Heartbleed Attack Linked To Community Health Systems Breach

Cybercriminals exploited the OpenSSL Heartbleed bug in a Juniper Networks device, resulting in a massive data breach at Community Health Systems Inc. that could impact up to 4.5 million patients.

The attack originated in China and used highly sophisticated malware, according to Community Health Systems, which provides management, consulting and information technology services for health-care providers. The company acknowledged the breach on Wednesday, indicating that its computer network was targeted by attackers in separate intrusions conducted in April and June. The stolen data includes patient names, addresses, birth dates, Social Security numbers, and, in some cases, telephone numbers, and the names of employers or guarantors, the company said.

Not all patients or doctors affiliated with Community Health Systems Professional Services Corp. (CHSPSC) are impacted by the breach, the company said.

[Related: Heartbleed: OpenSSL Vulnerability News And Analysis]

"CHSPSC has implemented efforts designed to protect against future intrusions," according to a company statement about the breach posted on its website. "These efforts include implementing additional audit and surveillance technology to detect unauthorized intrusions, adopting advanced encryption technologies and requiring users to change their access passwords."

The United States Computer Emergency Readiness Team (US-CERT) said it is working with the FBI and the Department of Health and Human Services to gain information about the tactics used in the breach and provide guidance to other health-care providers to take precautions.

The initial attack vector is believed to be the OpenSSL Heartbleed vulnerability, targeted in a Juniper device, according to Strongsville, Ohio-based TrustedSec, citing an "anonymous source" close to the investigation. The security consultancy and solution provider, headed by security industry veteran David Kennedy, said the attackers were able to get user credentials from the memory of the Juniper device, which was vulnerable to the Heartbleed flaw at the time. The attackers used the stolen credentials to log into the corporate network through the Community Health Systems VPN, Kennedy said in a blog post about the security breach.

"This is the first confirmed breach of its kind where the Heartbleed bug is the known initial attack vector that was used," Kennedy said. "There are sure to be others out there, however, this is the first known of its kind."

Security experts have warned that the dangerous flaw could be used by criminals to intercept passwords, user names and other sensitive information as the it crosses the corporate network. TrustedSec said that once inside, the attackers moved to the Community Health Systems database containing the patient records.

"What we can learn here is that when something as large as Heartbleed occurs [rare], that we need to focus on addressing the security concerns immediately and without delay," Kennedy said. "Fixing it as soon as possible or having compensating controls in place days before could have saved this entire breach from occurring in the first place."

The Canada Revenue Agency rushed to patch a web server containing the Heartbleed bug in April, after investigators there determined an attack exposed data affecting 900 Canadian citizens.

The OpenSSL Project issued a patch in April, repairing the vulnerability. The coding error in the open source encryption protocol impacted a variety of commercially available networking devices, including widely used firewall and VPN appliances from Cisco Systems, Juniper Networks and others. Juniper identified eight products containing the Heartbleed vulnerability and issued patches to customers.

These included Junos OS 13.3R1, along with certain versions of Juniper Network Connect, Junos Pulse and Odyssey clients versions 5.6r5 and later. Juniper's SSL VPN software also was impacted.

NEXT: Heartbleed Bug Had No Easy Fix, Say Solution Providers

A wide variety of other manufacturers issued security updates to repair their device firmware. Solution providers told CRN that they had been working with clients to assess their clients' networking gear and to help deploy patches. Security updates were more difficult than most, requiring administrators to revoke keys used to encrypt communication and redistribute new keys.

The biggest issue businesses faced was determining whether they were directly impacted by the bug, said Justin Flynn, a consultant and network security specialist with Chicago-based solution provider Burwood Group. In addition to advising clients, Flynn conducted a webinar to provide guidance on assessing systems and adding signatures to protect against exploits targeting the flaw. Even organizations that didn't have networking gear containing the flaw faced a potential risk from the threat by business partners that were directly impacted, Flynn said.

The Heartbleed flaw focused attention on open source projects, many of which are underfunded yet produce functioning software used in commercial products. The Hearbleed bug may have been contained in OpenSSL for two or more years, security experts said. Cisco was among about a dozen technology vendors backing a $3.6 million donation to the Linux Foundation to fund core open source infrastructure improvements beginning with bolstering OpenSSL.

Network complexity made assessments difficult for some clients, according to Jeffrey Hewson, a national sales director in the data networking group at Carousel Industries of North America. Hewson said many of the latest attacks highlight rising sophistication of attacks, with government-funded hacking and crime syndicates investing significantly in advanced threats.

"Networks are so much more accessible than they have ever been," Hewson said. "Attacks are significantly different because the people who were attacking before were going for notoriety, and they were not as well-funded as they are today."

PUBLISHED AUG. 21, 2014