3rd Party Risk Management , Governance & Risk Management , Healthcare
CHS: 1 Million Patients Affected by GoAnywhere MFT Hack
Community Health Systems Reports Data Breach in SEC FilingA multistate hospital chain disclosed to federal regulators a cybersecurity incident involving secure file transfer software that compromised the data of about 1 million patients.
See Also: OnDemand | CISO Leadership Blueprint to Managing Budgets, Third-Party Risks & Breaches
Community Health Systems, which operates nearly 80 hospitals in 16 states, told the U.S. Securities and Exchange Commission that the incident stems from its use of Fortra's GoAnywhere software. The Tennessee-based chain says Fortra "recently" notified the company of an incident that resulted in the unauthorized disclosure of patient data.
"As a result of the security breach experienced by Fortra, protected health information and personal Information of certain patients of the company's affiliates were exposed by Fortra's attacker," the filing says.
While the investigation is ongoing, CHS says that so far it does not believe any of its systems were affected and that there has not been any material interruption of the company's business operations, including the delivery of patient care.
Fortra's GoAnywhere managed file transfer software was the subject of a security alert issued by the company on Feb. 1. The Cybersecurity and Infrastructure Security Agency nine days later included the vulnerability in its catalog of known exploited vulnerabilities.
CISA describes the GoAnywhere flaw as involving a "pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object." Fortra issued a patch for the issue on Feb. 6 with the release of version 7.1.2.
Ransomware group Clop last week claimed to have exploited the GoAnywhere vulnerability to breach networks used by 130 different organizations (see: Clop Ransomware Claims Widespread GoAnywhere MFT Exploits).
Security experts report that the Fortra GoAnywhere flaw, which is present in the software's administrator console, can be exploited without having to authenticate or otherwise log into the console and gives attackers shell access to servers. More than 1,000 administrator ports for the software reportedly appear to remain exposed to the internet and at risk of being exploited.
CHS referred Information Security Media Group to Fortra for details about the security incident, but the vendor did not immediately respond to a request for comment and clarification.
Third-Party Risk
CHS's breach is among a growing list of significant health data security incidents involving third-party vendors. But the involvement of Fortra's secure file transfer software is especially concerning, says Kate Borten, president of privacy and security consultancy The Marblehead Group.
"We expect secure transfer products do their specific job and protect our PHI in transit over unsecure networks," she says. A zero-day attack exploiting a newly discovered flaw can expose millions of patient records "despite strong security controls."
When it comes to secure file transfers, encrypted transmission "is the baseline," says Anthony Martinez, vice president of consulting services at privacy and security consultancy Clearwater.
"The significant risk with secure file transfer software is not the actual file transmission. It is the credentials to authenticate and gain access to the ePHI repositories, which is typically where the volume of data resides. We see credential-harvesting attempts within healthcare daily," he says.
"This is often an access management and data governance issue within organizations," he says. It's critical that entities ensure that accounts are properly onboarded, offboarded and configured for least privileged access, requiring multifactor authentication and deprecating file/folders no longer in use, he says.
In the wake of CHS' breach disclosure, experts urge other healthcare sector users of GoAnywhere to quickly apply the available Fortra patch to address the recent zero-day vulnerability.