US hospital hack 'exploited Heartbleed flaw'

Community Health Systems believes the data breach did not involve medical records


The theft of personal data belonging to about 4.5 million healthcare patients earlier this year was made possible because of the Heartbleed bug, according to a leading security expert.

Community Health Systems - the US's second-largest profit-making hospital chain - announced on Monday that its systems had been breached.

The head of TrustedSec - a cybersecurity firm - now alleges that the encryption flaw was exploited.

CHS has yet to respond to the claim.

The Heartbleed bug made headlines in April when Google and Codenomicon - a Finnish security company - revealed a problem with OpenSSL, a cryptographic library used to digitally scramble sensitive data.

OpenSSL is used by computer operating systems, email and instant messaging apps, and other software products to protect sensitive data - users see a padlock icon in their web browser when it is active.

A fix was made available at the time, and software-makers that used OpenSSL in their products were urged to employ it.

If confirmed, this is the biggest identified breach relating to the bug.

Until now, attacks on the UK's parenting social network Mumsnet and the Canadian tax authority were the biggest known Heartbleed-related intrusions.

Other examples may have gone undetected since hackers can exploit the problem without leaving a trace of their activity.

Patching Heartbleed

David Kennedy, chief executive of TrustedSec, told the Bloomberg news agency that three people close to the CHS investigation had notified him that Heartbleed had been pinpointed as the vulnerability used to steal names, phone numbers, addresses and social security numbers from the hospital group's systems.

He explained that the hackers took advantage of the fact that Franklin, Tennessee-based CHS used products made by Juniper, a firm that makes hardware and software to manage computer networks.

Like many of its competitors, it took Juniper several weeks to patch all its affected code after the Heartbleed alert was issued.

"The time between zero-day (the day Heartbleed was released) and patch day (when Juniper issued its patch) is the most critical time for an organisation where monitoring and detection become essential elements of [an] IT security programme," wrote Mr Kennedy on his company's blog.

"What we can learn here is that when something as large as Heartbleed occurs (rare) that we need to focus on addressing the security concerns immediately and without delay.

"Fixing it as soon as possible or having compensating controls in place days before could have saved this entire breach from occurring in the first place."

A spokeswoman for CHS's security provider Mandiant was not available for comment.

TrustedSec previously helped uncover a security breach at Yahoo, and last year Mr Kennedy was called to give evidence to Congress about suspected vulnerabilities in the US government's healthcare website.

Another independent expert said the explanation given for the intrusion appeared incomplete but credible.

"The blog post is not very detailed and is attributed to an anonymous source," said Dr Steven Murdoch from University College London's computer science department.

"It's not conclusive evidence, but it's certainly plausible since the Juniper operating system was vulnerable to the Heartbleed attack, and the way that it's explained that the hackers got in is also plausible.

"It is interesting that the first breach happened in April, which was the same month that the Heartbleed vulnerability was announced, so it seems that well-organised hackers were making use of the flaw immediately after it came out."

Websites that use OpenSSL identify the fact they are secure by showing a closed padlock

CHS has indicated that the attacks originated from China and had resulted in the perpetrators obtaining log-in credentials belonging to its employees.

These were then used to steal records, it believes, in April and June this year.

The firm, which runs 206 hospitals in 29 states, is now in the process of notifying affected patients.

CHS has stressed that it believes no medical records or financial information have been transferred as a result of the intrusion.