Hospital network's failure led to massive hack

August 22, 2014: 9:46 AM ET
heartbleed hospital
NEW YORK (CNNMoney)

A major hospital network's failure to update its computer software allowed hackers to steal 4.5 million patient records earlier this year, a security expert says.

The hackers took advantage of Heartbleed, the infamous defect in the way computers communicate securely with websites.

Community Health Systems' massive data breach could have been avoided.

There were widespread media reports and repeated warnings from cybersecurity professionals earlier in the year. But security researchers at TrustedSec say the hospital network did not update its systems to patch the bug soon enough.

TrustedSec CEO David Kennedy said a person involved in the investigation of the hack has confirmed that Heartbleed was the culprit.

Read up: Heartbleed 101

Juniper Network (JNPR) -- the hospital group's secure network provider, according to TrustedSec -- quickly patched its software for the Heartbleed bug. But it was up to the hospitals to patch their own systems.

"It's not surprising that Heartbleed was present in [the hospital network's] infrastructure," said Sam King, who oversees Veracode security products. "The question is: Why didn't they know about it or do something about it?"

Community Health Systems (CYH) declined to address the report to CNNMoney.

Related story: Why hospitals can't protect patient data

A used thermostat could hack your house

When you see a lock icon in your address bar, that's supposed to indicate that the conversation taking place between your computer and the Web server is secure. But the Heartbleed bug allowed attackers to bypass that encryption and spy on Internet traffic in real time.

That's what happened here, TrustedSec claims.

Medical personnel working from home logged into Community Health Systems' computers using a secure Virtual Private Network. But hackers attacked computer servers managing that network. The hackers gathered the medical professionals' usernames and passwords, later using them to log in and steal patient names, Social Security numbers and more from network-affiliated doctors' offices.

CNNMoney quiz: What hackers know about you

It's the first example of a major Heartbleed attack -- and it's unlikely to be the last. Heartbleed continues to affect gadgets everywhere: computer servers, network switches, even office phones. This makes Heartbleed a long-lasting problem.

Major companies are typically slow to update their systems -- even in critical situations -- because they lose track of their hardware.

"The problem with corporations is that they don't know where all their stuff is," said cybersecurity expert Robert Graham. "On any network, there's a lot of old devices, and as long as they're working, no one's touched them for years."

Still, the report that Heartbleed was at fault is aggravating, because it's an easy bug to catch. Free software like Masscan reviews entire networks for instances of the Heartbleed bug. And network monitoring services would spot if a hospital-affiliated doctor who usually works from home in Alabama suddenly connects from China -- where Community Health Systems said the hack emanated.

CNNMoney's cybersecurity Flipboard magazine: How safe are you?

"An organization like that should be watching what's leaving their network," said FlowTraq CEO Vincent Berk. "What doctor or nurse or administrative department needs access to 4.5 million records in a short period of time?"

Join the Conversation

Search for Jobs