
Hackers Steal Data Of 4.5 Million US Hospital Patients

Unknown Lamer posted about a month and a half ago | from the security-through-whoops dept.

Security 111

itwbennett (1594911) writes Community Health Systems said the attack occurred in April and June of this year, but it wasn't until July that it determined the theft had taken place. Working with a computer security company, it determined the attack was carried out by a group based in China that used 'highly sophisticated malware' to attack its systems. The hackers got away with patient names, addresses, birthdates, telephone numbers and Social Security numbers of the 4.5 million people who were referred to or received services from doctors affiliated with the company in the last five years. The stolen data did not include patient credit card, medical, or clinical information.


111 comments


Well I for one (0)

Anonymous Coward | about a month and a half ago | (#47700331)

Am looking forward to the UK's NHS databases going live. We are every bit as inept as our American neighbours.

Re:Well I for one (4, Funny)

The Grim Reefer (1162755) | about a month and a half ago | (#47700339)

Yes, but think of all the new medical breakthroughs and publications that will be coming out of China in the next few years. ;-)

Re:Well I for one (1)

wooferhound (546132) | about a month and a half ago | (#47700389)

I guess this needs to be reported, but, is it news anymore?

Re:Well I for one (1)

dcollins117 (1267462) | about a month and a half ago | (#47700465)

I guess this needs to be reported, but, is it news anymore?

Yes. It is huge news for anyone who seeks medical care in the US. Your supposedly confidential records are not confidential. It's criminal and I hope to see everyone responsible for mismanaging medical records prosecuted.

Re:Well I for one (4, Insightful)

ShanghaiBill (739463) | about a month and a half ago | (#47700983)

Your supposedly confidential records are not confidential.

My name, address, and phone number are already public information, and in the phone book. The only "confidential" information they got was the SSN, and that should be fixed by making it illegal to use SSNs as authentication. I am required to disclose my SSN to employers, contractees, financial institutions, creditors, etc. It is ridiculous to then assume that mere knowledge of my SSN is "proof" that I am me.

Re:Well I for one (2)

Aighearach (97333) | about a month and a half ago | (#47701293)

contractees should be given an EIN not a SSN.

Re:Well I for one (0)

Anonymous Coward | about a month and a half ago | (#47702431)

contractees should be given an EIN not a SSN.

Uhhhh....an EIN is an "employER identification number". If he's a single, independent contractor who doesn't have employees and hasn't incorporated himself, then he wouldn't have reason to have an EIN.

Re:Well I for one (1)

Jason Levine (196982) | about a month and a half ago | (#47702669)

All someone needs is your name, address, SSN, and birthdate and they can use your identity to open a credit card in your name*. Trust me, I know this from personal experience. If the thieves hadn't paid for rapid delivery of the credit card and THEN changed the address on the card, the card would have been delivered to them, not me. I wouldn't then have realized what was up until the collection agencies were banging down my door and my credit rating was in shambles. Instead, I was able to cancel the card though now my credit file is frozen to prevent future lines of credit being opened (since my information is already out there).

I'll agree that it's ridiculous that address/SSN/DOB are used as the secret key to your credit account. Unfortunately, that's the way things are and until they change this breach means millions of patients are at risk for identity theft.

* As an aside, that mother's maiden name "security" question on the forms? Let's just say that the TSA provides more security than this does. The thieves got it obviously wrong and the credit card was still approved by Capital One.

Re:Well I for one (0)

Anonymous Coward | about a month ago | (#47703009)

I'll agree that it's ridiculous that address/SSN/DOB are used as the secret key to your credit account. Unfortunately, that's the way things are and until they change this breach means millions of patients are at risk for identity theft.

That seems to be what the parent was suggesting. Congress ought to pass a law stating that any debts resulting from a new line of credit opened without in person verification of identity using birth certificate, passport, military identification, etc are null and void and cannot be used against somebody for the purposes of determining credit worthiness under penalty of perjury. You will see how quickly creditors change their ways when people can simply walk away from debts that they did not incur.

Re:Well I for one (0)

Anonymous Coward | about a month and a half ago | (#47701195)

Sweden did that a few years ago. A huge govt database of all medical records, including "lifestyle data". You need health care, it all needs to be added into the database -- any refusal means no care. The last leak that is publicly known was because some moron connected a router the wrong way (firewalled the LAN port and not the internet). Almost like an inside job...

The medical records (including psychiatric notes) are on sale on the internet quite openly. Welcome to your future in UK (and elsewhere).

Re:Well I for one (1)

hawkinspeter (831501) | about a month and a half ago | (#47702195)

How dare you say that! We've been more inept for much longer than the USians. We'd make sure that a random doctor loses his unencrypted laptop with all the data on it.

Got SS number but (1)

raind (174356) | about a month and a half ago | (#47700333)

"The stolen data did not include patient credit card, medical, or clinical information."

That seems to be a rather dubious claim.

Re:Got SS number but (0)

Anonymous Coward | about a month and a half ago | (#47700419)

While this matter may result in remediation expenses, regulatory inquiries, litigation and other liabilities, at this time, the Company does not believe this incident will have a material adverse effect on its business or financial results.

Obviously the penalties aren't harsh enough for losing the personal information of 4.5 million people.

Re: Got SS number but (0)

Anonymous Coward | about a month and a half ago | (#47700511)

That's where you are wrong. The fine is going to be huge!

Re: Got SS number but (0)

Anonymous Coward | about a month and a half ago | (#47700641)

Fines... yeah. This should warrant jail time. But nobody takes responsibility or is held accountable for these types of breaches.

Re: Got SS number but (2)

ShanghaiBill (739463) | about a month and a half ago | (#47701037)

This should warrant jail time.

America already imprisons more people than any other country. Many states spend more on prisons than on higher education. If, in addition to criminals, we want to also imprison the merely incompetent, we will need ten times as many prison cells.

Re: Got SS number but (1)

Anonymous Coward | about a month and a half ago | (#47702309)

Assassination is an effective tool if used properly. Simply offer $200K a head with a 5 million bonus for the entire team responsible, dead or alive.

Re:Got SS number but (1)

Khyber (864651) | about a month and a half ago | (#47700425)

Dubious? No. The information stolen is more relevant to stealing one's identity, creating false residency documentation, etc. Name, address, social security number? Ripe for identity fraud.

Re:Got SS number but (0)

Anonymous Coward | about a month and a half ago | (#47702531)

Which is far, far worse than losing your credit card number or clinical or medical information.

I don't really give a fuck if the Chinese know I had my adenoids removed when I was little, or if they know that my last physical said I could probably stand to lose a little weight.

I do give many, many fucks if they know my SSN and then can begin using that to defraud my identity: commit credit fraud, wire fraud, bank fraud, etc. I can cancel a credit card and be issued a new one. I can't do that with a Social Security Number, and I will never be able to recover from it fully should it be abused.

Re:Got SS number but (1)

jimbolauski (882977) | about a month ago | (#47704111)

I sure am glad that I have refused to give out my SS# to hospitals, doctors, insurance companies, ... Most don't seem to care if it's omitted, so I don't have to explain that I'm not comfortable giving them that information, making me look like a tinfoil-hat-wearing nut job.

yet another reason not to trust doctors (-1)

Anonymous Coward | about a month and a half ago | (#47700335)

Incompetent malpracticing assholes.

Re:yet another reason not to trust doctors (2)

Tablizer (95088) | about a month and a half ago | (#47700421)

Well, your DIY lobotomy didn't turn out so well.

Re:yet another reason not to trust doctors (0)

Anonymous Coward | about a month and a half ago | (#47700509)

The resulting lawsuit paid out great! Good bliss 'merica!

Re:yet another reason not to trust doctors (1)

ColdWetDog (752185) | about a month and a half ago | (#47700701)

You should have seen him before the lobotomy.

Re:yet another reason not to trust doctors (1)

Tablizer (95088) | about a month and a half ago | (#47701309)

Before? You mean her.

Re:yet another reason not to trust doctors (0)

Anonymous Coward | about a month and a half ago | (#47701035)

Incompetent malpracticing assholes.

Umm, so you think that the hospitals IT team is composed of doctors?

Re: yet another reason not to trust doctors (0)

Anonymous Coward | about a month ago | (#47703893)

Maybe not composed of, but very often run by doctors. "Hey I wrote some perl scripts in college so I know all there is to know about IT" says Mr/Ms CMIO.

why internet connected? (2, Informative)

Anonymous Coward | about a month and a half ago | (#47700341)

What were such systems doing connected to the public internet?

You reap what you sew. Put a system on the internet that is a big enough target, and it WILL be owned. The safe approach is physical separation coupled with careful local access control to prevent USB-style attacks (though with physical separation it is hard for them to phone home again).

Re:why internet connected? (1)

epyT-R (613989) | about a month and a half ago | (#47700377)

convenience rules the internet of things.

Re:why internet connected? (-1)

Anonymous Coward | about a month and a half ago | (#47700401)

Here's a list of reasons why I don't like the Internet of Things:

1) Internet of Things devices could watch me while I sleep.

2) Internet of Things devices could watch me while I pee.

3) Internet of Things devices could watch me while I make kaka.

4) Internet of Things devices could watch me while I pleasure myself.

5) Internet of Things devices could watch me while I wash my body in the shower.

6) Internet of Things devices could watch me while I relax in the tub.

7) Internet of Things devices could watch me while I brush my teeth.

8) Internet of Things devices could watch me while I make passionate love to my wife.

9) Internet of Things devices could watch me while I brush my hair.

10) Internet of Things devices could watch me while I read a book.

11) Internet of Things devices could watch me while I read Slashdot.

12) Internet of Things devices could watch me while I bake cake.

13) Internet of Things devices could watch me while I put in my contact lenses.

14) Internet of Things devices could watch me while I get ready to play golf.

15) Internet of Things devices could watch me while I do my laundry.

16) Internet of Things devices could watch me while I think about rugby.

17) Internet of Things devices could watch me while I tie my shoes.

18) Internet of Things devices could watch me while I celebrate the 4th of July.

19) Internet of Things devices could watch me while I water my flowers.

20) Internet of Things devices could watch me while I eat ham.

21) Internet of Things devices could watch me while I use my stapler to staple documents.

22) Internet of Things devices could watch me while I chew bubble gum.

23) Internet of Things devices could watch me while I check the oil in my car.

24) Internet of Things devices could watch me while I look for my TV remote.

25) Internet of Things devices could watch me while I blow my nose.

26) Internet of Things devices could watch me while I rearrange my stamp collection.

27) Internet of Things devices could watch me while I listen to the Backstreet Boys.

28) Internet of Things devices could watch me while I do my calisthenics.

29) Internet of Things devices could watch me while I search for a paper clip.

30) Internet of Things devices could send information about me to advertisers.

31) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I sleep.

32) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I pee.

33) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I make kaka.

34) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I pleasure myself.

35) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I wash my body in the shower.

36) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I relax in the tub.

37) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I brush my teeth.

38) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I make passionate love to my wife.

39) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I brush my hair.

40) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I read a book.

41) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I read Slashdot.

42) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I bake cake.

43) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I put in my contact lenses.

44) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I get ready to play golf.

45) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I do my laundry.

46) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I think about rugby.

47) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I tie my shoes.

48) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I celebrate the 4th of July.

49) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I water my flowers.

50) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I eat ham.

51) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I use my stapler to staple documents.

52) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I chew bubble gum.

53) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I check the oil in my car.

54) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I look for my TV remote.

55) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I blow my nose.

56) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I rearrange my stamp collection.

57) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I listen to the Backstreet Boys.

58) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I do my calisthenics.

59) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I search for a paper clip.

60) Everything listed above is really, really, really fucking creepy.

And those are just my top 60 reasons! I've got a lot more than just those. The Internet of Things is creepy to the max and it sounds like it could be very invasive.

Re:why internet connected? (0)

Anonymous Coward | about a month and a half ago | (#47700411)

8) Internet of Things devices could watch me while I make passionate love to my wife.

11) Internet of Things devices could watch me while I read Slashdot.

Liar.

Re:why internet connected? (0)

Anonymous Coward | about a month and a half ago | (#47700457)

while I brush my teeth
while I pee
while I pleasure myself
while I do my calisthenics
while I blow my nose

Those all sound perfectly normal, but:

while I listen to the Backstreet Boys.

Jesus! What kind of freak are you, anyway?

Re:why internet connected? (4, Insightful)

Sarten-X (1102295) | about a month and a half ago | (#47700407)

This is utterly ignorant.

Many (if not most) healthcare providers in the US are affiliated with a larger organization, such as Community Health Systems. The branch offices need to have access to patient data from other affiliated providers, and given that this includes emergency rooms and other urgent-care facilities, the information must be available as quickly as possible. Physical separation is not a reasonable option.

Re:why internet connected? (5, Insightful)

Sabbatic (3389965) | about a month and a half ago | (#47700649)

Kind of ignorant to assume that such information sharing, which is only about 25 years old, is so absolutely vital that anyone who questions it is foolish. I don't recall vast numbers of people dying in ER's across the country pre-internet as opposed to post. It's useful, no doubt, and saves some lives, but if the data can't be handled responsibly, it's reasonable to ask whether the benefit is worth the cost of exposing millions of people to massive breaches of privacy and risk of identity theft. In any event, since you have positioned yourself as knowledgeable about emergent care, I can assume that you are fully aware that the quick life-and-death decisions in ER's happen more quickly than would allow for a read-through of someone's medical history. In fact, too much data has been shown to lead to more misdiagnoses in ER's.

Re:why internet connected? (1)

ColdWetDog (752185) | about a month and a half ago | (#47700747)

This is most likely billing info. Until healthcare is free, you're going to have billing info. No way around it. The clinical info isn't really useful to your common crook - hard to make a buck out of knowing who has herpes since the pharmaceutical companies have already gleaned that information by paying your local pharmacist to tell them (legal and lucrative).

So, it's the old name, rank and social security number routine.

Re:why internet connected? (1)

msauve (701917) | about a month and a half ago | (#47702159)

"the pharmaceutical companies have already gleaned that [personal info on who uses what drugs] information by paying your local pharmacist to tell them (legal and lucrative)."

Prima facie, that seems to be a HIPAA violation. Cite supporting your statement?

Re:why internet connected? (1)

mrchaotica (681592) | about a month ago | (#47703753)

It's not a HIPAA violation because it's "aggregated and anonymized" (but we all know how easy it is to de-anonymize that kind of thing...).

I've heard it first hand from somebody who works at a medical billing software company (not going to be more specific for employment reasons, sorry).

Re:why internet connected? (1)

msauve (701917) | about a month ago | (#47704053)

The claim was "knowing who has herpes..."

That doesn't fit with "aggregated and anonymized" regardless of your unsupported claim that such info is easily de-anonymized.

Re:why internet connected? (1)

mrchaotica (681592) | about a month ago | (#47704385)

regardless of your unsupported claim that such info is easily de-anonymized.

1. A huge amount of de-anonymization research is being done these days (both academically and by companies like Google, Amazon, etc.)

2. Medical billing companies are trying to maximize profit, so they aren't going to put much effort into preventing de-anonymization (i.e., they're going to do the bare-minimum to be plausibly HIPAA-compliant).

Given the above, I think the idea that such info might not be easily de-anonymized is the extraordinary claim that needs support!

Re:why internet connected? (1)

msauve (701917) | about a month ago | (#47704529)

Logic fail. You're begging the question.

1. There's a huge amount of research on fusion power.

2. There's a lot of profit to be made from low cost energy.

From that, your logic would claim that fusion reactors are providing power worldwide.

Re:why internet connected? (1)

mrchaotica (681592) | about a month ago | (#47704707)

Excuse me. I guess I should have said "successful research" -- like this [dataprivacylab.org] (which is a study about a system that specifically was able to de-anonymize patient medical records!):

"Often organizations release and receive medical data with all explicit identifiers, such as name, address, phone number, and Social Security number, removed in the incorrect belief that patient confidentiality is maintained because the resulting data look anonymous; however, we show that in most of these cases, the remaining data can be used to re-identify individuals by linking or matching the data to other databases or by looking at unique characteristics found in the fields and records of the database itself."

Granted, it does go on to say "when these less apparent aspects are taken into account, each released record can be made to ambiguously map to many possible people, providing a level of anonymity which the user determines," but I see no reason whatsoever to expect that any actual medical billing software company would spend that extra effort. In fact, the quotation itself says that's exactly what happens!
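The passage quoted above describes re-identification by linking the remaining fields (ZIP, birth date, sex) to another database, and a release in which "each released record can be made to ambiguously map to many possible people". The following is an added example, not code from the linked study or from anyone in this thread: it measures that property as k-anonymity and applies a generalize-then-suppress heuristic in the style of Sweeney's Datafly system. The released records, the public list they are linked against, and the generalization ladder are all constructed for the example; the same generalization is applied to the public list before the post-release check, since an attacker linking coarsened data would coarsen their own copy the same way.

```python
from collections import Counter, defaultdict

QUASI = ("zip", "birth", "sex")

# Constructed "de-identified" release: names and SSNs stripped, quasi-identifiers kept.
# Made-up records, not data from the breach or from the cited study.
RELEASED = [
    {"zip": "37201", "birth": "1965-03-12", "sex": "F", "diagnosis": "hypertension"},
    {"zip": "37201", "birth": "1966-07-01", "sex": "F", "diagnosis": "asthma"},
    {"zip": "37203", "birth": "1971-08-30", "sex": "M", "diagnosis": "diabetes"},
    {"zip": "37204", "birth": "1978-11-02", "sex": "M", "diagnosis": "herpes"},
    {"zip": "37205", "birth": "1990-01-15", "sex": "F", "diagnosis": "influenza"},
    {"zip": "37208", "birth": "1994-05-20", "sex": "F", "diagnosis": "migraine"},
    {"zip": "37209", "birth": "1999-02-02", "sex": "F", "diagnosis": "eczema"},
]

# Constructed public list (think voter roll): names plus the same quasi-identifiers.
PUBLIC = [
    {"name": "A. Example", "zip": "37201", "birth": "1965-03-12", "sex": "F"},
    {"name": "B. Example", "zip": "37201", "birth": "1966-07-01", "sex": "F"},
    {"name": "C. Example", "zip": "37203", "birth": "1971-08-30", "sex": "M"},
    {"name": "D. Example", "zip": "37204", "birth": "1978-11-02", "sex": "M"},
    {"name": "E. Example", "zip": "37205", "birth": "1990-01-15", "sex": "F"},
    {"name": "F. Example", "zip": "37205", "birth": "1990-01-15", "sex": "F"},
    {"name": "G. Example", "zip": "37208", "birth": "1994-05-20", "sex": "F"},
    {"name": "H. Example", "zip": "37209", "birth": "1999-02-02", "sex": "F"},
]

# Generalization ladder per quasi-identifier; level 0 is the value as released.
# Deliberately stops short of "*" so suppression, not total erasure, is the last resort.
LADDER = {
    "zip": (lambda v: v, lambda v: v[:3] + "**"),
    "birth": (lambda v: v, lambda v: v[:4], lambda v: v[:3] + "0s"),
    "sex": (lambda v: v,),
}

def key(record, quasi=QUASI):
    return tuple(record[q] for q in quasi)

def k_anonymity(records, quasi=QUASI):
    """Size of the smallest equivalence class: every record looks like at least k others."""
    if not records:
        return 0
    return min(Counter(key(r, quasi) for r in records).values())

def reidentification_risk(released, public, quasi=QUASI):
    """How many released records match exactly one named person in the public list."""
    names = defaultdict(list)
    for p in public:
        names[key(p, quasi)].append(p["name"])
    return sum(1 for r in released if len(names.get(key(r, quasi), [])) == 1)

def apply_levels(records, levels, quasi=QUASI):
    """Rewrite each quasi-identifier to the chosen ladder level; other fields are untouched."""
    out = []
    for r in records:
        g = dict(r)
        for q in quasi:
            g[q] = LADDER[q][levels[q]](r[q])
        out.append(g)
    return out

def anonymize(records, k, quasi=QUASI):
    """Generalize the quasi-identifier with the most distinct values, one ladder step at a
    time, until every class has at least k members; then suppress records still below k.
    Returns (kept records, ladder levels used, number of records suppressed)."""
    levels = {q: 0 for q in quasi}
    current = list(records)
    while k_anonymity(current, quasi) < k:
        candidates = [q for q in quasi if levels[q] < len(LADDER[q]) - 1]
        if not candidates:
            break
        q = max(candidates, key=lambda a: len({r[a] for r in current}))
        levels[q] += 1
        current = apply_levels(records, levels, quasi)
    sizes = Counter(key(r, quasi) for r in current)
    kept = [r for r in current if sizes[key(r, quasi)] >= k]
    return kept, levels, len(current) - len(kept)

if __name__ == "__main__":
    print("raw release: k =", k_anonymity(RELEASED), "uniquely linkable =", reidentification_risk(RELEASED, PUBLIC))
    kept, levels, dropped = anonymize(RELEASED, 2)
    print("k=2 release:", levels, "suppressed", dropped, "linkable =", reidentification_risk(kept, apply_levels(PUBLIC, levels)))
```

On the constructed data the raw release is 1-anonymous and six of seven records link to exactly one name; three-digit ZIP plus birth decade gets the whole set to k=2 with nothing suppressed, while k=3 can only be met by suppressing the four records in undersized classes. That last case is the cost the quoted text alludes to: the release gets less useful as the guaranteed ambiguity goes up.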

Re:why internet connected? (0)

Anonymous Coward | about a month and a half ago | (#47702815)

Free... right...

Wake up..

isp "vpn". Social security numbers (1)

raymorris (2726007) | about a month and a half ago | (#47700755)

Their ISP would be more than happy to set up each hospital and office building with a "dedicated virtual circuit", which is basically a VPN handled and enforced by the ISP using their carrier-grade equipment. The ISP will ensure that the black network can't access the internet (and the internet can't access the black network). One thing ISPs can do pretty well is take AWAY your internet access. All systems with confidential data are connected only to the black network, which interconnects the various locations.

You do NOT need each workstation to have general internet access in order to connect them to your (virtual) WAN.

Additionally, the various workstations shouldn't have access to social security numbers anyway, even via the local network. Unless you're the social security administration or the IRS, you probably shouldn't be storing social security numbers. If some specific legacy system really has to have social security numbers, isolate that system behind a one-way trapdoor. It shouldn't have general internet accessibility.

Re: isp "vpn". Social security numbers (0)

Anonymous Coward | about a month and a half ago | (#47700777)

The real issue is the omnipotence of SSNs.

VPNs don't solve this on their own (4, Interesting)

dutchwhizzman (817898) | about a month and a half ago | (#47701079)

Disclosure: I'm a professional Penetration Tester

We find plenty of this sort of setups at our customers. Customers set up VPNs, have a password policy and a virus scanner. They have firewalls and keep user policies restricted. Then we come and we trojan someone, or find a weak WiFi password or whatever we use to get a foothold inside their network all it takes is one little mistake and we're "in". Once we get there, we log keyboards, get password hashes from network or system memory and start to pivot all over the place. Usually, our software will trigger virus alerts, but staff doesn't react to those "in a timely fashion" and we get to keep going even though alarms are going off on several computers. We could cloak our malware and sometimes we do, but usually it's too much trouble and we get domain admin passwords within a few days and rule the network in such a way that admins wouldn't be able to get rid of us if we would rootkit and backdoor properly.

It takes more than some policies and a VPN these days. You need IDS, proper procedures, layered security and skilled, motivated staff that knows how to deal with security incidents. You need properly trained and aware users that aren't afraid to admit they messed up and that have no problem reporting others doing wrong either. Don't trust on a single technical measure, but implement them all and make sure you test and train on a regular basis. Get a data classification policy and protect data according to that policy. That means that stuff like SSNs and anything that can be used for identity theft should get extra layers of protection and alerting implemented. If you don't do all this, a serious intruder will usually get what they want.
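The comment above asks for a data classification policy with "extra layers of protection and alerting" around SSNs and other identity-theft material. The following is an added example, not the commenter's code or any product's rule set: a small detector run over constructed database audit-log lines (the key=value format, the account names, the allow-list and the business-hours window are all assumptions for the example) that alerts when a restricted column is read by an account not cleared for it, in bulk beyond that account's normal volume, or outside business hours. The 4.5-million-row read is constructed to mirror the scale of the breach in the story.

```python
import re
from datetime import datetime, timezone

# Classification policy: columns that are identity-theft material. Constructed for the example.
RESTRICTED = {"ssn", "dob", "address"}

# Accounts cleared to read RESTRICTED columns, with the largest row count one query by
# that account may legitimately touch. Constructed allow-list.
ALLOWED = {"svc_billing": 500, "dba_jsmith": 50}

# Hours (UTC) in which restricted-column access is expected. Constructed policy.
BUSINESS_HOURS = range(7, 20)

# Constructed audit lines in a key=value shape; not any real product's log format.
SAMPLE_LOG = """\
2014-08-18T14:02:11Z user=svc_billing src=10.20.30.40 table=patients cols=name,ssn rows=120
2014-08-18T14:05:43Z user=nurse_ak src=10.20.31.7 table=patients cols=name,phone rows=3
2014-08-18T03:12:07Z user=svc_billing src=10.20.30.40 table=patients cols=name,address,dob,ssn rows=4500000
2014-08-18T09:47:19Z user=dba_jsmith src=10.20.30.5 table=patients cols=ssn rows=10
2014-08-18T11:30:00Z user=helpdesk_tmp src=10.20.32.99 table=patients cols=name,ssn,dob rows=2
"""

LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"table=(?P<table>\S+) cols=(?P<cols>\S+) rows=(?P<rows>\d+)$"
)

def parse(line):
    """Turn one audit line into a dict; returns None for lines that do not match."""
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["cols"] = set(ev["cols"].split(","))
    ev["rows"] = int(ev["rows"])
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev

def evaluate(event):
    """Return the list of alert reasons for one parsed event; an empty list means no alert."""
    touched = event["cols"] & RESTRICTED
    if not touched:
        return []  # no restricted column involved, nothing to classify
    reasons = []
    limit = ALLOWED.get(event["user"])
    if limit is None:
        reasons.append(f"unauthorized account {event['user']} read {sorted(touched)}")
    elif event["rows"] > limit:
        reasons.append(f"bulk read: {event['rows']} rows of {sorted(touched)} (limit {limit})")
    if event["ts"].hour not in BUSINESS_HOURS:
        reasons.append(f"restricted-column access at {event['ts'].strftime('%H:%M')} UTC, outside business hours")
    return reasons

def scan(log_text):
    """Run every line through the rules; returns [(user, [reasons]), ...] for alerting lines."""
    alerts = []
    for line in log_text.splitlines():
        event = parse(line)
        if event is None:
            continue
        reasons = evaluate(event)
        if reasons:
            alerts.append((event["user"], reasons))
    return alerts

if __name__ == "__main__":
    for user, reasons in scan(SAMPLE_LOG):
        print(user, "->", "; ".join(reasons))
```

Of the five constructed lines, only two alert: the service account's 4.5-million-row read at 03:12 fires both the bulk and the out-of-hours rule, and the uncleared helpdesk account fires the authorization rule even though it read only two rows. The point the commenter makes still stands: the rules are the easy part, and an alert nobody acts on within the hour changes nothing.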

Re:VPNs don't solve this on their own (0)

Anonymous Coward | about a month and a half ago | (#47701211)

Your second paragraph is interesting because I bet NO company (none at all) would implement all those procedures today. Definitely not a hospital.

Disposable identities would be a nice solution.

Re:VPNs don't solve this on their own (1)

electrosoccertux (874415) | about a month and a half ago | (#47701439)

I'm sure the GOVERNMENT would (don't worry you can trust us)

Joe Biden for 2016! (0)

Anonymous Coward | about a month and a half ago | (#47702057)

Joe Biden is a square shooter. Joe Biden for 2016.

Re:Joe Biden for 2016! (0)

Anonymous Coward | about a month and a half ago | (#47702363)

We need to hurry up and elect Joe so he can ultimately retire as the CEO (aka Sugar Daddy) of Amtrak.

Re:VPNs don't solve this on their own (4, Insightful)

JDG1980 (2438906) | about a month and a half ago | (#47701989)

You need properly trained and aware users

In other words, we're doomed.

Re:VPNs don't solve this on their own (3, Informative)

jbmartin6 (1232050) | about a month and a half ago | (#47702389)

I work the other side of this scenario, and while you are right for the most part (IDS technology sucks and should never be used) what you describe is an elaborate and costly setup that a minority of organizations could implement and even fewer could do effectively. It seems to me that a much more effective approach would be to limit the value (i.e. risk) of the information available to an attacker. Instead of taking extra measure to protect SSNs, ask if we even need to store them at all. I've seen a lot of incidents where I had to ask things like 'Why does this database have all this information in it when you only need three fields?' I'm not saying we should simply accept intrusion but vulnerability is infinite so moving to reduce the value of an intrusion to reduce the reward for attackers might be more effective than fruitlessly striving for perfect defense.
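The comment above argues for reducing what an intruder can take rather than only hardening the perimeter: asking whether the SSN needs to be stored at all, and why a table carries fields its workflow never uses. The following is an added example, not the commenter's code: it keeps only the fields a (constructed) billing workflow needs, and for the case where an SSN must still be matched later, stores a keyed HMAC token and the last four digits instead of the number itself. The record, the field list and the demo key are constructed; in practice the key lives outside the database (an HSM or a separate secrets service) so that a dump of the table alone yields nothing.

```python
import hmac
import hashlib

# The fields this constructed billing workflow actually needs. Anything else, SSN and
# date of birth included, is never written to its datastore.
NEEDED = {"patient_id", "name", "insurer_member_id"}

# Constructed demo key. A real deployment keeps the key outside the database.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Constructed intake record in the shape the story describes (name, address, DOB, phone, SSN).
INTAKE = {
    "patient_id": "P-0001",
    "name": "Pat Example",
    "address": "1 Example St",
    "dob": "1970-01-01",
    "phone": "555-0100",
    "ssn": "123-45-6789",
    "insurer_member_id": "INS-98765",
}

def minimize(record, needed=NEEDED):
    """Keep only the fields a workflow needs; drop the rest before storage."""
    return {k: v for k, v in record.items() if k in needed}

def ssn_token(ssn, key):
    """Keyed HMAC-SHA256 over the nine digits. An unkeyed hash would be reversible by
    enumerating the roughly 1e9 possible SSNs; the secret key is what makes the token
    useless to anyone who holds only the database."""
    digits = ssn.replace("-", "")
    if len(digits) != 9 or not digits.isdigit():
        raise ValueError("SSN must be nine digits")
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()

def store_with_ssn_reference(record, key):
    """For a system that must match an SSN later but never needs to display it:
    store a token plus the last four digits, not the SSN itself."""
    row = minimize(record)
    row["ssn_last4"] = record["ssn"].replace("-", "")[-4:]
    row["ssn_token"] = ssn_token(record["ssn"], key)
    return row

def ssn_matches(row, candidate_ssn, key):
    """Constant-time comparison of a presented SSN against the stored token."""
    return hmac.compare_digest(row["ssn_token"], ssn_token(candidate_ssn, key))

if __name__ == "__main__":
    row = store_with_ssn_reference(INTAKE, DEMO_KEY)
    print(sorted(row))  # no ssn, dob, address or phone column in the stored row
    print(ssn_matches(row, "123-45-6789", DEMO_KEY), ssn_matches(row, "123-45-6780", DEMO_KEY))
```

The stored row still supports the one legitimate use (does this presented SSN belong to this patient?) while containing nothing that can open a credit line, which is exactly the "reduce the value of an intrusion" trade the commenter describes.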

true, but funny you went there (1)

raymorris (2726007) | about a month and a half ago | (#47702599)

What you say is true, but it's funny in a way that reminds me of something I'd do.

Ac: They shouldn't be connected to the internet.
            -> Sarten-X: They need to be connected to the internet in order to be connected to each other.
                    -> raymorris: They can be connected to each other without being connected to the internet.
                            -> dutchwhizzman: Paragraphs of unrelated commentary

Re:why internet connected? (2)

chooks (71012) | about a month and a half ago | (#47702005)

In fact, too much data has been shown to lead to more misdiagnoses in ER's.

Citation needed

What type of data are you talking about? Lots of largely irrelevant lab data? (oh look...an elevated ESR!) Or is it historical data (Why yes Doctor, I do have a metal plate in my head. Is that bad for an MRI?)

The clinical history is one of the most powerful diagnostic tools available. Even in the ED.

Re:why internet connected? (0)

Anonymous Coward | about a month and a half ago | (#47700661)

This is utterly ignorant.

Not as much as putting this information on the internet for any hacker to steal is ignorant.

There are other ways. Use them. Lack of proper system design is not an excuse.

Re:why internet connected? (1)

forand (530402) | about a month and a half ago | (#47700731)

Why can't they use a VPN AT LEAST? The GP is not ignorant but perhaps too idealistic. Personally, while I don't think it is a good idea to have health records available on the internet, I think it is far worse that our electrical system REQUIRES internet access and communication between various points. This is a horrible national security risk, while private health records are rather difficult to either monetize or use (financial records excluded).

Re:why internet connected? (0)

Anonymous Coward | about a month and a half ago | (#47700417)

What were such systems doing connected to the public internet?

Working to connect disparate locations through a commonly available communications infrastructure.

You reap what you sew.

A kilt?

Put a system on the internet that is a big enough target, and it WILL be owned. The safe approach is physical separation coupled with careful local access control to prevent USB-style attacks (though with physical separation it is hard for them to phone home again).

Great. Then to make that useful, you'll need a standardized system for it to work. And the US can't even manage to standardize the IDs.

Re:why internet connected? (0)

Anonymous Coward | about a month and a half ago | (#47700667)

Working to connect disparate locations through a commonly available communications infrastructure.

I've highlighted the problem.

Re:why internet connected? (0)

Anonymous Coward | about a month and a half ago | (#47700879)

Yeah, good luck funding the construction of a secure and independent infrastructure for your hospitals.

Nobody's going to sign off on that money pit.

Re:why internet connected? (1)

Anonymous Coward | about a month and a half ago | (#47700443)

You reap what you sew. Put a system on the internet that is a big enough target, and it WILL be owned. The safe approach is physical separation coupled with careful local access control to prevent USB-style attacks (though with physical separation

The problem is that so many of these large networks are stitched together from disparate systems that can't easily be cut apart without causing the whole thing to unravel. It looms ever larger as legacy hardware and software must continue to be interwoven with new technology, so much so that it warps the mind even to consider trimming back what one might consider to be a loose thread.

Really, to properly harvest the gains of modern security it's probably essential to throw out the old pattern and tailor an approach that best fits the given surface area.

Re:why internet connected? (1)

Streetlight (1102081) | about a month and a half ago | (#47700537)

Even if the systems are not connected to the public Internet, given enough money, someone connected to the systems with proper security clearance and access could put the data that was stolen, and more, onto thumb drives, DVDs, or whatever. Snowden apparently wasn't paid for the enormous amount of data he purloined and didn't need the internet. Not so sure how well the data was secured from the public internet, but it didn't matter.

Re:why internet connected? (1)

Sabbatic (3389965) | about a month and a half ago | (#47700613)

So? Pretty much any security measures on anything can be compromised eventually. That doesn't mean they aren't worthwhile. The sort of operation that Snowden pulled off is much harder and rarer than some random group of hackers on the other side of the world taking shots at a system at their leisure.

Re: why internet connected? (0)

Anonymous Coward | about a month and a half ago | (#47700669)

You mean like MyGov in Australia?

Re:why internet connected? (0)

Anonymous Coward | about a month and a half ago | (#47700713)

Because doctors inside and outside of the hospital system share information.

Your X-rays, blood tests, MRIs, etc etc etc are all digital these days and so they are uploaded to your GP as part of the consult.

Re:why internet connected? (2)

ColdWetDog (752185) | about a month and a half ago | (#47700737)

What were such systems doing connected to the public internet?

You reap what you sew. Put a system on the internet that is a big enough target, and it WILL be owned. The safe approach is physical separation coupled with careful local access control to prevent USB-style attacks (though with physical separation it is hard for them to phone home again).

They weren't on the 'public' Internet. They got hacked. Why was this stuff even on the network? Excellent question. The quick answer is that the hospital would like to get paid. So they have to create claims. Claims these days are electronic, little to no paper. The claims have to be sent from the hospital to the insurance companies -- through a network. And that network is .... the Internet.

Yes, hospitals could just go back to point to point dialup but that's not very convenient. They most likely had firewalls and other fancy things to prevent this sort of thing from happening but got caught either misconfiguring something or, more likely, someone fooled some witless employee into divulging something they shouldn't have. And before you get all high and mighty about this sort of thing, stop and reflect that the next witless employee might well turn out to be you.

Re:why internet connected? (1)

JustOK (667959) | about a month and a half ago | (#47701669)

It's reap what you sow.

Re:why internet connected? (1)

msauve (701917) | about a month and a half ago | (#47702201)

It's rip what you sew. :-)

Re:why internet connected? (1)

Muad'Dave (255648) | about a month and a half ago | (#47702607)

You reap what you sow. You sew garments, you sow seed.

Re:why internet connected? (2)

jellomizer (103300) | about a month ago | (#47702945)

You do not work in health care, do you?

So when you get registered at the Hospital, your data will electronically get sent to the Electronic Medical Record system, which then will be sent to the Lab Systems, and back. Then all this data gets fed into a billing system which then needs to electronically send this data to the insurance company to be billed. Now we also have new regulations called Meaningful Use, and one of them is the ability to Send Electronic Medical Data to the Patient in less than 72 hours of the request. To meet this requirement most places have set up a Patient Portal, where the Patient can Login via the Web and get their access.

For proper treatment of patients the data needs to get sent to the professionals who need it, and they may be in different locations around the world.

So the government is telling Health Care industries to lock down PHI and make it more Open at the same time.

Sophisticated malware? (0)

Anonymous Coward | about a month and a half ago | (#47700345)

Installed by unsophisticated users?

Highly sophisticated malware used to attack system (1)

lippydude (3635849) | about a month and a half ago | (#47700367)

'Working with a computer security company, it determined the attack was carried out by a group based in China that used 'highly sophisticated malware' to attack its systems.'

That would be a msOffice document sent as an email attachment ..

Re:Highly sophisticated malware used to attack sys (1)

ColdWetDog (752185) | about a month and a half ago | (#47700759)

"..ICE patterns formed and reformed on the screen as he probed for gaps, skirted the most obvious traps, and mapped the route he'd take through Sense/Net's ICE. It was good ICE. Wonderful ICE... ...His program had reached the fifth gate. He watched as his icebreaker strobed and shifted in front of him, only faintly aware of his hands playing across the deck, making minor adjustments. Translucent planes of color shuffled like a trick deck. Take a card, he thought, any card.

The gate blurred past. He laughed. The Sense/Net ice had accepted his entry as a routine transfer from the consortium's Los Angeles complex. He was inside. Behind him, viral subprograms peeled off, meshing with the gate's code fabric, ready to deflect the real Los Angeles data when it arrived."

William Gibson

HIPAA Compliance (1)

MarkvW (1037596) | about a month and a half ago | (#47700415)

I sure hope the hackers comply with HIPAA. They sure will be in a lot of trouble if they don't.

Re:HIPAA Compliance (4, Informative)

Anonymous Coward | about a month and a half ago | (#47700473)

That is a very common misunderstanding. HIPAA only applies to "covered entities." That includes healthcare clearinghouses, health plans, and healthcare providers that transmit your information electronically. For example, the hospital I work for accidentally put thousands of records on a public web site, but because we didn't at the time transmit that information electronically to others as a normal part of our business, it wasn't a HIPAA violation. Another example is a collection agency. HIPAA doesn't apply to them either. HIPAA only protects your information in a small number of the use cases.

Justification (1)

Charliemopps (1157495) | about a month and a half ago | (#47700493)

"They used sophisticated malware!"

What a joke. And let me guess, they're offering free credit monitoring for up to a year! It's completely inexcusable that they waited over a month to report this. I hate to see the feds get involved in anything, but this is getting ridiculous. These incidents should result in fines in the tens of millions, minimum. Then they'd take security seriously. Most serious security efforts aren't even all that expensive. It's getting all the people and systems in compliance that's the issue.

This can't have happened. (1)

Richy_T (111409) | about a month and a half ago | (#47700497)

We have had a huge amount of government regulation in place for years. This must be lies or a simple misunderstanding.

Scuse me, I think I dropped my sarcasm tag.

Re:This can't have happened. (1)

50000BTU_barbecue (588132) | about a month and a half ago | (#47700561)

You're right, a for-profit only company would never have cut costs to the IT department. Nope.

Re:This can't have happened. (1)

jbmartin6 (1232050) | about a month and a half ago | (#47702329)

What does "for profit" have to do with cutting costs or other IT failures? Are you claiming that the "not for profit" or "non profit" hospitals are more diligent?

Re:This can't have happened. (0)

Anonymous Coward | about a month ago | (#47703517)

CHS has actually been spluffing huge amounts of stimulus money on "meaningful use" fluff IT projects. Cost cutting is most certainly not any realistic reason.

Steal?? (1)

Anonymous Coward | about a month and a half ago | (#47700557)

The hospital still has the records right? There is no missing property, right?

Re: Steal?? (0)

Anonymous Coward | about a month and a half ago | (#47700905)

Exactly!!

It is all 1s and 0s man. It isn't stealing because no one lost anything.

Information wants to be free!

Re:Steal?? (0)

Anonymous Coward | about a month ago | (#47703703)

The hospital still has the records right? There is no missing property, right?

That's right. *mv* is theft, *cp* is not.

Some offense has occurred but it is not theft.

Nice contrast.. (1)

Rick in China (2934527) | about a month and a half ago | (#47700559)

with the story about 'doctor visits' over Skype, and how many posters were railing against how they were afraid of eavesdropping/decrypting of their Skype conversations. Where are they now! :D

Re:Nice contrast.. (2)

stephanruby (542433) | about a month and a half ago | (#47700959)

with the story about 'doctor visits' over Skype, and how many posters were railing against how they were afraid of eavesdropping/decrypting of their Skype conversations. Where are they now!

These days, most of them are currently in China getting free medical advice and racking up medical bills over Skype.

Poorly designed systems & poor security (0)

Anonymous Coward | about a month and a half ago | (#47700707)

This isn't a problem specific to the medical arena, but a larger problem nobody wants to face up to.

We need to change the way we design and implement software and technology in general. It is utterly ridiculous that the same systems we're using to play games on are utilized for storing sensitive information. While it makes sense that much of the code can be used in both places, it doesn't mean it always should be, particularly when it wasn't intended for highly secure environments.

Certainly there should be multiple experts designing systems, reviewing code, and prioritizing security above all else, with regular third party audits along the way. This includes at the hardware level. There is no good reason we shouldn't design and manufacture some hardware within the United States utilizing people with security clearances. Nor is there an excuse for not having designed secure interfaces (i.e. USB sucks from a security perspective, at least in that you can't trust random hardware). There is no good reason every device should be dependent on proprietary firmware. Any firmware that exists should be open, audited, and written from the ground up with security in mind. The BIOS and other components should be no exception. Every piece of firmware should have write-protection too. There shouldn't ever be a place where malicious software can hide in the event that the OS needs to be wiped clean (due to potential security threats).

USB devices are a security risk, period. Any device which a facility connects should come with a chain of evidence from the manufacturing plant to the warehouse to the medical facility itself. Anything short of this is negligence when you have so much data in one place and readily accessible.

You can't allow users to connect ANY USB device themselves (like a USB flash drive). Such devices can be manipulated and are by their very nature untrustworthy.

joke's on them (1)

slashmydots (2189826) | about a month and a half ago | (#47700859)

Ha ha ha, I haven't been to the doctor in over 5 years. Joke's on you, bitches. Technically I worked at a hospital though.

The Case for Paper Records (0)

Anonymous Coward | about a month and a half ago | (#47701295)

Having thought about this issue for a while, my conclusion is that much of these risks could be nearly eliminated if these systems only stored "non-identifiable" information and left the identifiable stuff to paper.

This ought to work pretty well since the times we need to access identifiable information are pretty rare. Everyday medical processes don't need things like your exact date of birth, your SS# or even your address. They need a unique identifier to tie all of your medical records together but that identifying stuff tends to be write-only.

I propose that identifiable information be committed to paper files and then indexed by a "health id" - so that 1 in a 100 time that they need your phone number, they can walk over to the filing cabinet and pull out the piece of paper with your phone number on it.

I'm not saying a "paper firewall" is perfect, it absolutely will be less convenient but not burdensomely so if we design the system intelligently. Meanwhile, what we have now ain't working all that great either -- Stealing a filing cabinet is 1000x harder than copying some data across the net from the other side of the planet.

In other words... (0)

Chas (5144) | about a month and a half ago | (#47701349)

They SQL-injected Healthcare.gov and received a dump of everything that hasn't been purged out of the system since the last purge.

Some IT security jobs available at CHS now (0)

Anonymous Coward | about a month and a half ago | (#47701479)

http://www.chs.net/careers/job-opportunities/career-opportunities/corporate-office-opportunities/

Wonder how many people were fired over this. Didn't see any manager positions so the peons most likely took the fall instead.

CHS Locations (1)

HangingChad (677530) | about a month and a half ago | (#47702261)

Here's the list of Community Health Systems locations [chs.net] in case you've been to the hospital recently. Fortunately they don't have any in our area.

Re:CHS Locations (0)

Anonymous Coward | about a month and a half ago | (#47702371)

Here's the list of Community Health Systems locations [chs.net] in case you've been to the hospital recently. Fortunately they don't have any in our area.

they specialize in rural areas where they may be the only hospital for hundreds of miles. they typically stay out of urban areas... at the time I was there, their biggest hospital was in Birmingham, AL......not exactly a LARGE city.

Metaphoric Misery (0)

Anonymous Coward | about a month and a half ago | (#47702271)

There was no theft. It is not stolen if you still have it.

In 'geek speak':

      mv is theft.
      cp is not.

You might as well say a photograph steals your soul. :-)

They are late to the party (1)

jbmartin6 (1232050) | about a month and a half ago | (#47702353)

Given that the hospital's information is shared with all sorts of insurers, coding and transcription services, government agencies, services that comb the records looking for more insurance claims or more profitable claims, and so on, I have to say that these guys came really late to the party.

Info from someone who used to be there (1)

Anonymous Coward | about a month and a half ago | (#47702357)

Disclaimer... I worked at CHS for a few years in the engineering department....there was a separate department responsible for security and theoretically they were the ones responsible for making sure that everyone was following proper security standards...

...but the catch, is that they really weren't. The organization regularly used open shares because that's what the "applications" required. One app in particular was called ProMED. during the time I was there, this app was loaded in almost every Emergency Department. The way it worked was that the promed server (a physical windows server housed inside the hospital) had a 100% open share (everyone read/write/modify). the computers around the ER would then be logged into by users and the entire application would copy to the workstations and then write logs and other crap directly back to the open. The actual patient data was written to the server using an app specific user/pass for each user, so the user still had to authenticate to get into promed. To make things even worse, the promed server service accounts used the same password in all of the hospitals and were set to auto-login, because that was the only way that the application would launch. if you RDP'ed into one of the servers as your own account, it would hose that hospital's ER workstations because the application would kill itself and then relaunch using your own credentials........what? further, since they were using open shares (that we in engineering constantly told them were bad), they had problems for YEARS with worms spreading. What were we told when we told them that they couldn't have open shares? that this was the software we were going to use and that there was nothing we could do about the open shares since the vendor wouldn't support their software in any other configuration.

shall we dig deeper? sure!

workers at CHS are so underpaid that it doesn't shock me at all that no one gave a shit. I know that I didn't when I was there. I gave my 40 hours every week and got out. the good ole boy system is alive and well at CHS. there was an official procedure to do everything, which DID entail including someone from the TAVM and security teams to evaluate new hospital apps, but if whoever the app owner was was connected well enough, they could implement whatever they wanted.... a complete end-around of any red-tape.

I haven't heard from any of my friends that still work there, so I don't know which applications were actually hacked. My bet is that the 4.5 million is an overstatement. CHS isn't cohesive enough to have all the same apps deployed in all of their hospitals...most apps only had about 20-25% penetration of their hospitals. ProMED is the only one that I'm aware of that was actually deployed that widespread. They were also working on using the Cerner suite of apps to replace several of the other apps, like HPF and Meditech...they were actually talking about using it to replace ProMED at one point. I'm unsure of what the newly acquired HMA hospitals were using. Last year, CHS purchased 80 or so hospitals from a company called HMA, based out of Florida.

List of their hospitals. (0)

Anonymous Coward | about a month ago | (#47702957)

http://www.chs.net/serving-communities/locations/

Here is a list of all the hospitals that fall under their service.

Bad system design (0)

Natales (182136) | about a month ago | (#47702963)

First, SSNs themselves should not be "stored" in any database. They should be used dynamically for initial patient validation and stored as a salted hash. For that matter, you can do the same with DOB and other key identifiers that are not required for anything but for validation. Use an internal patient number as index for everything else. Second, use MAC (Mandatory Access Controls) for any app or microservice attempting to access specific portions of data. Any unauthorized attempt to access a record should be logged, and if you really want to catch the bad guys, do a transparent session forward to a honeypot with a fake database. Third, use 2 factor authentication for any remote access to the data. Fourth, all internal systems should run virtualized and accessed over VDI, no data on laptops, ever. Is it really that hard?
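A sketch of the storage model this post proposes, added here as an example and not code from the post or from any CHS system: an internal patient number is the index everywhere, SSN and DOB survive only as salted hashes used for validation, and a mandatory role check logs every denied read. The pepper, the role labels and SECTION_POLICY are assumptions; the pepper is needed because an SSN has only about a billion possible values, so a bare salted hash in a dumped table could be brute-forced.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

PBKDF2_ROUNDS = 100_000  # slow hash: guessing against a dumped table is expensive


def _canonical(value: str) -> bytes:
    """Strip dashes/spaces so '123-45-6789' and '123456789' hash identically."""
    return "".join(ch for ch in value if ch.isalnum()).encode()


def _hash_identifier(value: str, salt: bytes, pepper: bytes) -> bytes:
    # Per-record salt defeats precomputed tables; the secret pepper (assumed
    # to live in a KMS/HSM, never beside the data) is what stops a brute-force
    # of the small SSN/DOB space from a database dump alone.
    return hashlib.pbkdf2_hmac("sha256", pepper + _canonical(value), salt, PBKDF2_ROUNDS)


@dataclass
class PatientRecord:
    patient_id: str          # internal number used as the index for everything else
    name: str
    ssn_salt: bytes
    ssn_hash: bytes
    dob_salt: bytes
    dob_hash: bytes
    sections: Dict[str, dict] = field(default_factory=dict)  # e.g. "clinical", "billing"


# Hypothetical labels: which roles may read which section of a record.
SECTION_POLICY: Dict[str, Set[str]] = {
    "clinical": {"clinician", "lab"},
    "billing": {"billing"},
}


class PatientStore:
    def __init__(self, pepper: bytes) -> None:
        self._pepper = pepper
        self._records: Dict[str, PatientRecord] = {}
        self.audit_log: List[str] = []

    def register(self, name: str, ssn: str, dob: str,
                 sections: Optional[Dict[str, dict]] = None) -> str:
        """Plaintext SSN/DOB are consumed here and never stored."""
        patient_id = "P-" + secrets.token_hex(8)
        ssn_salt, dob_salt = secrets.token_bytes(16), secrets.token_bytes(16)
        self._records[patient_id] = PatientRecord(
            patient_id, name,
            ssn_salt, _hash_identifier(ssn, ssn_salt, self._pepper),
            dob_salt, _hash_identifier(dob, dob_salt, self._pepper),
            dict(sections or {}),
        )
        return patient_id

    def validate(self, patient_id: str, ssn: str, dob: str) -> bool:
        """Initial patient validation against the stored hashes (constant-time compare)."""
        rec = self._records.get(patient_id)
        if rec is None:
            return False
        ssn_ok = hmac.compare_digest(rec.ssn_hash, _hash_identifier(ssn, rec.ssn_salt, self._pepper))
        dob_ok = hmac.compare_digest(rec.dob_hash, _hash_identifier(dob, rec.dob_salt, self._pepper))
        return ssn_ok and dob_ok

    def read_section(self, patient_id: str, section: str,
                     principal: str, roles: Set[str]) -> Optional[dict]:
        """Mandatory check against SECTION_POLICY; every denied attempt is logged."""
        rec = self._records.get(patient_id)
        allowed = rec is not None and bool(roles & SECTION_POLICY.get(section, set()))
        if not allowed:
            self.audit_log.append(f"DENY {principal} roles={sorted(roles)} {patient_id}/{section}")
            return None
        self.audit_log.append(f"ALLOW {principal} {patient_id}/{section}")
        return rec.sections.get(section)

    def export(self) -> List[dict]:
        """What a dump of the identity table would contain: salts and hashes only."""
        return [{"patient_id": r.patient_id, "name": r.name,
                 "ssn_hash": r.ssn_hash.hex(), "ssn_salt": r.ssn_salt.hex(),
                 "dob_hash": r.dob_hash.hex(), "dob_salt": r.dob_salt.hex()}
                for r in self._records.values()]
```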

Re:Bad system design (0)

Anonymous Coward | about a month ago | (#47703107)

First, SSNs themselves should not be "stored" in any database. They should be used dynamically for initial patient validation and stored as a salted hash. For that matter, you can do the same with DOB and other key identifiers that are not required for anything but for validation. Use an internal patient number as index for everything else. Second, use MAC (Mandatory Access Controls) for any app or microservice attempting to access specific portions of data. Any unauthorized attempt to access a record should be logged, and if you really want to catch the bad guys, do a transparent session forward to a honeypot with a fake database. Third, use 2 factor authentication for any remote access to the data. Fourth, all internal systems should run virtualized and accessed over VDI, no data on laptops, ever. Is it really that hard?

which is all easy to claim if you 100% control the software solutions. most hospitals are using prepackaged software suites from major vendors. user info is in so many different applications..........none of which CHS actually controls the code to. if patient data is being stored unencrypted, yes CHS is partially to blame for picking the vendors, but vendors like McKesson, Meditech, Cerner, ProMED, Allscripts, etc should be even more to blame.

Patient Identification (1)

Ronin Developer (67677) | about a month ago | (#47703305)

Our gov't allowed SSNs to be used in all sorts of capacities since, I think the 1980's. I still have my SSN card which says "Not for Identification" - yeah...that old...issued in the 60's. Congress changed the rules and put us all in jeopardy by allowing SSNs to be used as a personal identifier.

How pervasive is it?

Want to write a letter to a military service member? Well, don't forget to add their SSN to the address. The military now uses the SSN as the service number...it's printed on the envelope of every letter to every military member.

Are you a student? It's likely your student identification number.

Shopping at the grocery store? Just you wait for them to ask for it...it's coming.

Hospitals do need the SSN because they become creditors and may need to supply information for disability and death claims. But, why is it needed as a patient identifier? Billing should be separate from patient records.

What we really need is something like OAuth access to our record (which should be encrypted). Granting access to this data should also require 2 factor authentication at the very least. The encryption keys should be kept in another secure system requiring extreme protocols to obtain a single one.

Who should maintain the patient id and records databases? Who should maintain the keys to access the encrypted data? Not sure. But, whoever figures it out and implements it is going to make a fortune.

Insecure systems or human error. END OF LINE. (1)

Miser (36591) | about a month ago | (#47703681)

It's either insecure systems or human error, or a combination of both that allowed this breach in my opinion. Why oh why most (not all) IT companies use the lowest common denominator or put things in for "ease of use" instead of "security" ? Folks need to start standing up to these sociopaths (the non-technical people in control) and set things up like they should be - SECURE.

They should be using locked down, secure systems (IBM Mainframes with security systems on top?) and two factor authentication. Does it make it a bit harder for the mouth breathers to log in? Perhaps. But I'd take that over these constant breaches we seem to be having. Fine the companies into the ground to the point that they have to go out of business (or have another company perhaps take them over so the actual healthcare WORKERS (not CEOs and other overpaid folks) keep their jobs).

Perhaps I'm rambling a bit but I hope you get my point.

Cheers,

Miser

They believe it was Chinese (1)

future assassin (639396) | about a month ago | (#47703889)

just another boogie man to add to the list when the current terrorist hysteria doesn't work anymore. We need to lock down the nation so those Chinese hackers can't steal your computer souls. Forget the fact that some idiot let the computers get infected with malware in the first place...

How do you know it was Chinese, just because it came from an IP originating in China?

Your children should know this (0)

Anonymous Coward | about a month ago | (#47704437)

China is America's no. 1 enemy.
Economic and military war are on the horizon.
