A significant data breach has hit the healthcare giant Community Health Systems (CHS), with up to one million people impacted. The breach has been identified as arising from file-transfer software called GoAnywhere MFT, developed by Fortra.
“As a result of the security breach experienced by Fortra, protected health information and personal information of certain patients of the company’s affiliates were exposed by Fortra’s attacker,” according to a spokesperson from Community Health Systems.
Looking into the matter for Digital Journal is Almog Apirion, CEO and Co-Founder of Cyolo.
For Apirion, this issue represents another cyber-swipe against the healthcare and medical communities. This sector is a continual target for those seeking to capture personal data.
As Apirion explains: “Healthcare organizations are unfortunately no stranger to cyberattacks and data breaches. Institutions like Community Health Systems (CHS) are an attractive target for threat actors due to their troves of personal information and their reliance on third parties both for cybersecurity and other aspects of their work.”
On the mode of attack, Apirion says: “The reality is that when hackers exploit vulnerabilities in third-party security tools, the lives and privacy of patients are put at risk. Interoperability is vital for successful healthcare delivery, so a Managed File Transfer (MFT) is a needed solution.”
MFT is a technology platform that allows organizations to reliably and securely exchange electronic data between systems and people, in a way that goes some way toward meeting business compliance needs.
There are inherent weaknesses, as identified by Apirion: “When the admin console is accessible via the Internet, it’s only a matter of time before data is breached. Any connection to a sensitive data source must be properly managed and secured.”
There are measures that healthcare institutions could and should adopt. Apirion defines these as: “Zero-Trust Access strategies should be employed to support the needed connections, especially between care delivery partners. This is especially useful when critical applications, like MFT, need to be connected to the Internet.”
In outlining the benefits of these types of approaches, Apirion surmises: “Having the ability to restrict access and keep the application hidden will go a long way to preventing this type of breach in the future.”