In mid-August, healthcare provider Community Health Systems announced that its computer system had fallen victim to an attack. The security incident, which took place in April and June, was an external criminal infiltration by an advanced persistent threat group based in China, The Wall Street Journal reported.
Community Health Systems, which operates 206 hospitals across 29 states, consulted cybersecurity firm Mandiant after discovering the attack. The data protection company determined that the likely cause of the attack was the advanced persistent threat organization. The group reportedly leveraged a considerably sophisticated malware sample to breach the healthcare provider’s internal systems.
The infection allowed hackers to sidestep all security measures present on Community Health Systems’ infrastructure, enabling them to copy and transmit sensitive information to an outside receiver. The data compromised in the attack includes the names, addresses, birthdates, phone numbers and Social Security numbers of the hospitals’ patients. While no financial information was breached, the details transmitted by hackers are more than enough to commit a whole host of fraudulent activities, including those connected with identity theft.
“Anytime you have Social Security numbers flying around, that’s never a good thing,” noted Blake Wiedman of The Crichton Group. “That’s one of the most severe losses.”
All told, cybercriminals were able to access the information of an untold number of patients, all of whom received treatment from Community Health Systems or were referred there in the past five years, according to HealthIT Security.
HIPAA violation requires mass notification
Although details are still emerging and officials are unsure of just how many patients’ information was breached, HealthIT Security noted that the incident constitutes a violation of HIPAA, the Health Insurance Portability and Accountability Act. Therefore, Community Health Systems was required to notify all of its patients – 4.5 million of them.
Research of the Office for Civil Rights breach database found that the Community Health Systems incident was the second largest HIPAA breach ever. The Nashville Business Journal noted that it is second only to the 2011 breach of Tricare Management Activity, which impacted 4.9 million people.
Advanced persistent threat group
HealthIT Security noted that once the advanced persistent threat group’s malware was discovered, Community Health Systems took steps to immediately remove it from its network. The healthcare provider’s third-party security firm noted that previously, the APT organization also sought to steal other intellectual property, including data connected with medical devices. Thankfully, this information wasn’t breached during the attack.
According to Symantec, advanced persistent threats utilize a typical set of phases to infiltrate a network, prevent being detected and take as much information as possible over a long period of time. These steps include:
- Reconnaissance: In the first phase, hackers gather information to better understand their target.
- Incursion: Next, the attackers penetrate the target network through specialized malware delivered via social engineering to certain exploitable systems or employees.
- Discovery: After breaking in, the goal of an advanced persistent threat is to remain within the system undetected for as long as possible. Once they’ve infiltrated the system, these threats leverage several parallel kill chains to prevent being uncovered.
- Capture: At this point, cyberthieves utilize their undetected position to actually steal the information they are after. Attackers also might deploy additional malware to make off with sensitive company data and interrupt business processes.
- Exfiltration: Once the targeted data is captured, hackers transmit the details outside the organization to a location under their control.
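The exfiltration phase is where the Community Health Systems data left the network, and it is also the phase a monitoring system has the best chance of catching: a patient-records server should not be pushing hundreds of megabytes to an outside address at all. The following is an added illustration, not code from the article or from any vendor it cites; the host names, address ranges, segregation policy and flow records are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of outbound connection records: (source host, destination IP, bytes sent).
# These are made up for the example and do not describe any real incident.
SAMPLE_FLOWS = [
    ("ehr-db-01", "10.0.5.20", 120_000),
    ("ehr-db-01", "10.0.5.21", 80_000),
    ("ehr-db-01", "203.0.113.45", 950_000_000),   # large push to an outside receiver
    ("workstation-17", "198.51.100.7", 2_000_000),
    ("workstation-17", "10.0.9.3", 500_000),
    ("mail-gw-01", "198.51.100.9", 40_000_000),
]

# Address ranges the organisation treats as internal (hypothetical for this example).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hosts that, under a network-segregation policy, should never talk directly to the
# Internet, e.g. the patient-records database (hypothetical policy).
INTERNAL_ONLY_HOSTS = {"ehr-db-01"}

def is_external(ip: str) -> bool:
    """True if the destination lies outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def outbound_external_bytes(flows):
    """Sum the bytes each host sent to external destinations."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        if is_external(dst):
            totals[src] += nbytes
    return dict(totals)

def find_exfil_candidates(flows, threshold_bytes=100_000_000):
    """Return (host, reason) alerts. A host is flagged for any external traffic if it is
    internal-only, and for a volume anomaly if its external total exceeds the threshold."""
    alerts = []
    for host, total in sorted(outbound_external_bytes(flows).items()):
        if host in INTERNAL_ONLY_HOSTS:
            alerts.append((host, "segregation-violation"))
        if total > threshold_bytes:
            alerts.append((host, "volume-anomaly"))
    return alerts

if __name__ == "__main__":
    for host, reason in find_exfil_candidates(SAMPLE_FLOWS):
        print(f"ALERT {host}: {reason}")
```

In practice the threshold would be a per-host baseline learned from normal traffic rather than a fixed constant, and the flows would come from firewall or NetFlow exports rather than an inline list.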
According to Trend Micro and ISACA’s Advanced Persistent Threat Awareness report, while APTs were once thought to only attack federal organizations, breaches in other sectors have demonstrated that this is a large-scale issue that can impact a number of different sectors. Furthermore, although 53.4 percent of businesses don’t think APTs differ from conventional system security risks, 63 percent noted that it is only a matter of time before their organization falls victim to an APT attack.
Protecting data from advanced persistent threats
There are certain strategies organizations can leverage to defend against an advanced persistent threat. The Trend Micro survey found that right now, almost 60 percent of companies believe they are prepared to deal with an APT attack because of the security measures they have in place. These can include a range of protections, but the majority of businesses rely on monitoring systems, anti-virus and anti-malware software, network technologies like firewalls, and sandboxes. In addition, many organizations also have controls in place to prevent APT intrusion through mobile and remote access, including endpoint controls, remote access technology, mobile anti-virus and mobile security gateways. Additional controls like network segregation and more focus on email security and user training are also helpful, Trend Micro noted.
Overall, being aware of the risk advanced persistent threats can pose bolsters the ability to prevent such attacks.
“[APTs] are different from traditional threats and need to be considered as a different class of threat,” the Trend Micro ISACA report stated.