Since the initial report of the Community Health Solutions breach, in which attackers hacked into the CHS network to gain personal data of a whopping 4.5 million patients, details of the hack are emerging.

According to security firm TrustedSec, owned by David Kennedy, “a trusted and anonymous source close to the CHS investigation” has confirmed that the initial attack was the result of a Heartbleed vulnerability.

By exploiting the now well-known OpenSSL vulnerability known as “Heartbleed”, attackers were able to glean user credentials from memory on a Community Health Solutions Juniper device. They used these credentials to log in via a VPN. Once inside, the hackers used malware and other technology to obtain even more of the patient data.

As TrustedSec’s release highlights, “This is the first confirmed breach of its kind where the Heartbleed bug is the known initial attack vector that was used.” And although it’s been over four months since the initial news about the Heartbleed vulnerability was made public, as long as vulnerable versions of OpenSSL are still in use, it can be abused.

The process of stopping the Heartbleed “leak” hasn’t really changed – any occurrence of OpenSSL must be patched. The challenge is that OpenSSL is used pervasively and not all vendors may have offered patches. See, for example, “Heartbleed’s Mitigating Effects on Networked Medical Devices”, which highlights challenges of patching medical devices that are in use. In cases where a fix has not yet been made available by the vendor, other mitigation steps will be necessary.

Multiple security vendors, including Eagle Consulting Partners, offer scanning tools and services to identify occurrences of the Heartbleed vulnerability.  Eagle can conduct a vulnerability analysis which scans all network devices to identify this vulnerability.  Call for details.
