Hospital data theft linked to unpatched Heartbleed-infected servers

If you've ever wondered why Microsoft says nothing about what it will fix in the monthly Patch Tuesday cycle, here is your answer. The theft of 4.5 million hospital patient records by Chinese hackers was due to the Heartbleed vulnerability and happened before a patch was ready.

Time magazine cited anonymous sources at the data security company TrustedSec who said servers with the Heartbleed vulnerability allowed hackers to steal secret keys used to encrypt user names, passwords, Social Security numbers and other information from Community Health Systems (CHS). CHS operates 206 hospitals in 29 states, making it the second-largest for-profit hospital chain in the U.S.

The CHS intrusion is a curious one. Re/Code said the theft wasn't for patient information, but for info on how the hospital operates, to help Chinese hospitals better function. For the sake of those 4.5 million patients I hope so.

The sources were anonymous, but TrustedSec CEO David Kennedy did speak on the record. He said the intrusion into the hospital records happened about a week after Heartbleed was first made public. Heartbleed was made public on April 1 and a fix was issued by OpenSSL on April 7.

This illustrates the urgency of patching published vulnerabilities, because bad players now have a road map for an exploit. At the same time, it also shows the inherent risk of disclosing vulnerabilities before a fix is issued. Heartbleed exploded into the news and was a rare tech story that hit the mainstream news outlets. For a week, this story was everywhere, including all of its details on how it worked. And when the fix was issued, there was no promise people would deploy it immediately. They might have to do their own testing.

That's why Microsoft never says what it's fixing on Patch Tuesday. As it is, when the fixes are issued they are giving the bad guys a road map to where there are problems in the software. Even if CHS deployed the Heartbleed fix immediately, there's no knowing if it would have been in time. TrustedSec's CEO said the intrusion was "about a week" after Heartbleed was disclosed. So CHS may not have gotten it in time, and even if it did, it likely would not deploy it immediately. They didn't want to rush it or they might have screwed things up and made it worse, like many firms did.

"You had a lag time of a week to several weeks before patches were implemented, so if attackers were scanning companies, there must have been countless situations where hackers used Heartbleed to gain access," Kennedy told Time.

CHS can be forgiven for not patching in time, but for a whole lot of companies, there are no excuses. This past June a security firm did a quick check and found more than 300,000 servers were still unpatched for the Heartbleed vulnerability. That was two months after the fix was issued, and the security expert who did the tests noted that the rate of patching was slowing down.

CHS was a victim of a hit immediately after Heartbleed was disclosed. If a firm gets hit now, four months after a Heartbleed patch was issued, they will be in much hotter water.
