Researchers hacked 1.5 million private medical records using Google search terms and lucky guesses. Why isn’t healthcare taking cybersecurity more seriously?
A newly released study from IntSights reveals that the medical sector is failing to address the growing number of vulnerabilities that patient records databases face from unwanted intrusion. While the IT sector was focused on Cybersecurity Awareness Month in October, IntSights found that the healthcare sector is falling further behind in terms of protecting databases of patients’ medical histories. The problem is compounded by healthcare organizations having to choose between cybersecurity upgrades and better equipment to meet the medical needs of an aging population.
Healthcare IT specialist Don Baham from Nashville IT services company, Kraft Technology Group offers insights into protecting patient data and patient care.
Study Reveals Major Patient Database Vulnerabilities
One alarming aspect of the IntSights study was that researchers were able to penetrate many medical systems without using sophisticated hacking techniques. Researchers used Google searches, looked at subdomain enumeration and made some educated guesses on how to access patient records. After evaluating 50 separate databases, researchers were able to access patient medical records in 15 of them using methods that a layman could easily recreate.
Here were some of the exposed records that researchers were easily able to access:
- A database from a regional clinic with 1.3 million patient records
- A local clinic’s database
- A hospital’s exposed SMB Service Protocol
- A clinical data repository’s exposed FHIR protocol
Using an exposed third-party management system, researchers were also able to access the entire database of a Texas EHR system by typing in the URL of the admin console. In total, the researchers were able to access 30 percent of the databases tested and gained access to more than 1.5 million exposed medical records. As the researchers noted, “Hackers can find a large number of records in just a few hours of work, and this data can be used to make money in a variety of ways.”
Increased Accessibility Leads to Increased Vulnerabilities
Compounding the problem is the fact that federal regulations are now seeking to increase accessibility and information-sharing between medical organizations, with the goal of improving patient care. As cybersecurity experts have noted, this simply creates a larger attack surface for hackers.
As an example, a healthcare organization may keep its records on a local database. Yet due to increased accessibility, several partner organizations have access to the database through shared web API protocols. Even if the manager of the database has top-notch security protocols in place, all that is required is for one of the partner organizations to lose track of an API key, to expose all local patient records.
Spending Priorities: Cybersecurity vs. Patient Care
Researchers conclude that spending priorities in the already cash-strapped healthcare industry are driving the problem of cybersecurity vulnerabilities. “Healthcare budgets are tight,” the researchers note. “If there’s an opportunity to purchase a new MRI machine versus make a new IT or cybersecurity hire, the new MRI machine often wins out.”
IntSights researchers make several recommendations to shore up vulnerabilities:
- Set up limits on large database reads and require manual confirmation
- Limit database access to specific IP addresses
- Leverage third-party intelligence to find vulnerabilities before hackers do
The study’s conclusion is that healthcare providers must increasingly focus on protecting patient data from unwanted intrusion, despite budget considerations that cause the industry to lean in favor of medical technology upgrades. In the battle between patient privacy and patient care, privacy is currently losing.
