The personal information of more than four million patients may be at risk after an attacker hacked into the computer network of hospital operator Community Health Systems sometime in April and June, according to reports.
The Tennessee-based company announced on Monday that names, addresses, birthdates, phone numbers and Social Security numbers may have been compromised, a Monday Associated Press (AP) report indicates.
Community Health Systems owns, operates and leases 206 hospitals in 29 states – including in California, Florida, New York and Texas – and the possibly compromised data relates to patients who were seen by doctors associated with the organization, according to the AP report.
The attacker is believed to be Chinese and used malware to compromise the Community Health Systems computer network, the AP report indicates, adding that the malware has since been removed and other measures are being taken to prevent any similar incidents from happening again.
Further details are sparse, and Community Health Systems did not respond to multiple SCMagazine.com requests for information.
In a Monday email correspondence, Larry Whiteside, CISO with Lower Colorado River Authority, told SCMagazine.com that one possible attack vector is credentials being stolen in a phishing incident, which he explained would give the attacker remote email access.
“Then that attacker [could have] used that legitimate email to send malware to people internally from a ‘trusted’ user,” Whiteside said. “Those users [may have] unknowingly opened that trusted email and attachment, or URL, and became infected with malware.”
Another possible scenario could have involved a malware-infected USB device being connected to a computer on the network, Whiteside said, explaining that, either way, the attacker was likely able to obtain the credentials of someone with access to the electronic medical record system.
The whole incident underscores a lack of focus, authority and priority given to security in healthcare, particularly because the people responsible for security in the industry are buried in the organization and not treated as executives, whose words and ideas carry weight, Whiteside said.
So, then, how should health organizations be approaching security?
“First, assess how much authority is actually given to the program,” Whiteside said. “Are they tied into strategic initiatives to include [mergers and acquisitions], or are they buried in IT, legal, [and] privacy with no real voice?”
He continued, “Next, develop a risk-based methodology to help prioritize your needs. Simultaneously, get to know your data, where it resides, how it's used, and who has access to it. Healthcare organizations have so many people that have a true need for access [to protected health information].”