One of America's largest hospital chains is the latest to fall victim to a group of sophisticated Chinese hackers, who compromised 4.5 million patients' data, including Social Security numbers, in April and June. The cyber attack is the largest ever reported by a U.S. health care company and should serve as a warning to private companies to take their cyber protection more seriously.
"Many companies are instituting anti-malware controls to detect malware prior to infection," said Kroll Cyber Investigations Managing Director Timothy P. Ryan in an email interview with The Christian Post. "Other companies are incorporating more robust threat intelligence into their defensive systems. Still other companies are combining these actions with trained incident response teams that understand both the technology and the investigative aspects surrounding APT attacks."
According to a filing with the U.S. Securities and Exchange Commission on Monday, the cyber attack on Community Health Systems, a Tennessee-based health care operator with 206 hospitals in 29 states, affected patients who visited Community Health hospitals in the last five years. The data taken in the attacks did not include credit card information or medical and clinical information. However, the hackers also compromised names, addresses, birth dates and telephone numbers.
The hospital chain said that it is working with the cyber security firm Mandiant to determine how the hackers were able to obtain the data. Mandiant labeled the attack an "advanced persistent threat," a type of attack commonly associated with a group of Chinese hackers.
This attack comes in the aftermath of what many believe to have been an organized effort by Chinese military hackers, who targeted American corporations in a number of intellectual industries for highly important data and blueprints.
Richard Clarke, former White House advisor on cyber security, wrote in his book Cyber War that Chinese hackers have stolen "secrets behind everything from pharmaceutical formulas to bioengineering designs, to nanotechnology, to weapons systems, to everyday industrial products."
However, it is uncommon for hackers who normally pursue corporate intellectual property to go after personal data, as they did in the Community Health attack. This leads many to wonder what the hackers will do with that information.
"We have tracked this group for the past four years and internally refer to them as APT 18," said Charles Carmakal, managing director of Mandiant, in an interview with Bloomberg. "This group typically targets companies in the aerospace and defense, construction and engineering, technology, financial services, and health care industry verticals."
In February, the U.S. government, through the National Institute of Standards and Technology, released a final version of standards it wishes the private sector would adopt in order to help protect against future attacks. If the framework is ever adopted by the private sector, it would require companies to take certain measures to help reduce the risk of future attacks.
"This voluntary Framework is a great example of how the private sector and government can, and should, work together to meet this shared challenge," President Barack Obama said.
Proponents of the framework claim that companies don't do enough to protect their data and the vulnerable information of the people associated with those companies. Proponents feel that a regulated push from the government is needed to make strides in that area.
However, opponents of the framework claim that the standards are too vague and would actually prohibit improvement in private sector cyber security. There is also fear within the private sector that the costs of meeting the standards will be too high and cut too far into companies' profits.
Richard Bejtlich, chief security strategist with FireEye, a leading company in next-generation cyber threat protection, told Politico that the only way companies will start to invest in cyber protection is if they experience an attack firsthand.
"In my opinion, the way you get people to invest more [in cybersecurity] is to have them, unfortunately, experience a severe crisis," Bejtlich said.