One of the latest breaches to hit the news took place at Community Health Systems (CHS), affecting an estimated 4.5 million patients. According to David Kennedy, principal security consultant and founder of TrustedSec, the initial attack vector was the infamous OpenSSL “Heartbleed” vulnerability, which led to the compromise of the information.
What is especially noteworthy about this particular attack is its impact on the healthcare community. Major data breaches such as the one at Target last year put the spotlight on how retailers need to do a better job at guarding our sensitive financial information from cyber criminals. However, a May 2014 study by BitSight Technologies rated healthcare and pharmaceutical companies even worse than retailers in terms of security performance.
BitSight compared the performance of finance, utilities, retail, and healthcare groups within the S&P 500 from April 2013 through March 2014. Overall, healthcare companies scored lowest, at about 660 on a scale of 250 to 900. Not only did the healthcare sector have the most security problems, but companies also took the longest to fix the problems—on average 5.3 days, according to the report.
The importance of a strong vulnerability management and patching program is well documented but, as with all 0-day vulnerabilities, there is a period of time in which a patch is not available to fix the problem. So, what could CHS have done differently in this case?
As this rapidly evolving industry faces increasing challenges in keeping personal health information protected, there is a need to ensure that knowledgeable security and privacy practitioners are in place to protect this sensitive information. Without knowing the specifics of the information security program in place at CHS, it is hard to come up with short- and/or long-term recommendations. I believe it is safe to assume, though, that CHS could have used more “eyes on target” during that critical time block from when the “Heartbleed” vulnerability was initially discovered and reported to when a patch was available for rollout. Thus, to help address the short-term need, it is critical for all companies to analyze their current monitoring and detection programs and make sure the right people, processes, and tools are in place.
Longer term, we need to come up with a better way to quickly determine the cyber posture of an organization – and not just those from the healthcare sector. Through the use of a scoring method, the BitSight study provided an efficient and effective approach to comparing organizations against one another – similar to how a business runs credit checks before consumers can open a bank account, take out a car or home loan, or even get a job. While this method would require the creation of standards and additional work to implement, it’s an idea worth considering.
[Source: (ISC)² Blog]