IntSights, a security threat intelligence services reviewer, has released a recent study entitled “Chronic [Cyber] Pain: Exposed & Misconfigured Databases in the Healthcare Industry”. The report highlights how easily accessible huge amounts of healthcare data is available online. The data was determined to be exposed due to misconfigured databases.
Study Overview, Methods, and Findings
IntSights researchers used Google and Shodan, another search engine, for the study. The study was directed at commonly used technologies for handling medical records and well-known commercially available databases. No sophisticated hacking techniques were used during the study in order to determine how facile it would be for a relatively inexperienced person to access potentially sensitive information. The researchers limited themselves to Google and Shodan searches, technical documentation, subdomain enumeration, and educated guesses about the combination of sites, systems and data.
The study had researchers evaluate 50 databases over 90 hours. In those sample databases, 15 exposed databases were found. In total, this corresponded to 1.5 million health records. However, it should be noted that one database alone contained 1.3 million records, causing researchers to comment that the results “may be a bit exaggerated.” Using this figure, Intsights estimated 30% of healthcare databases are exposed online.
Medical records have a high black-market value, due to their utility in committing identity theft and other types of fraud. Therefore, medical records are a particularly lucrative target for hackers. However, as demonstrated by the researchers, one does not need to have particularly well-developed computer skills to be able to access huge amounts of medical data, and therefore turn the corresponding profit. Even with a conservative estimate of a price of $1 per medical record on the black market, that would mean a full-time hacker could earn $33 million per year.
“Even if it is exaggerated, hackers can find a large number of records in just a few hours of work, and this data can be used to make money in a variety of ways,” the researchers wrote.
“Although our findings were not statistically significant, our [database exposure] rate of 30% is fairly consistent with what we’re seeing across all industries for exposed assets,” explained Intsights in the report.
Why data is accessible online
There is a huge surge in the medical sector for innovative ways of storing huge amounts of medical information. One possible solution is the “cloud”, which allows individuals or organisations to store data online. The cloud offers healthcare organizations the opportunity to cut back on the costs of expensive in-house data centers. Cloud service providers are aware of data privacy laws and have all the necessary safeguards in place to keep sensitive data secure. However, the issue arises when users of the cloud fail to activate the safeguards and configure them correctly.
The IntSights report blames the huge amount of data available online to “a lack of process, training, and cybersecurity best practices”. This issue is not unique to the healthcare industry, but poses a problem other industry sectors that use cloud-based computing. A greater awareness of the risks involved with improperly configured cloud accounts is needed across the board. Luckily, this source of data breaches has a direct solution; relatively simple steps must be taken to ensure that the database is configured correctly. Once done, the data is protected from all but the most sophisticated hacking attempts.
The researchers found healthcare data at rest and in motion, meaning being transferred from one facility to another. The researchers identified open Elasticsearch databases, which can be found using the search engine Shodan.
Unsurprisingly, given the number of cases of misconfigured MongoDB databases that have been discovered this year, the researchers found a misconfigured MongoDB database used by a Canadian healthcare provider.
In addition to databases, the researchers noted one healthcare provider was using vulnerable SMB services despite the recent WannaCry attacks and one U.S hospital was using an exposed FTP server.
“FTP’s usually hold records and backup data and are kept open to enable backup to a remote site. It could be a neglected backup procedure left open by IT that the hospital doesn’t even know exists,” wrote Intsights.
“Healthcare budgets are tight, and if there’s an opportunity to purchase a new MRI machine versus make a new IT or cybersecurity hire, the new MRI machine often wins out. Healthcare organizations need to carefully balance accessibility and protection,” explained Intsights analyst, Ariel Ainhoren.