Hospital Breach Reveals Bank Nightmare

The theft of 4.5 million patient records from a Tennessee hospital chain should have banks worried about both fraud from identity theft and the security of their own networks, according to American Banker.

In the breach at Community Health Systems of Franklin, Tenn., cyberthieves got access to patients’ names, addresses, birth dates, and telephone and Social Security numbers — everything needed for identity theft and subsequent financial fraud.

But the mode of the attack may pose just as great a threat. Thieves broke into the hospital chain’s network through a security hole called Heartbleed, a programming mistake in OpenSSL, a free piece of code many web servers use to secure interactions with other computers. And although financial institutions may have vetted the software on their servers to make sure they’re not affected by the Heartbleed bug, the hospital was attacked through a separate, off-the-shelf device made by Juniper Networks.

“It may sound crazy, but banks typically take off-the-shelf [network] devices and applications out of the box and deploy them into a production environment with very light review or testing,” said Rick Dakin, CEO and chief security strategist at Coalfire, an IT audit and compliance firm based in Denver.

In the wake of the Community Health Systems breach, banks should put all new applications and devices through a security check before deploying them, Dakin said.
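One concrete form that pre-deployment check can take is a version audit of the TLS library each new device or application ships with. The Python script below is an added example, not code from the article, Coalfire or Juniper: it parses OpenSSL version banners from a constructed asset inventory and flags builds in the Heartbleed range. It assumes only the upstream OpenSSL 1.0.1 through 1.0.1f releases are affected (1.0.1g carried the fix); the hostnames and banners are made up.

```python
import re

# Added example, not from the article: a pre-deployment check that scans an asset
# inventory of OpenSSL version banners and flags builds in the Heartbleed range.
# Assumption: only the upstream OpenSSL 1.0.1 through 1.0.1f releases are treated as
# vulnerable; 1.0.1g and every other branch are treated as not affected.

# Matches banners such as "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 3.0.2".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(banner):
    """Return (major, minor, patch, letter) from a banner, or None if it is not OpenSSL."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def is_heartbleed_vulnerable(banner):
    """True for upstream 1.0.1 .. 1.0.1f, False for other versions, None if unparseable."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return None
    major, minor, patch, letter = parsed
    if (major, minor, patch) != (1, 0, 1):
        return False
    # Letter suffixes are single lowercase characters; "" (plain 1.0.1) sorts first,
    # so everything up to and including "f" is in the affected range.
    return letter <= "f"


def audit_inventory(inventory):
    """Classify each asset as 'vulnerable', 'ok' or 'unknown' from its TLS library banner.

    A version string alone is not conclusive: distributions backport the fix without
    bumping the version, and builds compiled without heartbeat support are not affected.
    Treat 'vulnerable' as 'needs a real test before deployment', not as a final verdict.
    """
    results = {}
    for asset in inventory:
        verdict = is_heartbleed_vulnerable(asset["banner"])
        if verdict is None:
            results[asset["host"]] = "unknown"
        else:
            results[asset["host"]] = "vulnerable" if verdict else "ok"
    return results


# Constructed sample inventory (hostnames and banners are made up for this example).
SAMPLE_INVENTORY = [
    {"host": "edge-vpn-01", "banner": "OpenSSL 1.0.1e 11 Feb 2013"},
    {"host": "web-portal-02", "banner": "OpenSSL 1.0.1g 7 Apr 2014"},
    {"host": "core-switch-03", "banner": "OpenSSL 1.0.0l 6 Jan 2014"},
    {"host": "legacy-appliance-04", "banner": "GnuTLS 3.2.12"},
]

if __name__ == "__main__":
    for host, status in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:22} {status}")
```

The "unknown" bucket is deliberate: an off-the-shelf appliance that exposes no recognisable OpenSSL banner is exactly the case Dakin describes, and it should go to a manual review rather than be waved through because the script found nothing to flag.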

Bankers should also watch for a wave of fraud tied to identity theft and credit scams, and thoroughly authenticate every request for a credit card replacement, new credit card or loan as well as unusual electronic funds transfers, said John Zurawski, vice president of security software company Authentify.