Despite the fact that electronic health records (EHR) contain extremely sensitive information about individuals, it is shockingly easy for malicious actors to get their hands on them, Intsights security researchers have discovered.
It took them some 90 hours to try to gain access to 50 databases used by healthcare organizations, and they found that 15 of them (i.e., 30 percent) were easily discoverable and accessible to anyone who knows where to look and has a basic understanding of healthcare technology solutions.
The researchers concentrated on several popular technologies used for handling medical records, including known and widely used commercial databases, legacy services still in use today, and new sites or protocols that try to mitigate some of the vulnerabilities of past methods.
They perused technical documentation, employed Google and Shodan searches and subdomain enumeration, and relied on some educated guessing about the combination of sites, systems and data to discover exposed data.
“Simply knowing where to look (like the IP address, name or protocol of the service used) was often enough to access the data,” they shared.
The discovered databases or services that allowed access to data include:
- An ElasticSearch database used by a major regional clinic of a big European capital (1.3 million patient records)
- An SMB service used by an Asian hospital
- An exposed FTP server
- Poorly secured EHR systems in the cloud
Many healthcare organizations are struggling to manage all the different access levels and exposure points of their databases, the researchers noted, and pointed out two main factors contributing to this challenge:
- The use of varying software solutions for data storage and sharing, which increases their digital footprint and the possibility of errors, misconfigurations and leaks
- The use of data standardization to make sharing easier. Standard tags, symbols and technology do make data easier to share, but they also allow attackers to more easily figure out the technologies in use and the vulnerabilities they can exploit.
Recommendations for healthcare organizations
Different systems have different security features, but the researchers have pointed out some general best practices that organizations should follow to minimize the possibility of a data breach. They include:
- Limiting database access to specific IP ranges
- Using multi-factor authentication for web applications
- Tightening access control to databases and other resources (give access to fewer users and only to the information they need)
- Monitoring for big or unusual database reads and setting limits to them so that attacks may be spotted quickly and their success limited
- Calling on outside experts to test current defenses and offer advice on improving them.
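As an added illustration of two of these recommendations (restricting database access to known IP ranges, and monitoring for big or unusual reads), and not code from the Intsights report: a small Python checker that runs over a constructed request log for a patient index. The log format, field names, IP range and thresholds are all assumptions.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample request log, one JSON object per line, loosely modelled on
# what a database front end or proxy might record for an EHR index.
# The field names (ts, client, index, op, hits) are assumptions, not a real schema.
SAMPLE_LOG = """\
{"ts": "2019-09-10T08:00:01Z", "client": "10.20.0.5", "index": "patients", "op": "search", "hits": 25}
{"ts": "2019-09-10T08:00:09Z", "client": "10.20.0.5", "index": "patients", "op": "search", "hits": 40}
{"ts": "2019-09-10T08:01:15Z", "client": "203.0.113.77", "index": "patients", "op": "search", "hits": 10000}
{"ts": "2019-09-10T08:01:16Z", "client": "203.0.113.77", "index": "patients", "op": "scroll", "hits": 10000}
{"ts": "2019-09-10T08:01:17Z", "client": "203.0.113.77", "index": "patients", "op": "scroll", "hits": 10000}
{"ts": "2019-09-10T08:02:00Z", "client": "10.20.0.9", "index": "patients", "op": "get", "hits": 1}
"""

# Hypothetical policy: the clinic's application servers live in 10.20.0.0/16,
# a single request may return at most 1,000 records, and one client may read
# at most 5,000 records over the period covered by the log chunk.
ALLOWED_RANGES = [ipaddress.ip_network("10.20.0.0/16")]
MAX_HITS_PER_REQUEST = 1000
MAX_HITS_PER_CLIENT = 5000


def analyse(log_text, allowed=ALLOWED_RANGES,
            per_request=MAX_HITS_PER_REQUEST, per_client=MAX_HITS_PER_CLIENT):
    """Return (alerts, totals): alerts as (kind, client, detail) tuples,
    totals as a dict mapping client IP -> number of records read."""
    totals = defaultdict(int)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        client = rec["client"]
        ip = ipaddress.ip_address(client)
        # Rule 1: reads must originate from the allow-listed IP ranges.
        if not any(ip in net for net in allowed):
            alerts.append(("outside_allowlist", client, rec["ts"]))
        # Rule 2: a single request returning too many records is a bulk read.
        if rec["hits"] > per_request:
            alerts.append(("large_read", client, rec["hits"]))
        totals[client] += rec["hits"]
    # Rule 3: many smaller reads that add up to an export of the whole index.
    for client, n in totals.items():
        if n > per_client:
            alerts.append(("bulk_export", client, n))
    return alerts, dict(totals)
```

In the sample, the two internal clients stay under every threshold while the external client trips all three rules, which is the pattern a bulk copy of an exposed index would leave behind.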
It stands to reason that we would all prefer that none of our data – whether personal, financial or health data – gets stolen and misused by malicious actors, but unfortunately it happens too often.
But while financial information can be changed, the information contained in electronic health records cannot and will not be, which means that securing this data should be imperative for healthcare organizations.
As researchers affiliated with the Institute for Critical Infrastructure Technology pointed out a while ago, the medical identity theft that occurs as a result of the compromise of EHRs from healthcare organizations can financially devastate victims and presents a critical risk to their physical health.
“Due to the longevity of the [electronic health] record, adversaries may continue to exchange and exploit the compromised information for the rest of the victim’s life. For some, such as children, this can drastically hinder their future financial stability and limit the potential lives that they could lead,” they added.
The going rate for one EHR on online black markets is currently estimated at $1, which is much lower than the price of a single credit card record. This is because it takes scammers more effort and time to successfully use the information in EHRs to “earn” money (e.g., by extortion) or get additional and more useful information (e.g., via phishing).