About 30 percent of online healthcare databases are left exposed online due to misconfiguration, according to a recent report from IntSights.
The researchers scoured the internet to determine how easy it would be for a hacker to access online healthcare data. Using just Google, technical documentation, subdomain enumeration, and other non-intrusive methods, the researchers found a trove of databases that required no intrusive techniques to reach.
Of the 50 databases evaluated, the researchers found 15 exposed databases with about 1.5 million records. The rate of 30 percent is consistent with what is being seen across other sectors, researchers found.
In fact, a similar evaluation of DevOps sites found about 23 percent of those servers were open to the internet.
The researchers also noted that one database contained about 1.3 million patient records, so the amount “may be a bit exaggerated.” However, several breaches caused by misconfigured databases in the last year have included well over a million records.
For example, Hova Health, a telemedicine vendor, breached the data of 2.4 million patients when it misconfigured its MongoDB database in August 2018.
“Even if it is exaggerated, hackers can find a large number of records in just a few hours of work, and this data can be used to make money in a variety of ways,” the researchers wrote.
Further, records can be found at a rate of 16,667 per hour. For example, the largest database the researchers discovered belonged to a major regional clinic and ran on Elasticsearch, a widely used search and analytics engine. The instance was not protected by a third-party security package or hidden from the public web, so the researchers accessed the data simply by entering the server's IP address.
Shodan.io, a popular search engine for internet-connected devices, can help organizations scan the internet to determine whether they have an exposed database. However, hackers can also use the tool to find these data troves.
SMB ports were also assessed by the researchers. These ports were the access point for the global WannaCry attack of May 2017, but are still commonly used by hackers.
“SMB has poor security features and should not be exposed to the public web,” the researchers wrote. “With that said, many old backup services use SMB to communicate and transfer files. Many of these services are kept as legacy services and are easily accessible from the web.”
Despite the risk and the WannaCry cyberattack, healthcare organizations are still exposing these ports to the public.
But exposed FHIR servers were perhaps the most notable finding. The FHIR standard is used to exchange electronic health records easily and has sound security features.
“But healthcare organizations still misconfigure this service, making their medical records publicly available,” the researchers wrote. “Even with security measures in place, sometimes the number of clients that access this service makes it very hard to track who has the API key to access the server.”
“Healthcare organizations are not doing a very good job of protecting their patient data,” they continued. “With simple search techniques and a basic understanding of how these systems work, you can find an endless amount of ePHI data.”
Healthcare organizations need a better grasp of the digital assets found on their servers – and potential exposures. The researchers recommend the use of multi-factor authentication for web-based apps and tighter access controls on resources, including limiting the number of credentials to each database.
Further, online databases need to be monitored for unusual database reads. To take it a step further, IT teams can limit database access to a specific IP range, which will provide tighter controls. Pen testing can also help organizations better understand system vulnerabilities, once an organization has elevated its security program.
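As an added illustration of the two controls recommended above, monitoring for unusual database reads and restricting database access to a specific IP range, the following Python script is example code written for this article, not part of the IntSights report or of any database product. It parses a handful of constructed database access log lines in a hypothetical format, sums documents read per client, and flags clients that connect from outside an assumed allowed subnet or whose read volume exceeds an assumed threshold.

```python
"""Flag out-of-range clients and unusual bulk reads in constructed database access logs."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines in a hypothetical format (not Elasticsearch's or
# MongoDB's own log format): timestamp, client address, operation, index, docs returned.
SAMPLE_LOG = """\
2019-08-12T10:15:01Z client=10.0.4.17 op=read index=patients docs=120
2019-08-12T10:15:07Z client=10.0.4.22 op=read index=patients docs=45
2019-08-12T10:16:30Z client=10.0.4.17 op=write index=patients docs=3
2019-08-12T10:17:02Z client=198.51.100.9 op=read index=patients docs=20000
2019-08-12T10:17:40Z client=198.51.100.9 op=read index=patients docs=25000
2019-08-12T10:18:11Z client=10.0.4.22 op=read index=billing docs=30
"""

# Assumed policy: only the application subnet may talk to the database, and no
# single client should read more than this many documents in the log window.
ALLOWED_RANGES = [ipaddress.ip_network("10.0.4.0/24")]
MAX_READ_DOCS_PER_CLIENT = 5000

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) op=(?P<op>\w+) "
    r"index=(?P<index>\S+) docs=(?P<docs>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["docs"] = int(rec["docs"])
    return rec


def client_allowed(client, allowed=ALLOWED_RANGES):
    """True if the client address falls inside one of the permitted networks."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return False  # unparsable address is never trusted
    return any(addr in net for net in allowed)


def read_totals(log_text):
    """Sum documents returned by read operations, per client, over the whole log."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["op"] == "read":
            totals[rec["client"]] += rec["docs"]
    return dict(totals)


def find_anomalies(log_text, allowed=ALLOWED_RANGES, max_docs=MAX_READ_DOCS_PER_CLIENT):
    """Return a list of (client, reason) findings for out-of-range access and bulk reads."""
    findings = []
    seen_out_of_range = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client = rec["client"]
        if not client_allowed(client, allowed) and client not in seen_out_of_range:
            seen_out_of_range.add(client)
            findings.append((client, "access from outside the allowed IP range"))
    for client, docs in read_totals(log_text).items():
        if docs > max_docs:
            findings.append((client, f"read volume {docs} exceeds threshold {max_docs}"))
    return findings


if __name__ == "__main__":
    for client, reason in find_anomalies(SAMPLE_LOG):
        print(f"ALERT {client}: {reason}")
```

In the constructed sample, the two reads from 198.51.100.9 trip both rules: the address is outside 10.0.4.0/24, and its 45,000 documents dwarf the few hundred the in-range clients pull. In practice the allowed ranges and threshold would come from the organization's own network policy and a measured baseline of normal read volume, and the same check should be enforced at the network layer rather than only detected after the fact.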
Unlike with hacking or insider threats, misconfigured databases have a direct solution. Security teams can evaluate these platforms and ensure the security controls are in place to keep online data secure.
“As healthcare organizations attempt to move data online and increase accessibility for authorized users, they’ve dramatically increased their attack surface, providing cybercriminals with new vectors to steal ePHI,” the researchers wrote. “Yet, these organizations have not prioritized investments in cybersecurity tools or procedures.”
“Healthcare budgets are tight, and if there’s an opportunity to purchase a new MRI machine versus make a new IT or cybersecurity hire, the new MRI machine often wins out,” they added. “Healthcare organizations need to carefully balance accessibility and protection.”