HIPAA be damned – medical records, including images and data, on more than five million patients in the U.S. and millions of others worldwide lie unprotected online in full view of anyone with the wherewithal to look and a web browser.
A ProPublica investigation unearthed 187 servers in medical systems across the country that aren’t protected by passwords or basic security measures, citing a MobilexUSA server that exposed the names of more than a million patients, accessible by entering a simple data query.
The probe, done in collaboration with German TV network Bayerischer Rundfunk, found data from more than 16 million scans around the globe, including names and birthdates as well as Social Security numbers in some cases.
As the prevalence of exposed medical data shows, “there are still doctor’s offices that have their main servers open to the internet, with insecure Windows server remote desktop protocol (RDP) port 3389 open for easy access,” said Rehan Bashir, managing security consultant at Synopsys. “This allows doctors and their staff to access the office network to retrieve patient healthcare data remotely and conveniently,” but many of the “offices do not even use secure virtual private networks (VPNs) for remote access.”
Noting “that easy-to-guess passwords were being used and shared among office staff members for convenience,” Bashir said, “such remote access methods are an open invitation for malicious users to compromise the confidentiality and integrity of patient healthcare data.”
While large healthcare facilities can pony up for “dedicated IT staff to manage their systems and to implement security controls,” he said “smaller providers generally don’t and thus are more vulnerable to healthcare data breaches,” making it all the more important for them to “go above and beyond the compliance paper exercises and implement technical security controls and continuous monitoring.”
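The continuous monitoring Bashir recommends can start with something as simple as watching firewall logs for accepted inbound RDP (TCP 3389) connections that originate outside the practice’s own address space. The script below is an added example, not code from the article, ProPublica, or Synopsys; the log line format, the firewall name, and the internal network list are all constructed assumptions for illustration, and the sample lines are invented.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample firewall log lines for this example (not from any real system).
SAMPLE_LOG = """\
2019-09-17T08:01:12Z fw01 ACCEPT src=203.0.113.45 dst=10.0.5.20 proto=tcp dport=3389
2019-09-17T08:01:13Z fw01 ACCEPT src=10.0.2.11 dst=10.0.5.20 proto=tcp dport=3389
2019-09-17T08:02:40Z fw01 DROP src=198.51.100.7 dst=10.0.5.20 proto=tcp dport=3389
2019-09-17T08:03:05Z fw01 ACCEPT src=203.0.113.45 dst=10.0.5.20 proto=tcp dport=3389
2019-09-17T08:03:59Z fw01 ACCEPT src=192.0.2.88 dst=10.0.5.21 proto=tcp dport=443
2019-09-17T08:04:10Z fw01 ACCEPT src=192.0.2.88 dst=10.0.5.22 proto=tcp dport=3389
"""

# Assumed log format: "<timestamp> <host> <ACCEPT|DROP> src=.. dst=.. proto=.. dport=.."
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<action>ACCEPT|DROP)\s+"
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)$"
)

# Assumed internal address space (RFC 1918 plus loopback); a real deployment
# would list the practice's actual networks and its VPN concentrator's pool here.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Ports that should only ever be reachable through the VPN, never from the internet.
REMOTE_ACCESS_PORTS = {3389: "rdp"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip):
    """True if the address falls inside one of the assumed internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_exposed_remote_access(log_text):
    """Return accepted connections to a remote-access port from a non-internal source.

    Dropped packets are ignored: a blocked scan is noise, an accepted session is
    evidence that the port is open to the internet.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue
        if rec["dport"] not in REMOTE_ACCESS_PORTS or is_internal(rec["src"]):
            continue
        rec["service"] = REMOTE_ACCESS_PORTS[rec["dport"]]
        findings.append(rec)
    return findings


def summarize(findings):
    """Count accepted external connections per (destination host, port)."""
    return Counter((f["dst"], f["dport"]) for f in findings)


if __name__ == "__main__":
    hits = find_exposed_remote_access(SAMPLE_LOG)
    for (dst, port), n in summarize(hits).items():
        print(f"{dst}:{port} accepted {n} connection(s) from outside the internal networks")
```

Run against a firewall export, any host that appears in the summary has RDP reachable from the internet and should be moved behind the VPN; the internal-network list is the part that must be kept accurate, since an address missing from it will be reported as external.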
Dan Lyon, senior principal security consultant at Synopsys, said, in addition to having fewer resources, smaller and independent providers have limited “knowledge about medical devices and security of the systems that they use to deliver patient care.” Some systems could be secured with a few quick changes but others, such as medical devices with hardcoded passwords, “cannot be changed by the healthcare delivery organization, even if they know about them,” he said.
“While these devices are not supposed to be available on the internet, all it takes is a misconfiguration that exposes the device, or a simple breach into a supposedly secure network that then exposes a weak device to internet-based attacks,” said Lyon, who noted the dangers presented to data integrity by malware that can alter medical images and lead to misdiagnoses.