As I described earlier this week on the Tripwire State of Security blog, hackers broke into the computer network of Community Health Systems (CHS), and stole personal data related to 4.5 million patients.
The hackers, who struck in April and June this year, are feared to have accessed details of individuals who were referred for or received services from doctors affiliated with the CHS hospital group in the last five years.
CHS worked with Mandiant, a division of security firm FireEye, to investigate the attack and the finger of suspicion (somewhat predictably) got pointed towards China.
Now, claims have been made that the attack was orchestrated with a little help from the notorious OpenSSL Heartbleed vulnerability.
According to TrustedSec, the Heartbleed vulnerability was the initial attack vector used by the hackers to gain entry to CHS’s network.
Attackers were able to glean user credentials from memory on a CHS Juniper device that was still vulnerable to Heartbleed at the time, and then used those credentials to log in via a VPN.
From here, the attackers were able to further their access into CHS by working their way through the network until the estimated 4.5 million patient records were obtained from a database.
Sadly, details (as with CHS’s initial announcement) are scarce, and TrustedSec merely says that it was told the information by a “trusted and anonymous source close to the CHS investigation.”
Here is the interesting thing.
Heartbleed became public knowledge in April, and technology companies around the world rushed to push out fixes – Juniper amongst them. The latest update in Juniper’s knowledge base relating to its patching against Heartbleed is dated May 6th.
So, if Juniper had a patch against Heartbleed by May, how come CHS got hacked via a vulnerable Juniper device in June?
The answer is simple: Patching is really hard. With the best will in the world, many organisations struggle to roll out patches and update systems in a timely fashion to deal with the latest vulnerabilities.
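The practical defender's question this raises is the one CHS evidently did not answer in time: which devices are still running a Heartbleed-affected OpenSSL build? The script below is an added example, not code from the original post or from Juniper, Mandiant or TrustedSec. It parses OpenSSL version strings, flags the affected range (1.0.1 through 1.0.1f, plus the 1.0.2 beta builds up to beta1; 1.0.1g carried the fix) and runs the check over a constructed inventory. The device names, versions and the two mitigation flags (`heartbeats_compiled_out`, for builds made with `OPENSSL_NO_HEARTBEATS`, and `vendor_fix_applied`, for a backported fix that keeps the old version string) are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Heartbleed (CVE-2014-0160) affects OpenSSL 1.0.1 through 1.0.1f and the
# 1.0.2 beta builds up to beta1; 1.0.1g shipped the fix. The 1.0.0 and 0.9.8
# branches never contained the TLS heartbeat bug.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?$")


@dataclass
class Device:
    """One entry in a (hypothetical) asset inventory."""
    name: str
    openssl_version: str
    heartbeats_compiled_out: bool = False  # built with OPENSSL_NO_HEARTBEATS
    vendor_fix_applied: bool = False       # backported fix, version string unchanged


def parse_version(s):
    """Split '1.0.1e' or '1.0.2-beta1' into (major, minor, patch, letter, beta)."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {s!r}")
    major, minor, patch, letter, beta = m.groups()
    return (int(major), int(minor), int(patch), letter, int(beta) if beta else None)


def is_heartbleed_vulnerable(version):
    """True if this upstream OpenSSL version string lies in the affected range."""
    major, minor, patch, letter, beta = parse_version(version)
    if (major, minor, patch) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f; 'g' and later carry the fix.
        # OpenSSL letter suffixes sort lexically ('a' < 'f' < 'g' < 'za').
        return letter == "" or letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        return beta is not None and beta <= 1
    return False


def assess(device):
    """Classify a device: not affected, mitigated by build/backport, or still exposed."""
    if not is_heartbleed_vulnerable(device.openssl_version):
        return "not affected"
    if device.heartbeats_compiled_out or device.vendor_fix_applied:
        return "mitigated"
    return "VULNERABLE"


def triage(inventory):
    """Map each device name to its Heartbleed status."""
    return {d.name: assess(d) for d in inventory}


# Constructed sample inventory; these are not real CHS or Juniper records.
INVENTORY = [
    Device("vpn-edge-1", "1.0.1e"),
    Device("vpn-edge-2", "1.0.1g"),
    Device("web-lb-1", "1.0.2-beta1", heartbeats_compiled_out=True),
    Device("legacy-mail", "0.9.8y"),
    Device("app-server-3", "1.0.1e", vendor_fix_applied=True),
]

if __name__ == "__main__":
    for name, status in triage(INVENTORY).items():
        print(f"{name:14s} {status}")
```

Two caveats follow from the CHS timeline. First, a version string alone is not proof of exposure or safety: distribution and appliance vendors often backport the fix without bumping the version, which is why the example carries an explicit `vendor_fix_applied` flag rather than trusting the number. Second, because Heartbleed leaks process memory, patching the device does not undo what was already read out of it; credentials and private keys that were resident on a vulnerable VPN endpoint should be rotated after the patch, otherwise the attacker can keep logging in with valid credentials long after the bug itself is gone, which is exactly the pattern the TrustedSec account describes.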
But breaches like the one that occurred at CHS prove that IT teams must be given the resources and backing by senior management to fix vulnerabilities in a timely fashion once they become known, or risk making bad news headlines and putting millions of customers at risk.