30% of Healthcare Databases Misconfigured and Accessible Online

A recent study by the enterprise threat management platform provider Intsights has revealed an alarming amount of healthcare data is freely accessible online as a result of exposed and misconfigured databases.

While a great deal of attention is being focused on the threat of cyberattacks on medical devices and ransomware attacks, one of the primary reasons why hackers target healthcare organizations is to steal patient data. Healthcare data is extremely valuable as it can be used for a multitude of nefarious purposes such as identity theft, tax fraud and medical identity theft. Healthcare data also has a long lifespan – far longer than credit card information.

The failure to adequately protect healthcare data is making it far too easy for hackers to succeed.

Healthcare Organizations Have Increased the Attack Surface

The cloud offers healthcare organizations the opportunity to cut back on the costs of expensive in-house data centers. While cloud service providers have all the necessary safeguards in place to keep sensitive data secure, those safeguards need to be activated and configured correctly.

Healthcare organizations that have moved data to the cloud have increased the attack surface, yet a substantial percentage have not effectively managed the risks and have left healthcare data exposed.

The problem is not the use of the cloud, but “a lack of process, training, and cybersecurity best practices,” according to Intsights. The problem is also not confined to the healthcare industry, as other industry sectors face the same problems, but healthcare organizations face greater risks as hackers are searching for healthcare data.

The Intsights report concentrates on exposed healthcare databases which are increasingly being targeted by hackers due to the large volumes of valuable data that can be obtained and the ease of gaining access to those databases. Many are left totally unprotected. All hackers need to know is where to look.

16,667 Exposed Medical Records Identified Per Hour

For the study, the researchers looked at two commonly used technologies for handling medical records and well-known commercially available databases.

The researchers wanted to demonstrate just how easy it is to find healthcare data. They used no hacking techniques to find the exposed data, only Google and Shodan searches, technical documentation, subdomain enumeration, and educated guesses about the combination of sites, systems and data.

After 90 hours of research and evaluations of 50 databases, 15 exposed databases were found. Those databases contained 1.5 million health records. That’s a rate of 16,667 medical records per hour. Even with a conservative estimate of a price of $1 per medical record on the black market, that would mean a full-time hacker could earn $33 million per year. Intsights estimated 30% of healthcare databases are exposed online.

“Although our findings were not statistically significant, our [database exposure] rate of 30% is fairly consistent with what we’re seeing across all industries for exposed assets,” explained Intsights in the report.

The researchers found healthcare data at rest and in motion. The researchers identified open Elasticsearch databases, which can be found using the search engine Shodan. One of those databases contained the records of 1.3 million patients. The records came from a large healthcare clinic in a major European capital city.

Unsurprisingly, given the number of cases of misconfigured MongoDB databases that have been discovered this year, the researchers found a misconfigured MongoDB database used by a Canadian healthcare provider.

In addition to databases, the researchers noted one healthcare provider was using vulnerable SMB services despite the recent WannaCry attacks, and one U.S. hospital was using an exposed FTP server. “FTP’s usually hold records and backup data and are kept open to enable backup to a remote site. It could be a neglected backup procedure left open by IT that the hospital doesn’t even know exists,” wrote Intsights.

“Healthcare budgets are tight, and if there’s an opportunity to purchase a new MRI machine versus make a new IT or cybersecurity hire, the new MRI machine often wins out. Healthcare organizations need to carefully balance accessibility and protection,” explained Intsights analyst, Ariel Ainhoren.

The report – Chronic [Cyber] Pain: Exposed & Misconfigured Databases in the Healthcare Industry – can be downloaded from this link.

This is not a sponsored link. HIPAA Journal has no business relationship with Intsights. The report is recommended by HIPAA Journal to help healthcare providers understand their cybersecurity threats.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.