A security threat worse than Heartbleed
September 29, 2014 in Medical Technology
The Health Information Trust Alliance has put out a word of warning about Shellshock, a system vulnerability it says could wreak much more damage than the infamous Heartbleed bug.
The HITRUST Cyber Threat Intelligence and Incident Coordination Center, known as the C3, announced this past week it has been tracking the remote code execution vulnerability, which it says can allow hackers to bypass commands and execute arbitrary code, leaving OS X and Linux machines open to attack.
[See also: Heartbleed 'top of food chain' for healthcare industry, says CISO]
“We base the assessment that Shellshock is a more serious vulnerability than Heartbleed due to the ability of potential perpetrators to use the exploit to craft malicious code that enables them to gain complete control of a compromised server,” write HITRUST officials in their dense and detailed threat report.
Heartbleed, of course, has been at least partly responsible for some serious damage to the healthcare industry. This past summer it was revealed that Chinese hackers were able to use the bug’s system vulnerabilities to access some 4.5 million patient records at Community Health Systems – the second largest PHI breach in healthcare history.
Shellshock, is the “worst we’ve seen in many years,” according to one security blogger.
[See also: Breach alert: Hackers swipe data of 4.5M]
“In retrospect, the grave concern over Heartbleed seems misplaced,” he writes. “As information disclosure bugs go it was a really bad one, but it was only an information disclosure bug and a difficult one to exploit. The sky’s the limit on attacks with Shellshock.”
Indeed, beyond exploiting the new Shellshock bug for DDoS attacks, “other malicious actors could use the exploit to gain unfettered access to a vulnerable server and conduct much more damaging operations – such as sabotaging corporate networks or collecting any information stored on the server, including intellectual property, personally identifiable information, or protected health information,” according to HITRUST.?
As HITRUST works with the Department of Homeland Security to monitor the threat, it suggests that, “given increased cyber threat activity affecting healthcare organizations,” healthcare organizations should review their information security controls, “or if unable, then focus on those specifically related to cyber security.”
??It offers resources for healthcare security professionals here.
On Sept. 23, HITRUST Chief Executive Officer Daniel Nutkis wrote to Health and Human Services Secretary Sylvia Mathews Burwell, offering an update on “the significant progress made” with regard to healthcare security — and also to spotlight efforts “currently underway to address the risks and implications” of cyber attacks.”
“Continued vigilance is required to protect sensitive healthcare data of American citizens,” he wrote.
As healthcare has recently come to recognize the imperative to protect against cyber crime, HITRUST “identified the need for collaboration among stakeholders, particularly leveraging the expertise of larger, more cyber-sophisticated organizations to assist less sophisticated players,” wrote Nutkis.
In response, HITRUST launched C3 to offer threat intelligence, incident response and other knowledge and strategies unique to the healthcare industry, according to the letter to HHS.
“The C3 facilitates the early identification of cyber-attacks and creation of best practices specific to the healthcare environment and maintains a conduit through the Department of Homeland Security to the broader cyber-intelligence community for analysis support and exchange of threat intelligence,” Nutkis wrote.
“The Center is also the first to track vulnerabilities related to medical devices and electronic health record systems,” he added, “which are both emerging areas of concern.”