Questions About Community Health Systems Cyber Attacks Answered

Pennyslvania computer experts discuss how hackers work a step ahead of organizations, and ways to provide more security to personal data.

by Joe Sylvester, McClatchy News Service / August 26, 2014

Cyber attacks on Community Health Systems Inc. in April and June copied and transferred the data of 4.5 million patients.

Among the 206 hospitals the Franklin, Tennessee-based company owns or leases in 29 states are: Wilkes-Barre General Hospital; First Hospital in Kingston; Regional Hospital and Moses Taylor Hospital, both in Scranton; Berwick Hospital Center, and Tyler Memorial Hospital in Tunkhannock.

The Times Leader of Wilkes-Barr, Pa. asked a couple of computer experts to explain how this could happen and ways to provide more security to personal data.

Mark Rutkowski is a professor of technology at Luzerne County Community College in Nanticoke, which offers an associate degree in cyber security management.

Sister Patricia Lapczynski, RSM, Ph.D., is associate professor and program director of computer science and information technology/IT security at Misericordia University in Dallas Township, which has added an information technology security specialization option to its Bachelor of Science in Information Technology degree program.

How could a cyber attack happen at a major hospital chain?

Rutkowski: This is an advance persistent threat. It's similar to a virus that an individual might get on their computer but much more sophisticated.

Lapczynski: These days, there are many talented people out there with the skills in hacking, and sometimes they get a step ahead of organizations. The organization discovers the breach and works quickly to rectify the problem.

How prevalent is the hacking of businesses' websites?

Rutkowski: I don't think they're any more common. We're just hearing about them more because the reporting requirements have changed. The government is requiring more reporting. This one, the Securities and Exchange Commission (is requiring it), as part of stocks reporting. It's different agencies. Some are requiring consumer notifications, some stock notifications.

Lapczynski: We certainly are hearing about it more when a breach like this happens. With what happened with Target and now with the hospital chain, it heightens the awareness of all of us in terms of our computers, so we aware so we have better password protection, better security.

Does this occur despite increased cyber security?

Rutkowski: That's correct. These were very advanced hackers that are able to get around security measures. The indications are this is from China. Most hacking indicates it's from China. A lot of times the user will use vulnerable computers in China, even though that's not where the hacker was located.

Lapczynski: Absolutely. The hackers are always trying to get ahead. As has been reported in the mass media, when this happens, people's personal identities might be compromised. It's unclear from what I read from the report whether it was corporate espionage or stealing identities.

What are some things companies can do to prevent cyber attacks?

Rutkowski: It's like saying what things can you do to make your car safer. The most secure you can get is not connected to the Internet, though in Iran (they weren't on the Internet) and they were infected with Stuxnet, which appears to be a virus written in partnership between the U.S. and Israel. The computer system was a control system for nuclear centrifuges for enriching the fuel.

Lapczynski: Three main areas they want to look at: They want to have someone identify what are the problems their organization might face as far as hacking; they want to determine where their weaknesses are, and third, they want to make sure they've installed the correct procedures, firewalls, data encryption programs.

How can individuals protect their computers from attack?

Rutkowski: Primarily, the latest virus protection software and also keeping your software updated, making sure you're keeping up with updates.

Lapczynski: I would recommend they make sure their passwords are changed periodically. Some software programs force you to change them every 90 days. You want to make sure you have a password that is not your name or your phone number. Make sure you have a virus protection program. Those are are two obvious ones, but important ones.

What can people do if they feel their information was compromised?

Rutkowski: For people who feel their information was compromised, they should monitor their information and credit reports, making sure there's no activity that doesn't belong to them. I would probably also suggest they check the credit of their children, even if their children are very young.

That said, it appears this (the CHS cyber attack) was more directed toward corporate espionage. They were not interested in personal information, though they downloaded it.

Lapczynski: Change your password immediately. You might want to monitor your credit report, watch your bank statements, watch your credit card bills.

©2014 The Times Leader (Wilkes-Barre, Pa.)