HIPAA be damned – medical records, including images and data, on more than five million patients in the U.S. and millions of others worldwide lie unprotected online in full view of anyone with the wherewithal to look and a web browser.
A ProPublica investigation unearthed 187 servers in medical systems across the country that are not protected by passwords or other basic security measures. One of them, a MobilexUSA server, exposed the names of more than a million patients to anyone who entered a simple data query.
The probe, done in collaboration with German broadcaster Bayerischer Rundfunk, found data from more than 16 million scans around the globe, with names and birthdates attached and, in some cases, Social Security numbers as well.
As the prevalence of exposed medical data shows, “there are still doctor’s offices that have their main servers open to the internet, with insecure Windows server remote desktop protocol (RDP) port 3389 open for easy access,” said Rehan Bashir, managing security consultant at Synopsys. “This allows doctors and their staff to access the office network to retrieve patient healthcare data remotely and conveniently” but many of the “offices do not even use secure virtual private networks (VPNs) for remote access.”
Noting “that easy-to-guess passwords were being used and shared among office staff members for convenience,” Bashir said, “such remote access methods are an open invitation for malicious users to compromise the confidentiality and integrity of patient healthcare data.”
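The two weaknesses Bashir describes, RDP reachable from the whole internet and weak shared passwords behind it, are both fixable on the server itself. The following is an added example written for this page, not code from the article, from ProPublica or from Synopsys. It audits what the Windows firewall currently allows, then replaces the built-in “Remote Desktop” rules (which accept any remote address) with one rule scoped to a VPN client subnet, enables Network Level Authentication, and turns on account lockout. The subnet 10.8.0.0/24 and the lockout values are assumptions; run it in an elevated PowerShell session and substitute your own.

```powershell
# Added example (not from the article or from Synopsys): audit and lock down
# RDP (TCP 3389) so it is reachable only over the VPN, not from the internet.
# Run from an elevated PowerShell prompt on the server being hardened.

$VpnSubnet = '10.8.0.0/24'   # ASSUMPTION: the subnet VPN clients land on; change it

# 1. Audit. Is RDP listening, and which remote addresses do the enabled
#    "Remote Desktop" firewall rules accept? A RemoteAddress of 'Any' is the
#    weak setting that leaves 3389 open to every internet scanner.
Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True |
    Get-NetFirewallAddressFilter |
    Select-Object InstanceID, RemoteAddress

# 2. Fix. Disable the built-in rules (RemoteAddress = Any) and replace them
#    with a single inbound rule limited to the VPN subnet.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule

New-NetFirewallRule -DisplayName 'RDP - VPN clients only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $VpnSubnet -Action Allow -Profile Any

# Keep inbound default-deny on every profile so nothing else re-exposes 3389.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 3. Require Network Level Authentication: the client must authenticate
#    before a session is created, removing the pre-auth login screen from
#    the attack surface. (Registry value 1 = NLA required.)
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name 'UserAuthentication' -Value 1 -Type DWord

# 4. Blunt the shared, easy-to-guess passwords: lock an account after a few
#    failed logons and require a longer minimum length. Values are assumptions.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30
net accounts /minpwlen:14

# Re-run the audit: the only enabled rule for 3389 should now list $VpnSubnet.
Get-NetFirewallRule -Enabled True | Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -eq 3389 } |
    Get-NetFirewallRule | Get-NetFirewallAddressFilter |
    Select-Object InstanceID, RemoteAddress
```

Scoping the firewall rule to the VPN subnet means an attacker who finds the office’s public IP sees a closed port rather than a login prompt; lockout and minimum length then limit what a leaked or guessed staff password is worth if the VPN itself is ever reached. For a practice with no IT staff, the same checks belong in the MSP’s recurring audit rather than a one-time run.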
While large healthcare facilities can pony up for “dedicated IT staff to manage their systems and to implement security controls,” he said “smaller providers generally don’t and thus are more vulnerable to healthcare data breaches,” making it all the more important for them to “go above and beyond the compliance paper exercises and implement technical security controls and continuous monitoring.”
Dan Lyon, senior principal security consultant at Synopsys, said, in addition to having fewer resources, smaller and independent providers have limited “knowledge about medical devices and security of the systems that they use to deliver patient care.” Some systems could be secured with a few quick changes but others, such as medical devices with hardcoded passwords, “cannot be changed by the healthcare delivery organization, even if they know about them,” he said.
“While these devices are not supposed to be available on the internet, all it takes is a misconfiguration that exposes the device, or a simple breach into a supposedly secure network that then exposes a weak device to internet-based attacks,” said Lyon, who noted the dangers presented to data integrity by malware that can alter medical images and lead to misdiagnoses.