When the Heartbleed bug was discovered in April, most healthcare providers had reason to squirm. Heartbleed, a major flaw in the OpenSSL encryption technology used in an estimated two-thirds of websites, left networks vulnerable to eavesdropping and data theft. It is the result of a small coding error that has been present in the technology for over two years—and this week, Community Health Systems paid for that error in a big way when hackers stole the personal data of 4.5 million patients.
The CHS breach is the first known large-scale attack exploiting Heartbleed.
According to David Kennedy, chief executive of TrustedSec LLC, the bug was present in hospital equipment made by Juniper Networks Inc. The China-based hackers exploited the flaw and logged into the hospital system's network using stolen IDs, then broke into a database to steal Social Security numbers and other HIPAA-protected information. Kennedy, who recently testified before Congress about the security of Healthcare.gov, confirmed to Reuters that multiple sources close to the investigation have said that Heartbleed provided the hackers with access to the network.
The hackers' main target, however, was likely not personal information but lucrative tech development projects, according to the FBI. The agency issued a "Flash" alert on Wednesday, noting that "malicious actors" have been observed "targeting multiple companies in the healthcare and medical device industry typically targeting valuable intellectual property, such as medical device and equipment development data."
CHS is one of the largest hospital operators in the country, managing 206 hospitals in 29 states. The breach comes directly in the wake of the FBI's warning to the healthcare industry that it needs to shape up its data security efforts: In April, the FBI issued a private industry notification (PIN) to the healthcare industry, warning providers that their security is insufficient to meet the risk of cyberattacks.
And here's what we were reading:
- The Miami Herald reports on the administration's refusal to reveal federal records on healthcare.gov security because it might give hackers an edge.
- Aaron Carroll clues us in on why physicians don't care about consumers' Fitbit data.
- Austin Frakt does a cost-benefit analysis on the more-expensive but higher-quality Medicare Advantage plans. Are they worth it?