.

"There has not been any recent indication that Chinese hackers are actively targeting [personally identifiable information] for resale through underground forums, which actually makes this event pretty unique," said Al Pascual, practice leader for fraud and security at Javelin Strategy & Research. Chinese hackers typically attack U.S. organizations in support of Chinese government and business initiatives, he said.

How It Happened

Heartbleed is a coding mistake in OpenSSL, a free and widely used software library that web servers, and a great many other programs and devices, rely on to encrypt their connections. In the affected versions (OpenSSL 1.0.1 through 1.0.1f), a component called the "heartbeat," so named because it sends a small keep-alive message to confirm that the other end of a connection is still there, fails to check that the amount of data a peer claims to have sent matches what it actually sent. A crafted heartbeat request therefore makes the server answer with up to 64 kilobytes of whatever happens to be in its memory at that moment, and because the request can be repeated at will, an attacker can keep harvesting memory until something valuable turns up: session cookies, user names and passwords, or even the server's private key. The fix, released in April 2014 as OpenSSL 1.0.1g, simply discards any heartbeat request whose claimed length exceeds the data actually received.
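To make the bounds-check failure concrete, here is a miniature heartbeat handler in Python, written for this article rather than taken from OpenSSL. The record layout follows RFC 6520 as OpenSSL handled it (a one-byte type, a two-byte payload length, the payload, then at least 16 bytes of padding). The "memory" is a constructed bytearray standing in for the server's heap, and the secret placed immediately after the record is a made-up value, standing in for the credentials that sat next to heartbeat buffers on the breached devices.

```python
"""Heartbleed in miniature: a heartbeat handler that trusts the length field,
beside the bounds-checked version that OpenSSL 1.0.1g introduced.

Added example, not OpenSSL's code. 'Memory' is a constructed bytearray, and
SECRET is a hypothetical value placed right after the received record.
"""
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16
# Hypothetical secret living just past the received record in the 'heap'.
SECRET = b"vpnuser=admin;pass=Hunter2!"


def build_record(payload: bytes, claimed_len: int) -> bytes:
    """Heartbeat request whose header claims claimed_len payload bytes, whatever it carries."""
    return bytes([HB_REQUEST]) + struct.pack("!H", claimed_len) + payload + b"\x00" * PADDING


def make_memory(record: bytes) -> bytearray:
    """Constructed arena: the record buffer followed by adjacent 'heap' contents."""
    return bytearray(record) + bytearray(SECRET)


def _respond(claimed_len: int, payload: bytes) -> bytes:
    return bytes([HB_RESPONSE]) + struct.pack("!H", claimed_len) + payload + b"\x00" * PADDING


def handle_vulnerable(memory: bytearray, record_len: int) -> bytes:
    """OpenSSL 1.0.1 through 1.0.1f: copies claimed_len bytes from the payload start."""
    hbtype = memory[0]
    claimed_len = struct.unpack("!H", memory[1:3])[0]
    if hbtype != HB_REQUEST:
        return b""
    # Bug: claimed_len is never compared with record_len, so the copy runs past
    # the end of the record into whatever follows it (up to 65535 bytes on the
    # real heap; here, until the constructed arena ends).
    return _respond(claimed_len, bytes(memory[3:3 + claimed_len]))


def handle_fixed(memory: bytearray, record_len: int) -> bytes:
    """The 1.0.1g fix: the claimed payload must fit inside the record received."""
    if 1 + 2 + PADDING > record_len:
        return b""                       # too short to hold even a header: silently discard
    hbtype = memory[0]
    claimed_len = struct.unpack("!H", memory[1:3])[0]
    if 1 + 2 + claimed_len + PADDING > record_len:
        return b""                       # oversized claim: silently discard (RFC 6520 sec. 4)
    if hbtype != HB_REQUEST:
        return b""
    return _respond(claimed_len, bytes(memory[3:3 + claimed_len]))


def demo() -> dict:
    """A malicious request (3 real bytes, claims 16384) against both handlers."""
    evil = build_record(b"abc", 0x4000)
    leak = handle_vulnerable(make_memory(evil), len(evil))
    safe = handle_fixed(make_memory(evil), len(evil))
    honest = build_record(b"abc", 3)
    return {
        "vulnerable_leaks_secret": SECRET in leak,
        "fixed_discards": safe == b"",
        "fixed_still_answers_honest": handle_fixed(make_memory(honest), len(honest))[3:6] == b"abc",
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable handler copies the three real payload bytes, the padding, and then the secret that happens to follow the record; the fixed handler never reaches the copy because the claimed 16,384 bytes cannot fit in a 22-byte record, while a well-formed request is still answered normally.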

In the wake of the Heartbleed discovery this spring, it turned out that most banks didn't use a vulnerable version of OpenSSL on their public websites. But like most companies, they do tend to have network-connected devices, such as the VPN gateways that let employees connect from outside, that do use it.

According to a blog post by security consulting firm TrustedSec, the attackers exploited Heartbleed against a Juniper network device and read user credentials out of the device's memory. With those credentials they logged in to the company's network through its virtual private network, then moved from system to system until they reached the database holding the 4.5 million patient records.

"The Community Health Systems breach is just the latest indication that companies are not adequately protecting the information of the consumers they serve," said Rick Dakin, CEO and chief security strategist at Coalfire, an IT audit and compliance firm based in Denver. "According to media reports, Chinese hackers were still stealing records in June, even though the Heartbleed bug that gave them a way in had been reported in April. It's time for companies to step up their games to protect their consumers. And it's time for consumers to demand that companies protect the information that they've shared."

Some observers speculate that prior mergers left Community Health Systems less able to seal itself off from Heartbleed.

"I imagine this organization grew by acquisition and a very heterogeneous technology base spans those hospitals and states," said Zurawski. "The number of access points is potentially very large and it would not be surprising if many were protected by only user names and passwords."

Community Health Systems did not immediately respond to a request for comment.

This same merger security risk applies to banks, Visner pointed out.

"If I've acquired another bank, have I checked on the cybersecurity of the organization I'm acquiring? Otherwise I might be connecting my house to a house that's already rotten with termites," he said. "That's becoming a problem."

What Is to Be Done?

The first thing banks should do in the wake of the Community Health Systems breach is fully address the Heartbleed vulnerability, Dakin said.

"Most organizations made a light review of the vulnerability and then declared themselves 'good,'" he said. Banks quickly remediated the risk on their customer-facing applications and stopped there.

However, banks also need an extensive review of the embedded software that device manufacturers build in to enable remote access, he pointed out.

"This problem is still not fully understood," he said. Every user of devices or applications with embedded remote access has to communicate with the developers or manufacturers and demand a review of the protocols used to conduct remote access, he suggested.

All new applications and devices should go through a security check before being deployed.

"It may sound crazy, but banks typically take off-the-shelf devices and applications out of the box and deploy them into a production environment with very light review or testing," Dakin said.

Bankers should also watch for a wave of new credit card applications, loan applications, and other fraud tied to identity theft and credit scams, Zurawski said, and thoroughly authenticate every request for a credit card replacement, new credit card or loan as well as unusual electronic funds transfers.

"I imagine in some cases information for entire families has been compromised," he said, which broadens the impact of the breach beyond the 4.5 million records stolen.

And banks need to beef up their account monitoring and ensure that their security policies are being enforced, Visner said.

"Some breaches occur in the absence of very sophisticated defenses," he said. "There might be a lack of continuous monitoring, a lack of cybersecurity governance, risk and compliance."

MORE FROM AMERICAN BANKER