Hackers Steal Data Of 4.5 Million US Hospital Patients

itwbennett (1594911) writes Community Health Systems said the attack occurred in April and June of this year, but it wasn't until July that it determined the theft had taken place. Working with a computer security company, it determined the attack was carried out by a group based in China that used 'highly sophisticated malware' to attack its systems. The hackers got away with patient names, addresses, birthdates, telephone numbers and Social Security numbers of the 4.5 million people who were referred to or received services from doctors affiliated with the company in the last five years. The stolen data did not include patient credit card, medical, or clinical information.

why internet connected?

[Anonymous Coward]

What were such systems doing connected to the public internet?

You reap what you sew. Put a system on the internet that is a big enough target, and it WILL be owned. The safe approach is physical separation coupled with careful local access control to prevent USB-style attacks (though with physical separation it is hard for them to phone home again).

Re:HIPAA Compliance

[Anonymous Coward]

That is a very common misunderstanding. HIPAA only applies to "covered entities." That includes healthcare clearninghouses, health plans, and healthcare providers that transmit your information electronically. For example, the hospital I work for accidentally put thousands of records on a public web site, but because we didn't at the time transmit that information electronically to others as a normal part of our business, it wasn't a HIPAA violation. Another example is a collection agency. HIPAA doesn't apply to them either. HIPAA only protects your information in a small number of the use cases.

Re:VPNs don't solve this on their own

[jbmartin6]

I work the other side of this scenario, and while you are right for the most part (IDS technology sucks and should never be used) what you describe is an elaborate and costly setup that a minority of organizations could implement and even fewer could do effectively. It seems to me that a much more effective approach would be to limit the value (i.e. risk) of the information available to an attacker. Instead of taking extra measure to protect SSNs, ask if we even need to store them at all. I've seen a lot of incidents where I had to ask things like 'Why does this database have all this information in it when you only need three fields?' I'm not saying we should simply accept intrusion but vulnerability is infinite so moving to reduce the value of an intrusion to reduce the reward for attackers might be more effective than fruitlessly striving for perfect defense.