What Healthcare Can Learn From CHS Data Breach


Slack & Davis attorney Paula Knippa offers this commentary on Community Health Systems’ recent data breach, as featured in the November 25, 2014, issue of Information Week.

——

What Healthcare Can Learn From CHS Data Breach
Security breach that exposed personal data on 4.5 million Tennessee healthcare system patients offers key lessons to prevent similar cyber attacks.

Tennessee-based Community Health Systems (CHS) disclosed in its Form 8-K SEC filing in August that its computer network had been hacked at least twice in April and June of 2014 through criminal cyber attacks originating from China. All healthcare organizations can learn from one health system’s breach.

CHS – which owns, operates, and leases 206 hospitals across 29 different states – confirmed that these hacking incidents resulted in the theft of non-medical, patient-identifying information of 4.5 million individuals who had, in the last five years, been referred to or received services from physicians affiliated with CHS. This information included patient names, addresses, birthdates, telephone numbers, and social security numbers.

Although CHS portrays the attacks as incidents in which hackers used highly sophisticated malware and technology to attack its system – and were thereby able to bypass its security measures to access the personal data of millions of patients – sources closer to the investigation have described a different scenario. According to these sources, CHS’s system was hacked through a test server that was never intended to be connected to the Internet at all. Because Internet connectivity was not contemplated, the security features that would – and should – be deployed in a live production server were not installed on the test server.

Unfortunately, sensitive VPN credentials were stored in the memory of the test server so, when it did become connected to the Internet, hackers were able to access the test server via the Heartbleed bug and obtain those VPN credentials. Hackers then used these credentials to access CHS’s system and steal millions of patients’ personal information. In a sense, it was as though CHS left the lights on and a note on the door, saying, “Hey, come on in. The key is under the doormat!”

Utterly voidable
In these days of seemingly daily reports of data breaches, the danger lies in the potential for complacency in those charged with overseeing the design, implementation, and maintenance of cyber-security measures to protect data that healthcare companies collect from their patients. In other words, those responsible for corporate leadership and governance in the area of cyber security will become passively resigned to the perceived “inevitability” of a data breach, instead of systematically – and systemically – reviewing and transforming the company’s cultural approach to cyber security and risk management.

For example, in this case, if cyber security had been ingrained as a paramount priority in the development, maintenance, and security teams at CHS, a “test” server would never have been loaded with valuable VPN credentials without the corresponding cyber-security features to prevent unauthorized access in the event that the server was ever connected to the Internet. If this is in fact how the data breaches occurred, this was an utterly foreseeable occurrence that could have been easily anticipated and guarded against.

What can healthcare learn?
The healthcare industry has developed – as it must – policies, procedures, and redundancies to protect patients from mistakes made in a medical treatment context. The same approach should be taken to protect patients’ personal identifying information. Healthcare organizations must conduct a thorough review of their cyber-security policies and procedures for their computer network and data systems from their initial development to their implementation, maintenance, and ultimately, retirement. They should then document these policies and procedures and bring in an independent third-party vendor to review them to identify any gaps or vulnerabilities that could be exploited by cyber criminals.

Having documented these cyber-security policies and procedures – and closed any gaps or vulnerabilities identified by a thorough, independent review – healthcare organizations should then monitor, on an ongoing basis, compliance by their employees and/or vendors with those documented policies and procedures. Incorporating cyber security as a core value in a healthcare organization’s culture is essential to minimizing, if not altogether eliminating, the risk of a data breach that damages not only the healthcare organization, but the patients who have entrusted their personal information to its care.

Paula Knippa, an attorney in the Austin office of Slack & Davis, represents clients in a range of litigation matters, including complex aviation and non-aviation business litigation, class and mass actions, as well as products liability and catastrophic personal injury.