Hackers likely used the computer bug Heartbleed to gain access to the data of about 4.5 million patients at Community Health Systems, and the FBI is warning other hospitals they could be at risk too, Reuters reports.
The hack at CHS is the first known large-scale cyberattack using the bug, which compromises the Web encryption program OpenSSL, opening hundreds of thousands of websites to data theft.
During this morning's monthly cyber threat briefing, broadcast online, HITRUST CEO Dan Nutkis spoke about the need for greater dissemination of information when breaches like this happen.
"There are some voids in receiving information from the government," Nutkis said. "We are looking at how we can provide more informative-type messages."
Roy Mellinger, vice president and CISO at WellPoint, also spoke during the briefing about security practices in the industry.
He said some criticism of the industry's security efforts has been harsh and noted that healthcare organizations have made tremendous progress when it comes to data security. However, he also said security is not as robust as it should be. One of the most crucial things, he said, is getting information across the sector to let healthcare executives know what is going on and whether they are taking the right steps to keep data secure.
Reuters also reported that the FBI sent out a flash brief yesterday to alert healthcare industry companies that it has observed "malicious actors targeting healthcare-related systems," perhaps for the purpose of obtaining personal health data.
In April the agency issued two warnings about the vulnerabilities of health organizations' systems, including medical devices.
During the HITRUST briefing, Michael Rosanova, supervisory special agent at the FBI, said the agency will work on getting information out in a "more timely fashion" and put classified information into a usable form that can be easily shared.