Heartbleed. Back in April, this bug was on the radars of companies across the globe. Large corporations struggled to find and patch systems and ensure no critical information was compromised. Not all succeeded: The Canada Revenue Agency had 900 social insurance numbers lifted from its database. When the dust settled, many companies went back to business as usual — but that doesn't mean the Heartbleed vulnerability is behind us. Look at the problems it is causing for healthcare companies.
According to CSO Online, Community Health Systems (CHS) was victimized by the CVE-2014-0160 flaw, otherwise known as Heartbleed. CHS disclosed this information to the U.S. Securities and Exchange Commission on August 18, 2014, in an 8-K filing. While the report was short on details, it did reveal that non-medical information had been compromised for approximately 4.5 million patients who used CHS services during the last five years. Security firm Mandiant, hired by the healthcare agency to investigate the breach, believes it happened in two batches: one in April 2014 and the other in June. It also speculated that the attacker may have been part of a Chinese cybercriminal group. TrustedSec, meanwhile, reports that hackers exploited the Heartbleed vulnerability by gaining log-in credentials through an unpatched Juniper device on the CHS network and using them to sign in through a virtual private network. Now there's a class-action lawsuit brewing against the healthcare provider, alleging that it knew about the attacks far sooner than reported and did not take proper security precautions. But could the breach really have been prevented?
22 percent. That's how much, on average, of their application-security budgets healthcare companies spend to detect and inventory apps on their networks, according to data from CA Veracode. "That percentage seems very high to us," said Joe Pelletier, senior product manager at CA Veracode. "We think this might indicate that companies are using network tools for discovery, which doesn't account for finding Web applications on your external perimeter" — Web applications that may contain critical issues like the Heartbleed vulnerability.
According to Pelletier, while "many organizations have relied on network or vulnerability management solutions which provide visibility into IPs, ports and devices running on a network," the use of such solutions "fails to account for the nuances of detecting Web applications." Attacks on applications are responsible for 35 percent of all breaches. From Pelletier's perspective, the healthcare industry has a unique challenge: maintaining a high level of service availability and reaching the largest number of patients possible. To do so, the most logical route is the use of Web applications. And while a bigger budget for doing the same thing (by 2015, the cost to test all current and new applications will more than double to $3.11 million) might help catch some of the Heartbleed vulnerabilities lurking in unpatched perimeter devices and applications, Pelletier sees a better way: investment at the application layer in "a solution that not only helps discover Web applications, but also provides massively parallel testing of these apps to ensure quick and rapid feedback on where critical vulnerabilities may exist."
The rise of Web-based healthcare applications means it's just a matter of time before attackers move into other company databases. For example, the New York Times reports that Healthcare.gov was recently hacked and malicious software was uploaded to its test server. While no personal information was taken, a spokesman from the Centers for Medicare and Medicaid Services said that the server breach was made possible by a trio of errors: it should not have been connected to the Internet, it used a default manufacturer password which had not been changed and it was not subject to regular security scans. In other words, the server was "forgotten."
Pelletier believes such forgetfulness is becoming more and more common as the number of Web apps grow and companies are forced to concentrate on their most pressing threats. Hackers perform reconnaissance on systems looking for any way in, be it poor coding, use of default passwords or the Heartbleed vulnerability. This leads to the discussion of open source — a recent Forbes article argues that open-source software poses an inherently higher security risk because it has no warranty, meaning companies may be considered negligent if they use programs like OpenSSL to encrypt data. But Pelletier offers another perspective, saying, "CA Veracode has proven that vulnerabilities can exist in both open-source and commercial software." He argues that "any strategy for securing enterprise software must include analysis of third-party components."
So, what does all this mean for healthcare? That while open-source vulnerabilities like Heartbleed are big news, they're just the tip of the iceberg, and millions spent on traditional AppSec will only catch some of these open doorways. Healthcare needs a new prescription for chronic app issues: programmatic Web application discovery paired with testing that covers the entire application layer.
Photo Source: Wikimedia Commons