{"id":3840,"date":"2014-08-22T10:00:07","date_gmt":"2014-08-22T14:00:07","guid":{"rendered":"http:\/\/me-en.kaspersky.com\/blog\/?p=3840"},"modified":"2020-02-26T18:58:57","modified_gmt":"2020-02-26T14:58:57","slug":"community_health_systems_breach","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/community_health_systems_breach\/3840\/","title":{"rendered":"What You Need to Know About the Community Health Systems Breach"},"content":{"rendered":"<p>A recent data breach at Community Health Systems illustrated the realistic, actual risk posed by connected medical devices when alleged Chinese hackers made off with the sensitive medical information of some 4.5 million people.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2014\/08\/05111608\/healthcare-1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-5766\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2014\/08\/05111608\/healthcare-1.png\" alt=\"healthcare\" width=\"640\" height=\"480\"><\/a><\/p>\n<p><strong>Remember Heartbleed?<\/strong><\/p>\n<p>A <a href=\"https:\/\/www.kaspersky.com\/blog\/heartbleed-howto\/\" target=\"_blank\" rel=\"noopener nofollow\">vulnerability in OpenSSL<\/a>, dubbed Heartbleed, emerged earlier this year. It affected perhaps more than 60 percent of the Internet at one time, and could theoretically give an attacker the ability to steal a certain amount of information during a client-to-server connection. Well, this could be the first real-world, widely publicized instance of criminals or state actors exploiting the nearly Internet-wide vulnerability for personal gain. 
Specifically, the attackers developed an exploit that allowed them to <a href=\"https:\/\/threatpost.com\/heartbleed-exploit-linked-to-community-health-data-breach\/107844\" target=\"_blank\" rel=\"noopener nofollow\">use Heartbleed to steal login credentials to Community Health Systems<\/a>.<\/p>\n<p><strong>Who is Affected?<\/strong> <strong>How did this Happen?<\/strong><\/p>\n<p>In particular, <a href=\"https:\/\/threatpost.com\/apt-gang-branches-out-to-medical-espionage-in-community-health-breach\/107828\" target=\"_blank\" rel=\"noopener nofollow\">this breach exposed the non-medical and non-payment information of 4.5 million patients<\/a> who had been referred to or received services from physicians affiliated with Community Health Systems in the last five years. While no medical data was exposed, which is good, Social Security numbers (SSNs) were exposed, which is quite obviously bad. In addition to SSNs, attackers made off with patient names, addresses, dates of birth and in some cases, patient employers or guarantors and phone numbers.<\/p>\n<p>The silver lining here may actually be that the attackers in this case were advanced persistent threat actors. They probably weren\u2019t looking for consumer SSNs. In fact, various experts from the security firm Crowdstrike and elsewhere say the attackers probably sought intellectual property relating to medical systems that the People\u2019s Republic could put to use providing care for their aging population.<\/p>\n<p>In this effort, \u201cAPT 18\u201d (also known as \u201cDynamite Panda\u201d) failed. That said, it\u2019s hard to say what they\u2019ll do with this vast store of sensitive information.<\/p>\n<p><strong>A Larger Issue<\/strong><\/p>\n<p>However, the problem of healthcare data breaches has been one for years, and it isn\u2019t going to get any better any time soon. 
Here\u2019s why:<\/p>\n<p>When we talk about medical device security, we tend to talk about the fantastic and the grim; tales of remotely <a href=\"https:\/\/www.kaspersky.com\/blog\/hacking-humans\/\" target=\"_blank\" rel=\"noopener nofollow\">hacking insulin pumps and pacemakers<\/a>, maiming and murdering with laptops. Luckily for anyone with a persistent medical condition treated by an embedded and\/or connected medical device, the likelihood of assassination by laptop \u2013 <a href=\"https:\/\/www.kaspersky.com\/blog\/black_hat_recap_2014\/\" target=\"_blank\" rel=\"noopener nofollow\">as I learned in a recent Black Hat briefing<\/a> \u2013 is effectively nonexistent. In fact, Rapid7 medical device security expert Jay Radcliffe said these <a href=\"https:\/\/threatpost.com\/connected-medical-devices-simultaneously-increase-risk-and-safety\/107663\" target=\"_blank\" rel=\"noopener nofollow\">connected medical devices do far more good than harm<\/a>.<\/p>\n<p>The problem, for the time being, appears to be more systemic and growing. It relates more to the way that doctors, hospitals and even medical devices store, share and make data accessible. As was pointed out in a discussion with Radcliffe, the most probable scenario through which a connected medical device could impact personal safety would be if a patient was treated improperly due to medical records that had been tampered with or changed \u2013 whether by hacking or accident.<\/p>\n<div class=\"pullquote\">The problem of healthcare data breaches has been one for years, and it isn\u2019t going to get any better any time soon<\/div>\n<p>In an interview on <a href=\"http:\/\/www.npr.org\/blogs\/health\/2014\/08\/19\/341632184\/cardiologist-speaks-from-the-heart-about-americas-medical-system\" target=\"_blank\" rel=\"noopener nofollow\">NPR\u2019s Fresh Air with Terry Gross<\/a> earlier this week, Dr. Sandeep Jauhar, a cardiologist and author, suggested that a big part of the reason why U.S. 
healthcare lags behind others in the world is because of a lack of information sharing in the country. Thus, in order to improve the U.S. healthcare system \u2013 and come into compliance with the Affordable Care Act \u2013 there will need to be more connectivity between medical devices, more communications between healthcare providers, more remote access to data and, more likely than not, more exposure of sensitive health information. And this is just in the U.S. Jauhar\u2019s statement implies that this sort of data sharing is already going on in countries with more advanced healthcare systems, only perpetuating the problem.<\/p>\n<p>This isn\u2019t to say all is hopeless. The Health Insurance Portability and Accountability Act (HIPAA) is designed in part to protect the security and privacy of consumer healthcare information. Hospitals and manufacturers have guidelines they are required to follow in order to be in compliance with HIPAA. Unfortunately, data breaches are all but inevitable and no security plan is perfect. Everyone \u2013 regardless of how hard they try \u2013 gets compromised eventually.<\/p>\n<p><strong>What if You Are Affected and How Would You Know?<\/strong><\/p>\n<p>Community Health Systems is in the process of sending notifications to anyone whose information was exposed in the attack. So what should you do if you receive one of these letters? We recommend you enroll immediately in credit monitoring services, which Community Health Systems will be offering for free to all of the victims. The breach notification letter will contain instructions on how to enroll.<\/p>\n<p>Beyond that, you will want to monitor your credit report on your own to make sure no one is using your SSN to take out lines of credit. 
<a href=\"http:\/\/www.chs.net\/media-notice-august-19-2014\/\" target=\"_blank\" rel=\"noopener nofollow\">Community Health Systems\u2019 breach notification page<\/a> has contact information, so you should reach out to them if you have any further questions.<\/p>\n<p>Lastly, the Federal Trade Commission has a website dedicated entirely toward <a href=\"http:\/\/www.consumer.ftc.gov\/features\/feature-0014-identity-theft\" target=\"_blank\" rel=\"noopener nofollow\">walking people through the identity theft reaction process<\/a>. If ever you are concerned about identity theft, that site is a great place to begin.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Community Health Systems breach exposes the Social Security numbers of 4.5 million patients. Were you a victim? 
If so, how do you react?<\/p>\n","protected":false},"author":42,"featured_media":3841,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,9],"tags":[477,767,314,43,97,766],"class_list":{"0":"post-3840","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-tips","9":"tag-apt","10":"tag-cyberattack","11":"tag-data-breach","12":"tag-privacy","13":"tag-security-2","14":"tag-sensitive-information"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/community_health_systems_breach\/3840\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/community_health_systems_breach\/3937\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/community_health_systems_breach\/4328\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/community_health_systems_breach\/4587\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/community_health_systems_breach\/5765\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/community_health_systems_breach\/4584\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/community_health_systems_breach\/5765\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/community_health_systems_breach\/5765\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/apt\/","name":"APT"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/3840","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/42"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky
.com\/blog\/wp-json\/wp\/v2\/comments?post=3840"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/3840\/revisions"}],"predecessor-version":[{"id":15898,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/3840\/revisions\/15898"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/3841"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=3840"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=3840"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=3840"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}