Community Health Systems (CHS), one of the largest healthcare providers in the U.S., confirmed a recent zero-day attack. The threat actor targeted a zero-day vulnerability within the systems of one of CHS’ business associates. According to reports, the breach impacted the protected health information (PHI) of up to one million patients.
The news is concerning, especially since a big part of HIPAA compliance is utilizing reasonable safeguards to protect PHI.
SEE ALSO: HIPAA compliant email: The definitive guide
Covered entities and their business associates must ensure that their systems and the data within remain guarded. Furthermore, these organizations must pay attention to the rising threat of zero-day attacks and how to mitigate them. So why do zero-day attacks occur, and what can healthcare organizations do to protect themselves?
What happened?
Tennessee-based CHS operates 80 hospitals in 16 states, focused on general acute care. Its business associate Fortra, LLC, informed CHS of a third-party data breach within one of Fortra's software products. Unauthorized access happened through a zero-day vulnerability in Fortra’s popular file-transfer software GoAnywhere MFT. GoAnywhere is a managed file transfer (MFT) solution that organizations use to share and send large amounts of data.
Upon notification, CHS launched an investigation, which is still ongoing. The health system has not released an official statement though it did file with the U.S. Securities and Exchange Commission. Not much is known.
CHS states that the cyberattack appears limited to Fortra’s platform, further asserting that “there has not been any material interruption of [CHS’] business operations, including the delivery of patient care.” Once the investigation concludes, CHS will release more news and notify affected individuals as well as the proper authorities. Unfortunately, this is CHS’ second-known breach in less than 10 years. The first, by Chinese hackers, impacted 4.5 million CHS patients.
READ MORE: CHS TO PAY $5m to 28 states to settle 2014 data breach
Currently, the U.S. Office for Civil Rights’ Breach Notification Portal does not list the GoAnywhere breach.
What is a zero-day attack?
A zero-day attack or exploit occurs when threat actors discover a software security flaw unknown to the software's developers or users. The flaws may be software bugs, broken algorithms, weak passwords, or a lack of encryption. Hackers exploit these vulnerabilities, often delivering malware in the process, to gain access to the system and the data within.
The term ‘zero-day’ is used because once hackers have exploited the security flaw, the attack is already underway. In other words, there are zero days available to prepare for or mitigate that attack.
The average time for an organization that has suffered a zero-day attack to fully deploy software patches is 97 days. These patches provide updates, fixes, or improvements to secure the flaws that let cyber attackers in. Rather than be exposed for such a long time, organizations must learn to respond and block immediately.
Fortra’s GoAnywhere MFT
Fortra disclosed its GoAnywhere MFT zero-day vulnerability on February 1 after the company became aware of the situation. The company only shared the information with members. According to the National Vulnerability Database, “GoAnywhere MFT [CVE-2023-0669] suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object.”
This allows cyberattackers with access to the administration port to run commands on the remote server. Speaking to Bleeping Computer, the Clop ransomware group took credit for the attack. Clop claims that the GoAnywhere vulnerability helped them steal data from more than 130 organizations.
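The advisory language above names a vulnerability class rather than a single bug: a service that rebuilds an arbitrary object from bytes it receives before the sender has authenticated. The following is an added illustration of that class and of the standard hardening, written in Python for a hypothetical license-response handler; it is not GoAnywhere code (GoAnywhere is a Java product) and the class names, message format and handler functions are all assumptions made for the example.

```python
"""Insecure vs. restricted deserialization of a client-supplied object.

Added example for a hypothetical license-response handler. It is not the
code of any real product; the class and function names are assumptions.
"""
import io
import json
import pickle

THIS_MODULE = __name__


class LicenseResponse:
    """The one harmless data object the server legitimately expects."""

    def __init__(self, customer_id: str, expires: str):
        self.customer_id = customer_id
        self.expires = expires


class UnexpectedType:
    """Stands in for any class the server never intended to instantiate."""


def encode(obj) -> bytes:
    """Serialize an object the way a (fully trusted) client would."""
    return pickle.dumps(obj)


def vulnerable_handle_license(blob: bytes):
    # VULNERABLE: pickle rebuilds whatever object the sender encoded, calling
    # arbitrary constructors and reducers. This is the pattern the advisory
    # describes: an attacker-controlled object deserialized pre-auth.
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: only the single allow-listed class may be rebuilt."""

    ALLOWED = {(THIS_MODULE, "LicenseResponse")}

    def find_class(self, module, name):
        # Called for every class reference in the stream; refuse everything
        # that is not explicitly expected instead of trusting the sender.
        if (module, name) in self.ALLOWED:
            return LicenseResponse
        raise pickle.UnpicklingError(f"refused to load {module}.{name}")


def hardened_handle_license(blob: bytes) -> LicenseResponse:
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def hardened_accepts(blob: bytes) -> bool:
    """True if the restricted loader accepted the blob, False if it refused."""
    try:
        hardened_handle_license(blob)
        return True
    except pickle.UnpicklingError:
        return False


def safest_handle_license(payload: bytes) -> LicenseResponse:
    """Preferred design: a data-only format plus explicit field validation,
    so no object graph is ever reconstructed from the wire at all."""
    data = json.loads(payload)
    if not isinstance(data, dict) or set(data) != {"customer_id", "expires"}:
        raise ValueError("malformed license response")
    if not all(isinstance(v, str) for v in data.values()):
        raise ValueError("license fields must be strings")
    return LicenseResponse(data["customer_id"], data["expires"])


if __name__ == "__main__":
    good = encode(LicenseResponse("cust-0001", "2030-01-01"))   # constructed sample
    bad = encode(UnexpectedType())                                # constructed sample
    print("vulnerable handler rebuilt:", type(vulnerable_handle_license(bad)).__name__)
    print("hardened handler accepts good blob:", hardened_accepts(good))
    print("hardened handler accepts bad blob:", hardened_accepts(bad))
    print("json handler:", safest_handle_license(b'{"customer_id": "c1", "expires": "2030-01-01"}').customer_id)
```

The allow-list approach limits the damage of a native serialization format, but the last function shows the design a reviewer should push for: a format that can only carry data, followed by validation of each field, and, for a servlet like the one in the advisory, authentication before any of this runs.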
The attacker has yet to release evidence, and there is no official word about a ransom demand. CHS appears to be the only one to come forward officially. It is only a matter of time before more organizations release information.
Fortra released mitigation techniques and indicators of compromise immediately and a patch on February 7. The ransomware group stated that it had 10 days to steal the data of the 130 organizations. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities Catalog.
Zero-day attacks within the healthcare industry
Advanced persistent threats and zero-day attacks are increasingly common today. Google’s Project Zero documents 250 zero-day vulnerabilities since 2014. Up until a few years ago, such exploits were mostly used by sophisticated cybercriminals with significant financial resources.
But as technology and communication expand worldwide, just about any hacker can exploit a zero-day vulnerability, especially with the increase in black-market sharing and exploit-as-a-service schemes. Zero-day exploits are financially motivated, so attacks against healthcare make sense.
SEE ALSO: Why is healthcare a juicy target for cybercrime?
In 2020, several zero-day vulnerabilities in OpenClinic exposed patient test results. And in 2021, the zero-day vulnerability known as “PwnedPiper” impacted pneumatic tube systems. Such attacks cause significant damage to those within the healthcare industry.
The CHS business associate attack demonstrates the concern healthcare organizations must have to protect patients’ PHI. “The reality is that when hackers exploit vulnerabilities in third-party security tools,” according to Almog Apirion, CEO and cofounder of Cyolo, “the lives and privacy of patients are put at risk.”
Zero-day attacks are difficult to predict, which means it is necessary to have a plan to prevent and protect proactively.
Mitigate and block zero-day attacks
Unfortunately, zero-day attacks can still occur even with the most secure plan. It is important to have proper protections in place. Starting with a plan, covered entities must choose their software and applications wisely. It is also important to employ vulnerability management to identify, assess, report, manage, and remediate all vulnerabilities.
As soon as a zero-day vulnerability is discovered, the software company must release a patch or update. Then it is up to organizations to apply the patch. Fortra released an emergency patch for GoAnywhere (version 7.1.2) six days after discovery. CISA expects federal agencies to apply the patch by March 3.
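The patching step above is where most organizations lose the 97 days the article mentions: knowing which installs are below the fixed version, and which of those also expose the administration port, is what turns an advisory into a work queue. The script below is an added example of that triage, not a Fortra or CISA tool; it takes the fixed version (7.1.2) and the March 3 remediation date from the article, and the hostnames, versions and exposure flags in the inventory are constructed for the example.

```python
"""Triage an inventory of file-transfer servers against a fixed version.

Added example; the inventory is constructed and the host names are made up.
The fixed version and due date are the ones quoted in the article.
"""
import re
from datetime import date

FIXED_VERSION = "7.1.2"            # emergency patch version named in the article
KEV_DUE_DATE = date(2023, 3, 3)    # CISA remediation deadline named in the article

# Constructed sample inventory: (hostname, reported version, admin port reachable from the internet)
INVENTORY = [
    ("mft-prod-01", "7.1.1", True),
    ("mft-dr-02", "7.1.2", False),
    ("mft-test-03", "6.8.6", False),
    ("mft-new-04", "7.1.10", True),
]


def parse_version(text: str) -> tuple:
    """Numeric tuple compare, so '7.1.10' sorts after '7.1.2' (string compare gets this wrong).
    Non-numeric suffixes such as '-hotfix' are ignored."""
    parts = re.findall(r"\d+", text.split("-")[0])
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> bool:
    return parse_version(version) < parse_version(FIXED_VERSION)


def classify(version: str, admin_port_exposed: bool) -> str:
    """critical: unpatched and the admin port (the attack path) is reachable;
    high: unpatched but admin port is not reachable; ok: at or above the fix."""
    if not is_vulnerable(version):
        return "ok"
    return "critical" if admin_port_exposed else "high"


def triage(inventory) -> dict:
    """Map each host to its finding, most urgent first in the returned order."""
    order = {"critical": 0, "high": 1, "ok": 2}
    findings = {host: classify(ver, exposed) for host, ver, exposed in inventory}
    return dict(sorted(findings.items(), key=lambda kv: order[kv[1]]))


def days_remaining(today: date, due: date = KEV_DUE_DATE) -> int:
    """Days left before the remediation deadline (negative once it has passed)."""
    return (due - today).days


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:<12} {status}")
    print("days until deadline:", days_remaining(date(2023, 2, 20)))
```

The exposure flag matters as much as the version: an unpatched host whose admin interface is reachable only from a management network is still a high finding, but a host that combines the vulnerable version with an internet-facing admin port reproduces the exact precondition the advisory describes and goes to the top of the queue.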
Moreover, there are technological safeguards that help mitigate zero-day risks:
- A firewall to monitor and review traffic.
- Runtime application self-protection (RASP) agents to detect suspicious activity.
- Zero trust strategies to secure endpoints and limit what a vulnerable service can reach.
Finally, organizations must utilize threat-sharing resources to identify possible security problems. Security resources like HC3 (Health Sector Cybersecurity Coordination Center) provide needed insights into active zero-day vulnerabilities and available patches. Currently, we don’t know the extent of the GoAnywhere zero-day exploit. But attacks like it demonstrate why it is vital to use proactive, layered cybersecurity tools.