White House Cybersecurity Czar Is Total N00b (And Proud Of It)


Only in Washington, DC could a lack of technological know-how be a positive thing. In a city where people prefer to vote for charismatic politicians over intellectuals, White House cybersecurity coordinator Michael Daniel sees his lack of expertise as a selling point.

“Being too down in the weeds at the technical level could actually be a little bit of a distraction,” he told Gov Info Security. “You can get enamored with the very detailed aspects of some of the technical solutions. And, particularly here at the White House … the real issue is to look at the broad, strategic picture and the impact that technology will have.”

Daniel, who describes himself as “not a coder,” is an unlikely appointed official to oversee the White House’s national cybersecurity strategy and policy. Most senior policy makers, as Vox observes, have advanced degrees in the fields they operate in. The surgeon general is a medical doctor, the attorney general has a law degree, and the head of the Federal Reserve has a degree in economics. And honestly, would we trust them as much if they didn’t?

In his own words, Daniel has a degree in public policy, but says he has little experience in programming or protecting computer networks from attacks. We can trust him to make policy, but probably not as the one in charge during a national cybersecurity emergency.

The situation echoes that of Federal Emergency Management Agency (FEMA) coordinator Michael D. Brown. It wasn’t until Hurricane Katrina that it came out that Brown had inadequate experience in disaster management and was forced to resign after his botched handling of the situation.

It would take a cybersecurity equivalent of Hurricane Katrina to put Daniel’s skills to the test, but let’s hope it doesn’t come to that.

Photo of Michael Daniel courtesy of CSIS

Sophisticated Hackers To Spawn Information Security Boom: Report



Worldwide spending on information security is estimated to reach $71.1 billion in 2014, representing an increase of 7.9 percent over 2013, as organizations adapt to the growing threat of cyber crime, according to a new report from Gartner.

By 2015, overall spending on information security is expected to grow even further — by 8.2 percent — to reach $76.9 billion, and greater reliance on mobile, cloud and social platforms is likely to drive the use of security technology through 2016, the Gartner report said.

“This Nexus of Forces is impacting security in terms of new vulnerabilities,” Lawrence Pingree, a research director at Gartner, said in a statement. “It is also creating new opportunities to improve effectiveness, particularly as a result of better understanding security threats by using contextual information and other security intelligence.”

According to Pingree, the easy availability of malware and other malicious technology has significantly increased the threat to cyber security, a trend that was clearly on the rise in 2013 and that allows cyber criminals to launch advanced and highly targeted attacks. At the same time, the trend has led to increased awareness among organizations that “have traditionally treated security as an IT function and a cost center.”

Gartner estimates that more than 30 percent of security controls used by small or mid-size operations will be cloud-based by 2015, and consumers are expected to treat mobile security as a major priority from 2017 onwards. The report also predicted that, by 2018, more than half of all organizations will deploy security services firms specializing in data protection, security risk management and security infrastructure management.

Community Health Systems Inc. (NYSE:CYH), the second-largest chain of hospitals in the U.S., said earlier this week that it was the victim of a cyber attack from China, which led to the theft of personal data belonging to 4.5 million patients.

The attack, which was later reported to be carried out using the Heartbleed security flaw, was considered to be a significant breach by Chinese hackers, who have in the past been suspected of stealing medical-device blueprints and other valuable intellectual property from large health care companies.

However, the Community Health hack is far behind the biggest data breaches of all time, Bloomberg reported. Here is a list of top 10 hacks in the U.S. so far.


A list of top 10 hacks in the U.S. (chart: Bloomberg)


JPMorgan customers targeted in email phishing campaign

BOSTON/NEW YORK (Reuters) – Fraudsters are targeting JPMorgan Chase & Co customers in an email “phishing” campaign that is unusual because it attempts to collect credentials for that bank and also infect PCs with a virus for stealing passwords from other institutions.

The campaign, dubbed “Smash and Grab,” was launched on Tuesday with a widely distributed email that urged recipients to click to view a secure message from JPMorgan, according to security researchers with corporate email provider Proofpoint Inc.

JPMorgan, the No. 1 U.S. bank by assets, confirmed that spammers had launched a phishing campaign targeting its customers.

“It looks like they sent it out to lots of people in hopes that some of them might be JPMorgan Chase customers, because there are a lot of them,” said bank spokeswoman Trish Wexler. “We are seeing this as a very small incident.”

She said the bank believes most of the spam was stopped by fraud filters at large Internet providers, adding that the email looked realistic because the attackers apparently used a screen grab from an authentic email sent by the bank.

Users who click on the malicious link are asked to enter credentials for accessing accounts with JPMorgan. Even if they do not comply, the site attempts to automatically install the Dyre banking Trojan on their PCs, according to Proofpoint.

Dyre is a recently discovered piece of malware that seeks credentials from customers of Bank of America Corp, Citigroup Inc and the Royal Bank of Scotland Group PLC, according to email security firm Phishme. (http://bit.ly/1lvFaVg)

Proofpoint Vice President of Threat Research Mike Horn said it is unusual for spammers to infect PCs with malware in the same campaign that is seeking to persuade users to provide banking credentials because that increases the odds of detection.

“Usually when they do credential phishing, that is all they do. In this case they are throwing in the kitchen sink,” Horn said.

Proofpoint saw about 150,000 emails from the group on Tuesday, the first day it noticed the campaign among its customers in the Fortune 500 and higher education.

That makes a moderately large campaign, but the largest attempts involve sending more than 1 million pieces of spam over a few days to Proofpoint clients, he said. The firm manages over 100 million email accounts.

Horn said that Proofpoint quickly identified the spam and was able to stop it infecting customers, but was not sure how effective it was in infecting others.

Horn said that his firm was unsure who was behind the emails, though much of the campaign’s infrastructure was in Russia and Ukraine and the group’s tactics were consistent with those of Eastern European cybercrime gangs.

(Additional reporting by David Henry in New York; Editing by Lisa Shumaker)

Teaching Leadership to Healthcare CISOs Aim of New Certification

What are CISOs’ top security concerns and strategies?

Security is no longer just an IT issue, it’s a business priority issue. In the past year, we’ve experienced a handful of high profile data breaches that affected tens-to-hundreds of millions of individuals in each—Court Ventures in October 2013, Target in December 2013, P.F. Chang’s in June, and the untold number of sites that a Russian crime ring hacked just a couple of weeks ago.


Security teams protecting sensitive corporate data aren’t the only ones embracing advances in technology—so are the sophisticated criminals trying to disrupt business. Protecting data privacy, meeting compliance requirements and guarding against malicious phishing and malware are cited as top security concerns according to a recent Wisegate member poll. But what are IT security executives actually focused on as priorities? Where are they looking to innovate their processes? And how will our nation’s top security experts help their businesses take smart risks?

Wisegate, an IT advisory service, and Scale Venture Partners teamed up to survey over a hundred security leads to find out.

The report highlights these key findings:

  • New battlefields, same war. CISOs remain vigilant on the fundamentals: malware outbreaks and data breaches. Security teams confront growing risks on many fronts, from new technologies to external threat factors. Driving their security strategies are six technology trends, including BYOD, Everything as a Service, Cloud Application Security Brokers and SecDevOps. The five top risks resulting from these trends include malware outbreaks and sensitive data breaches, these two risks accounting for nearly a third of all CISOs’ top priorities.
  • Security programs prioritize risks and business alignment, but lack tools to draw the big picture. Their risks are increasing, but only half can efficiently report risk status to their boards and internal business partners. Despite being able to identify their top risks, one-half of the survey participants admitted they didn’t have good ways to measure the status of these risks or how effective their programs were at addressing them. Security and risk management systems are becoming Board-level discussions; government and industry regulations are also requiring better risk monitoring and controls. While many security products do provide dashboards, those tend to be specific to that product’s threats and activities. What’s needed are efficient ways to map all of this event data into holistic, business-level perspectives.
  • Top tech trends and risks show that as IT hands off infrastructure control, CISOs focus on the data. Shared risk models are a nod to the expanding universe of user devices and the dissolving enterprise perimeter. CISOs are looking to put security controls as close as possible to enterprise data, versus focusing on specific device types or threats. Information protection and control products (IPC), including DLP/DRM/masking/encryption technologies, were the number one desired control to apply on computers, at the infrastructure layer, within applications, and on mobile endpoints.
  • Automate all the things. CISOs push automation, orchestration to manage point solution sprawl. Consolidation and automation are top areas of focus to improve security program maturity. Three-quarters of CISOs are building or integrating solutions to address their top risks; APIs are frequently requested features in modern security solutions. Over half (59 percent) identified proactive threat/misuse detection or automated orchestration to streamline their incident response processes as a top goal.


Check back in with CSO Online to see our in-depth reports based on the survey results. Look forward to learning about:

  • Security programs metrics/reporting: What’s working, what’s not? 
  • Automation: CISOs focus on automation, orchestration to manage point solution sprawl to improve security program maturity.
  • Top Risks/Controls: CISOs remain focused on the basics – malware and data breaches.
  • Data-centric to address BYOD/Cloud: As IT hands off control, CISOs focus on the data.

Bill Burns is an executive-in-residence at Scale Venture Partners. Elden Nelson is the editor-in-chief at Wisegate.

Chinese Hackers Used Heartbleed On Community Health: Report



Chinese hackers used the Heartbleed security flaw to steal personal data belonging to 4.5 million patients of Community Health Systems Inc. (NYSE:CYH), the second-largest chain of hospitals in the U.S., a report said Wednesday.

The report follows Community Health’s disclosure on Tuesday that the company was the victim of a cyber attack from China, resulting in the theft of patients’ Social Security numbers, names, addresses and other personal data. The latest attack is considered to be the first known instance when the Heartbleed vulnerability has been used to breach a company’s systems, Bloomberg reported.

“We never had any tangible proof of an attack until now,” David Kennedy, founder of TrustedSec LLC, a Cleveland, Ohio-based security consulting company, told Bloomberg. Kennedy, who first reported that Heartbleed was used to attack Community Health, said he obtained the details of the hack from “a trusted and anonymous source” close to the investigation.

According to Kennedy, the hackers used the Heartbleed vulnerability to collect user credentials from the memory of a hospital device manufactured by Juniper Networks (NYSE:JNPR) and used them to log in through a virtual private network, or VPN. The attackers then extended their access into the company’s network until an estimated 4.5 million patient records were stolen from a database.

“There are sure to be others out there, however this is the first known of its kind,” a post on the TrustedSec website said.

The Heartbleed flaw, which was publicly disclosed on April 7, allows hackers to steal secret keys that are used to encrypt user names, passwords and other digital data. Following the bug’s discovery, many companies and security researchers were forced to build fresh safeguards to protect their computer networks.

Investigators are trying to determine if the Community Health hack was backed by the Chinese government, however, the Chinese embassy in Washington said it was unaware of the incident.

“Chinese laws prohibit cyber crimes of all forms and Chinese government has done whatever it can to combat such activities,” Bloomberg quoted Geng Shuang, an embassy spokesman, as saying. “Making groundless accusations at others is not constructive at all and does not contribute to the solution of the issue.”


U.S. hospital breach biggest yet to exploit Heartbleed bug: expert

(Reuters) – Hackers who stole the personal data of about 4.5 million patients of hospital group Community Health Systems Inc broke into the company’s computer system by exploiting the “Heartbleed” internet bug, making it the first known large-scale cyber attack using the flaw, according to a security expert.

The hackers, taking advantage of the pernicious vulnerability that surfaced in April, got into the system by using the Heartbleed bug in equipment made by Juniper Networks Inc, David Kennedy, chief executive of TrustedSec LLC, told Reuters on Wednesday.

Kennedy said that multiple sources familiar with the investigation into the attack had confirmed that Heartbleed had given the hackers access to the system.

Community Health Systems said on Monday that the attack had originated in China.

Kennedy, who testified before the U.S. Congress on security flaws in the healthcare.gov website that Americans use to sign up for Obamacare health insurance programs, said the hospital operator uses Juniper’s equipment to provide remote access to employees through a virtual private network, or VPN.

The hackers used stolen credentials to log into the network posing as employees, Kennedy said. Once in, they hacked their way into a database and stole millions of social security numbers and other records, he said.

Heartbleed is a major bug in OpenSSL encryption software that is widely used to secure websites and technology products including mobile phones, data center software and telecommunications equipment.

It makes systems vulnerable to data theft by hackers who can attack them without leaving a trace.

Community Health Systems, one of the biggest U.S. hospital groups, said the information stolen included patient names, addresses, birth dates, phone numbers and social security numbers of people who were referred or received services from doctors affiliated with the company over the last five years.

Representatives of Community Health Systems could not be reached for comment outside regular U.S. business hours. A Juniper spokeswoman said she had no immediate comment.

A spokesman for FireEye Inc’s Mandiant forensics unit, which is leading the investigation into the breach, declined to comment.

Canada’s tax-collection agency said in April that the private information of about 900 people had been compromised after hackers exploited the Heartbleed bug.

(Reporting by Jim Finkle in Boston and Supriya Kurane in Bangalore; Editing by Gopakumar Warrier and Ted Kerr)

Workers at U.S. nuclear regulator fooled by phishers


Nuclear Regulatory Commission employees were tricked into disclosing passwords and downloading malware in three phishing attacks that occurred over a three-year period.

The incidents were described in an inspector general report obtained by the publication Nextgov through an open-records request.

In one incident, the attackers sent email to 215 NRC employees, asking them to verify their accounts by clicking on a link and logging in with their user name and password.

A dozen employees clicked on the link, which actually connected to a spreadsheet on Google Docs. After the incident was reported, the NRC cleaned the workers’ systems and changed their credentials, a commission spokesman told Nextgov.

In another incident, attackers tricked an employee into clicking on an email link that downloaded malware from Skydrive, Microsoft’s file hosting service that is now called OneDrive. The employee was one of a number of workers who received email in the spearphishing attack, the report said.

Both of the attacks originated from foreign countries that were not identified.

In the third incident, the attacker hacked an employee’s email account and used the contact list to send email carrying a malicious attachment to 16 other employees, according to Nextgov. One employee opened the attachment, which infected the NRC computer.

Whether the attack was from a foreign country was not known.

The inspector general report listed 17 compromises or attempted compromises that occurred from 2010 to November 2013, Nextgov said.

During the 2013 fiscal year, U.S. government agencies reported 46,160 “cyber-incidents” in which computers were compromised, according to a report by the Government Accountability Office. The number represented a 33 percent increase from fiscal 2012.

The NRC’s job is to ensure that the nation’s nuclear power industry is following federal safety regulations.

Because the NRC collects large amounts of information from nuclear facilities, the attackers were likely after that data to learn more about plant operations, Andrew Gintner, vice president of industrial security at Waterfall Security Solutions, said.

“It’s clear that they’re doing information gathering,” Gintner said. “The question is why would you bother gathering this kind of information?”

Terrorists could use the information to plan an attack, while many nation states would likely be building a knowledgebase on U.S. nuclear facilities, Gintner said. Such a database would give them options, if a conflict occurred.

“This is a serious kind of incident, not because ‘help, help, they’re attacking a reactor,’ but because somebody is doing information gathering, and you generally don’t gather this information for benign purposes,” Gintner said.

The attacks described by the inspector general were successful despite the annual training NRC employees receive to help them spot phishing attempts.

“We can inoculate ourselves to be secure 90 percent of the time, but to be 100 percent secure is really darn near impossible,” Adam Bosnian, executive vice president of the Americas at security company CyberArk, said.

Kicking the stool out from under the cybercrime economy


Put simply, cybercrime, especially financial malware, has the potential to be quite the lucrative affair. That’s only because the bad guys have the tools to make their work quick and easy, though. Cripple the automated processes presented by certain malware platforms, and suddenly the threats — and the losses — aren’t quite so serious.

CSO Online had the opportunity to chat with Shape Security’s senior threat researcher, Wade Williamson, at this year’s Black Hat conference, and he offered a brief background of these types of popular malware platforms before putting the threat landscape into perspective.


Williamson maintains that, despite its perceived “downfall,” Zeus is still one of the most popular botnet platforms out there, and that’s for a number of reasons. For one, the source code for Zeus previously leaked, allowing people who know how to code to more or less build on top of it for free. Also, it was one of the most common building blocks for many of the high-profile pieces of malware that came after it; it’s the very reason that it can be difficult to distinguish between Citadel and Zeus, for example. Ultimately, Zeus served as the “innovative wedge” that can be seen in man-in-the-browser financial malware today.

That said, there’s a new up-and-comer in town in the form of Pandemiya.

“If you rewind about six years ago, SpyEye was actively marketing and saying, ‘We’re better than Zeus,’” says Williamson. “But they eventually merged and then you got iterative changes on top of the Zeus codebase. Pandemiya, on the other hand, is the new entrant and you’re starting to see it challenge the monolith [Zeus].”

Be it Pandemiya or Zeus, however, the goals behind them are more or less the same. According to Williamson, there are two major branches to attack strategies now. The first is working on making the botnet harder to take down, which some coders have accomplished by implementing P2P communication between the bots.

“It used to be that C&C servers are the brain behind this big botnet and everyone wants to take that down,” says Williamson. “But now botnets are using P2P communication, so there is no central server. They spread over the machines themselves, just like a P2P network, and it becomes hard to root this thing out even if you knew who was behind it.”

The other branch has less to do with the older approach of password theft and more to do with automating the transfer of money, which is where Williamson says the “state of the art” technology is now.

“Pandemiya and Zeus are all ultimately about automation and the man-in-the-browser process,” he says.


While it used to be easy for attackers to hit victims with a man-in-the-browser attack and simply wait for a login, banks got wise to the practice and implemented secondary authentication mechanisms; it was no longer enough for attackers to just acquire usernames and passwords. As such, they had to adopt a different approach.

“I’m in this guy’s browser, I can just wait until he completes all authentication, and then I’m going to be on the inside,” says Williamson. “Eventually, he’s going to send money to someone else. If you can automate that transaction, it makes it impossible to discern what’s real and what’s the bot.”


So how exactly is this done? Because the malware owns the browser, it injects a bit of JavaScript that looks the same as what information coming from a legitimate, uncompromised browser looks like. Breaking that piece of the automation, says Williamson, is the key to mitigating the problem.

“From the bank’s perspective, I can’t just tell my customer to go away,” he says. “Being able to selectively break an automation is the key for disrupting these attacks. It’s true of anything that uses automation, like DDoS.”

What the good guys can do is effect change at the website level, changing the underlying markup of the website each time it loads without changing the user interface. This way the website always looks the same to the user and their experience isn’t disrupted, but the code supporting it looks different, thus stumping the botnet on the infected machine. After all, automation needs the page to be predictable in order to automate against it; if it can’t figure out how to put in a username and password and hit the submit button, the automation doesn’t work anymore.

“So now your botnet that knows what to do when it gets to, say, Bank of America, sees this and says, ‘This is gobbledygook’ and doesn’t know what to do,” says Williamson.

The economy of cybercrime

Like the malware itself, what the economy of cybercrime comes down to is automation: attackers can make money quickly and easily because with botnets, they don’t have to do the heavy lifting. And the bad news for the good guys is that defending networks from such attacks is an arduous process.


“If you can automate one of these attacks, it’s the reason 10 guys can make millions a month because scripts are doing work in the background,” says Williamson. “And for someone defending networking, every small change from an attacker makes you go back to square one, write a signature for it, etc. Every time a web server burps with a new piece of malware, you have to go reanalyze it.”

The trick, then, is to turn the tables and put all of the hard work on the side of the attacker. By crippling automated processes — by constantly changing website code, for example — the attackers are now the ones being forced to constantly do the hard cerebral work as they go back to square one and manually adjust their game plans. Suddenly, cybercriminals are raking in less money over time and their economy begins to crumble.

“If you can force someone to rewind to 10 years ago where they have to do everything themselves, it kicks the stool out from under a lot of attacks,” says Williamson. “How do I monetize stolen credit cards? How do I know if they’ve logged into their bank? If you can’t deal with those sites automatically, everything deescalates.”

By way of example, Williamson explained that when a target is breached and criminals get their hands on stolen credit cards, their value on the black market jumps substantially — say, from 20 cents to anywhere from 40 to 80 dollars apiece — once they have been verified. Verification is what gives the stolen cards value, so criminals have an automated process to determine whether or not the cards are, in fact, valid.

“So let’s say they take a thousand of those cards and go to the Red Cross and make a one dollar donation with each of them,” says Williamson. “It’s something that people aren’t going to notice. They make the donations and say, okay, 900 out of 1,000 of them worked. So when they sell the cards, they say that the cards are from this area in the country and they have a 90% success rate. People pay a really high premium for [a rate that high].”


The key, then, is breaking that verification process, since that’s where all the value in the cybercriminal economy gets generated. To do so, defenders need to take advantage of the fact that the entire process is automated; again, without changing the GUI of the site in question, the ID of field names can be changed to a random string, ensuring that each user interaction is unique. This, of course, breaks the automated process when it can’t find the fields that it’s attempting to fill out.

“If you think about this in the context of testing credit cards, the script says, ‘Put in the number here, address, hit submit, and if I get a good verify back, I know it works,’” says Williamson. “And since nothing was ever submitted, it looks like they went zero for a thousand.”
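The field-name randomization Williamson describes above can be shown in a few dozen lines. The following is an added illustration, not Shape Security’s product code or anything from the original article: a server issues fresh random `name` attributes for the login fields on every page load, keeps the random-to-canonical mapping keyed by a one-time form token, and maps submissions back. A real browser reads whatever names are in the page it was served, so it still works; a script that has the field names hard-coded posts `username`/`password` and is rejected. The class and function names (`FormNameRandomizer`, `browser_submit`, `scripted_submit`) and the sample credentials are assumptions made for this example.

```python
import html
import re
import secrets

# Canonical field names that the application's login logic understands.
CANONICAL_FIELDS = ("username", "password")


class FormNameRandomizer:
    """Issue a fresh random name for every form field on each page load and keep
    the random->canonical mapping server-side, keyed by a one-time form token.
    (Hypothetical helper written for this example.)"""

    def __init__(self):
        self._maps = {}  # form_token -> {random_name: canonical_name}

    def render_login_form(self):
        """Return the HTML for one page load. Labels and layout never change;
        only the name attributes (and the token) differ between loads."""
        token = secrets.token_urlsafe(16)
        mapping = {secrets.token_urlsafe(12): canon for canon in CANONICAL_FIELDS}
        self._maps[token] = mapping
        by_canon = {canon: rnd for rnd, canon in mapping.items()}
        return "\n".join([
            '<form method="post" action="/login">',
            f'<input type="hidden" name="form_token" value="{html.escape(token)}">',
            f'<label>Username <input name="{by_canon["username"]}"></label>',
            f'<label>Password <input type="password" name="{by_canon["password"]}"></label>',
            '<button type="submit">Sign in</button>',
            '</form>',
        ])

    def decode_submission(self, posted):
        """Map a POST body back to canonical names. Returns None when the token is
        unknown or already used, or when any canonical field is missing."""
        mapping = self._maps.pop(posted.get("form_token", ""), None)  # one-time use
        if mapping is None:
            return None
        decoded = {mapping[k]: v for k, v in posted.items() if k in mapping}
        if set(decoded) != set(CANONICAL_FIELDS):
            return None
        return decoded


def browser_submit(page, username, password):
    """A real browser: uses the name attributes actually present in the served page."""
    token = re.search(r'name="form_token" value="([^"]+)"', page).group(1)
    user_field = re.search(r'Username <input name="([^"]+)"', page).group(1)
    pass_field = re.search(r'Password <input type="password" name="([^"]+)"', page).group(1)
    return {"form_token": token, user_field: username, pass_field: password}


def scripted_submit(page, username, password):
    """Automation with hard-coded field names, the pattern the article describes:
    it copies the token from the page but assumes the names it saw last time."""
    token = re.search(r'name="form_token" value="([^"]+)"', page).group(1)
    return {"form_token": token, "username": username, "password": password}


def visible_markup(page):
    """Strip the randomized name/value attributes to show the user-facing markup is stable."""
    return re.sub(r' name="[^"]+"', '', re.sub(r' value="[^"]+"', '', page))


def demo():
    """Run the scenario: two page loads, one browser submission, one scripted one, one replay."""
    server = FormNameRandomizer()
    page_a = server.render_login_form()
    page_b = server.render_login_form()
    creds = ("alice", "constructed-password")  # constructed sample credentials
    return {
        "ui_identical": visible_markup(page_a) == visible_markup(page_b),
        "names_differ": page_a != page_b,
        "browser": server.decode_submission(browser_submit(page_a, *creds)),
        "script": server.decode_submission(scripted_submit(page_b, *creds)),
        "replay": server.decode_submission(browser_submit(page_a, *creds)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points matter here. The mapping lives only on the server and is consumed on first use, so a submission that reuses an old page’s names or token is rejected rather than silently accepted; and only the `name` attributes change, so the rendered labels and layout are byte-identical between loads, which is the “same UI, different code” property the article relies on.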

Why it is time to intensify employee education on phishing


Companies should consider intensifying employee training to combat the increasing craftiness of phishers who are working harder to obtain personal details on targets in order to trap them in scams.

Among the latest examples of phisher creativity is a hustle in which the scammers contacted people who were planning vacations and had booked hotel rooms through Booking.com.

In two cases, the would-be victims had booked a room at two separate London hotels. In a third incident, the booking was done at a Spanish hotel.

The scammers, pretending to be from Booking.com, sent email asking for payments in full via wire transfers, because of problems with the credit-card transactions.

The emails included account details on the Polish bank where the money should be sent, as well as information on the would-be victims, such as the booking number, their full name, the dates of their stay and home address.

The tech site The Register reported one of the scams earlier this month, while the other two were on the London forum of TripAdvisor.

Experts believe the information used to make the emails seem real likely came from the hotels, but how the crooks got the details is up for speculation.

The information could have come from a computer hack or could also have been obtained from someone working for the hotel. That person may have been involved in the scam or tricked into providing the information over the phone.

“There are a number of different pretexts that would allow an intelligent attacker to not have to go through hacking,” said Michele Fincher, chief influencing agent at Social-Engineer Inc., which provides corporate training for avoiding phishing attacks.

Phishers are getting much better at creating convincing emails, which are sometimes followed by a phone call in which the scammer pretends to be a business associate asking the recipient to open the malicious attachment in the messages, experts say.

In the first quarter, the number of phishing sites grew by almost 11 percent from the fourth quarter of 2013, according to the latest report by the Anti-Phishing Working Group. The latest number was the second highest since the first quarter of 2012.

In addition, the number of phishing reports increased by almost 7 percent from the previous quarter.

Because the first quarter is typically slower than the rest of the year, the APWG expects this year to be a “very active year for phishers worldwide.”

“The number and diversity of phishing targets is increasing,” Greg Aaron, a senior research fellow at the APWG said in the report. “Almost any enterprise that takes in personal data via the Web is a potential target.”

The sophisticated tactics used by phishers mean companies need to ratchet up employee education to reduce the number of people fooled by slick conmen.

Social-Engineer advocates a “culture change” in which employees are encouraged to think before clicking on attachments or links within every email they receive.

They should also be trained to look closely at the URLs in email and senders’ addresses.

“Adding a couple of seconds on to what you normally do when you receive an email will go a long way (toward safety),” Fincher said.

Also, education has to be relevant and consistent and not comprise sessions in which bored attendees are fulfilling a requirement.

“The training has to be something that makes sense,” Fincher said. “It has to be all the time and it has to make people think about what they do in a different way.”

Cyber Attack Nets 4.5 Million Records From Large Hospital System


In what could well be the largest single health data breach by a publicly traded company, Community Health Systems (CHS) announced earlier today that information on 4.5 million patients was stolen as part of a cyber attack they believe originated in China.

In July 2014, Community Health Systems, Inc. (the “Company”) confirmed that its computer network was the target of an external, criminal cyber attack that the Company believes occurred in April and June, 2014. The Company and its forensic expert, Mandiant (a FireEye Company), believe the attacker was an “Advanced Persistent Threat” group originating from China who used highly sophisticated malware and technology to attack the Company’s systems. SEC Form 8‒K as filed by CHS on 8/14/2014

While the stolen data was “non‒medical in nature,” it did include patient names, addresses, birth dates, telephone and social security numbers so it is considered a breach under HIPAA and will be reported as such. Using liability insurance for this express purpose, CHS will provide identity theft protection to affected patients. The company said they do not expect costs associated with the breach to have any “adverse effect on its business or financial results.”

As of July 2013, Becker’s Hospital Review listed Franklin, Tennessee-based CHS as the second-largest for-profit hospital system in the U.S., just behind Hospital Corporation of America (HCA).

“Community Health Systems, Inc. is one of the nation’s leading operators of general acute care hospitals. The organization’s affiliates own, operate or lease 206 hospitals in 29 states with approximately 31,100 licensed beds.” Community Health Systems website

Just this last April, the FBI issued an alert (known as a private industry notification or PIN) to healthcare organizations nationally specifically warning them that healthcare lagged other industries relative to cyber threats globally.

The healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely. FBI quote as provided to Reuters (April 2014).

As if to emphasize that exact point, and today’s announcement by CHS, healthcare CIO Bert Reese had this warning from May:

We see about a million hits a day from China alone trying to break into our network. Bert Reese ‒ CIO of Sentara (Top Healthcare CISO’s Hard To Come By – May, 2014)

Another key target for cyber criminals is the proprietary information and technology associated with medical devices, but once inside a network, criminals often take whatever they can find. SFGate reported earlier this year that the networks of all 3 of the largest medical device manufacturers (Medtronic, Boston Scientific and St. Jude Medical) had been breached in early 2013 in an attack that lasted for months ‒ and “might have been committed by hackers in China.”

“The medical device makers were not aware of the intrusions until federal authorities contacted them, and they have formed task forces to investigate the breach, [an inside source] said.” Hackers break into networks of 3 big medical device makers – SFGate (February, 2014)

In their 4th annual report (released in February) ‒ Health IT Security firm Red Spin included this chart on PHI breaches since 2009: