Experts Insight On Data Of 24.3 Million Patients Exposed Online

By ISBuzz Team, Writer, Information Security Buzz | Sep 18, 2019 07:57 am PST

Greenbone Networks has released details of new research into the security of the servers used by health providers across the world to store images of X-rays as well as CT, MRI and other medical scans.

Of the 2,300 medical image archive systems worldwide that Greenbone analysed between mid-July and early September 2019, 590 were freely accessible on the internet, together containing 24.3 million data records from patients located in 52 different countries.

Available data included patient names, dates of birth, dates of examination and some medical information about the reason for examination. For US patients (which make up 13.7 million of the compromised records), it also included Social Security numbers.

More than 737 million images were linked to this patient data, with approximately 400 million of these accessible or easily downloadable via the internet. In addition, 39 of these imaging servers allowed access to patient data via an unencrypted HTTP web viewer, without any level of protection.

3 Expert Comments

Dan Lyon, Senior Principal Security Consultant
September 18, 2019 7:18 pm

This is the latest example of how security is becoming more and more personal for all of us. Healthcare organizations need to protect not only themselves, but their patients’ privacy as well. Smaller and independent care providers have limited staff, resources, and knowledge about medical devices and security of the systems that they use to deliver patient care. While this research shows that quick changes could be made to secure some of the systems, other systems may not be so easy to fix. There are many medical devices that have hardcoded passwords in them that cannot be changed by the healthcare delivery organization, even if they know about them. While these devices are not supposed to be available on the internet, all it takes is a misconfiguration that exposes the device, or a simple breach into a supposedly secure network that then exposes a weak device to internet-based attacks.

In addition to basic security practices, the healthcare industry needs to worry about data integrity. Malware that can target and alter medical images has been created and has proven to effectively cause cancer misdiagnoses by radiologists.

Combining the targeted malware with the availability of the imaging data over the internet brings us one step closer to the ultimate worst-case scenario: direct patient-harm delivered at scale to patients across the internet.

Rehan Bashir, Managing Security Consultant
September 18, 2019 7:10 pm

Security and compliance requirements play a vital role in providing security guidance and accountability. However, meeting compliance standards doesn’t mean your data is “secure” and often leads to a false sense of security. Technical implementation of recommended security requirements within compliance documentation is necessary, but it’s also simply a baseline.

As this story indicates, there are still doctor’s offices that have their main servers open to the internet, with insecure Windows server remote desktop protocol (RDP) port 3389 open for easy access. This allows doctors and their staff to access the office network to retrieve patient healthcare data remotely and conveniently. In many instances these offices do not even use secure virtual private networks (VPNs) for remote access. It has also been observed that easy-to-guess passwords were being used and shared among office staff members for convenience. Such remote access methods are an open invitation for malicious users to compromise the confidentiality and integrity of patient healthcare data.

Large healthcare facilities can afford to have a dedicated IT staff to manage their systems and to implement security controls, but smaller providers generally don’t and thus are more vulnerable to healthcare data breaches.

It is absolutely necessary to go above and beyond the compliance paper exercises and implement technical security controls and continuous monitoring.

Javvad Malik, Security Awareness Advocate
September 18, 2019 4:01 pm

Just because something can be connected to the internet, it doesn’t necessarily mean it should be connected to the internet – especially where there is personal and sensitive information involved – and even more so when there is apparently little to no investment in security controls to validate that the data is secured properly.

While it’s important to have medical information of patients readily available to healthcare providers and hospitals, particularly in times of an emergency, this shouldn’t translate to having all information available at all times. Furthermore, monitoring controls should be in place to ensure that any medical records viewed, even by medical staff, are only viewed when there is a valid clinical or administrative reason.

It’s worrying that not only were these medical records publicly available, but it appears as if there is no internal audit process in place to validate if access is warranted.

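The access-audit control the comment above calls for, as an added example that is not part of the article or any commenter's tooling: it checks each image-viewer access against a care-team roster and open administrative tickets, and separately flags a user who opens several unjustified records in a short window. The log format, field names, roster and sample lines are all constructed assumptions.

```python
"""Flag viewer audit events lacking a clinical or administrative justification.
Added example; the log layout (ts|user|patient|reason), the care-team roster
and the ticket table are constructed assumptions, not any real system's format."""
from collections import namedtuple
from datetime import datetime, timedelta

Access = namedtuple("Access", "ts user patient reason")

# Constructed sample audit lines: timestamp|user|patient_id|stated_reason
SAMPLE_LOG = """\
2019-09-16T08:02:11|dr_ahmed|P1001|order:RAD-4471
2019-09-16T08:15:40|tech_lee|P1001|order:RAD-4471
2019-09-16T09:30:05|clerk_kim|P2002|ticket:BILL-88
2019-09-16T11:45:00|dr_ahmed|P3003|
2019-09-16T11:47:13|dr_ahmed|P3004|
2019-09-16T12:10:00|tech_lee|P2002|browse"""

# Constructed care relationships: staff named on each patient's imaging order
CARE_TEAM = {"P1001": {"dr_ahmed", "tech_lee"}, "P2002": {"dr_patel"}}
# Constructed open administrative tickets and the staff member assigned to each
OPEN_TICKETS = {"BILL-88": "clerk_kim"}

def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, user, patient, reason = line.split("|")
        rows.append(Access(datetime.fromisoformat(ts), user, patient, reason))
    return rows

def is_warranted(a):
    """Warranted if the user is on the patient's care team, or cites an open
    administrative ticket that is assigned to that same user."""
    if a.user in CARE_TEAM.get(a.patient, set()):
        return True
    if a.reason.startswith("ticket:"):
        return OPEN_TICKETS.get(a.reason[len("ticket:"):]) == a.user
    return False

def unwarranted_accesses(text):
    """(user, patient, reason) for every access with no valid justification."""
    return [(a.user, a.patient, a.reason) for a in parse_log(text) if not is_warranted(a)]

def rapid_browsing(text, window=timedelta(minutes=5), threshold=2):
    """Users who opened >= threshold distinct unjustified patients within one
    window: the pattern a reviewer should look at first."""
    by_user = {}
    for a in parse_log(text):
        if not is_warranted(a):
            by_user.setdefault(a.user, []).append(a)
    flagged = set()
    for user, events in by_user.items():
        events.sort(key=lambda e: e.ts)
        for i, first in enumerate(events):
            patients = {e.patient for e in events[i:] if e.ts - first.ts <= window}
            if len(patients) >= threshold:
                flagged.add(user)
    return flagged
```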
