The analyst team at CybelAngel, a global leader in digital risk protection, has discovered that more than 45 million medical imaging files – including X-rays and CT scans – are freely accessible on unprotected servers, in a new research report released today. The report “Full Body Exposure” is the result of a six-month investigation into Network Attached Storage (NAS) and Digital Imaging and Communications in Medicine (DICOM), the de facto standard used by healthcare professionals to send and receive medical data. The analysts discovered millions of sensitive images, including personal healthcare information (PHI), were available unencrypted and without password protection.
Secure configuration and secure deployments start with secure defaults. The problem is that with long-lived systems, the secure principles used when the system was designed might now be obsolete. This is one reality that administrators of legacy systems need to recognize as they attempt to connect them to other systems via the internet. A theoretically obscure deployment can be found by others, and potentially even have its data indexed by Google. With accurate healthcare data potentially making the difference between injury and recovery, healthcare providers should perform a review of their IS deployments in light of common security frameworks and maturity models.
Getting a few MB/GB/TB of storage used to be an arduous process with lots of checks and balances. You had to talk to your manager, their manager, the IT folks, the infrastructure folks, the purchasing folks, the firewall folks, and so on. Today, you make a free Amazon/Google/Dropbox/Box/etc. account and off you go. No checks and balances. No training required. No before-the-fact governance by the people whose role it is to protect the organization from doing unnecessarily risky things. Then, once it’s working no one touches it because you don’t touch what isn’t broken. By the time the next generation of employees comes along (e.g., 6-18 months later), it’s all just technical debt that no one will examine closely until after the breach or audit occurs. This “window of vulnerability” between “I can” and “I know how” repeats itself ad nauseam in every aspect of security and everyday life.
While all organisations remain at risk from ransomware, in part due to working from home, healthcare will be the most targeted industry in the new year. In 2021, ransomware will target healthcare even more so than in 2020. Threat actors will be targeting medical research laboratories, big pharma, biotechnology companies and any third-party companies that healthcare works with, as these organisations will likely be storing the patient data being analysed in order to create a vaccine.
Biotechnology, pharma and medical organisations will have to step up their cybersecurity posture in order to keep up with the wave of new attacks. It will no longer be an option, especially given the pressure surrounding the vaccine.
Businesses will need to focus on data recovery, but the threat surface will be dynamic. Protection and recovery must be included in any strategy because successful attackers are taking multiple approaches, while also threatening to expose data they’ve exfiltrated. A strong data protection architecture will be key to ensure endpoints aren’t cluttered unnecessarily with sensitive or confidential data like personal identification information (PII). Instead, the focus should be on backing up such data, and then restoring it temporarily at a future time, if and when required. You back up the data and if you need it down the road you can restore it temporarily. Additionally, organisations should think about more aggressive reminders or maybe even penalties for not following data lifecycles, which will be important to minimise exposure risks.
This astonishing disclosure shows how toothless the United States HIPAA regulations are, and how lax healthcare providers have become when storing patient data. This should serve as a wake-up call for providers to take a fresh look at how they process, maintain, and safeguard patient-identifiable photos.
The easy solution would be to move the image files to a secure server on-premises or host them in a private cloud, and add strong authentication requirements plus logging so it’s apparent which images have been accessed, copied, deleted, or moved. Going a step further, providers should evaluate modern solutions for capturing and managing sensitive patient images.
The cybercriminal spotlight has fallen quite firmly on the global Health and Social Care sector in 2020. Criminals have woken up to the fact that medical data allows an extra layer of leverage when it comes to extortion, ransomware and other activities. The fear, uncertainty and doubt (FUD) created among patients when successful data breaches are made public puts enormous pressure on the victim organisation to come to a resolution, frequently resulting in large and often unreported ransom pay-outs. FUD also leaves patients and other care users incredibly vulnerable to secondary criminal operations like phishing emails. They are far more likely to click on malicious links or respond to unsolicited requests for personal information if they think their medical data is at risk and they may be able to protect it.
The ‘Full Body Exposure’ report highlights just how nebulous healthcare data-sharing networks have become and should be a stark wake-up call to all involved that they should be shining a spotlight on their own networks, policies, and procedures first, before someone else does.