Millions of patient data records could be easily accessible on the internet!

in #infosec, 5 years ago (edited)


Not very surprising to many in the InfoSec business, but maybe an "eye opener" to the masses now that this has made mainstream headlines on one of the most popular TV news shows in Germany.

“Das Erste” and the “NDR” (North German Broadcasting), public broadcasting services in Germany, have recently and repeatedly reported on information security issues at German doctor’s offices across all medical practices and disciplines. They had help from c’t, a renowned biweekly computer and technology magazine published by the Heise publishing house.

In the most recent news segment the reporters were shown an approach, almost easier than a “script kiddie approach”, to accessing sensitive patient data.
Freely available internet security research services and tools make it shockingly easy to find the internet-facing systems of doctor’s offices and other healthcare-related web sites and services.
Sadly, internet security doesn’t seem to be a high priority here…
Because of all the things malevolent minds could be interested in, healthcare data is obviously not so important and not worth much, right?

Brahaha! Wrong and wrong again! Of course these types of data sets are in high demand for all kinds of illicit activities. Digging a little deeper in the dark web, you can find that the pricing for healthcare data ranges up to 2,000 USD per “patient”.

No need for an evil genius to figure out what can be done, and in fact surely is done, with such sensitive information. Probably at the top of the list, because it is the easiest way to “monetize” such data, would be extortion of unsuspecting patients whose only error was to have chosen an MD, dentist, radiologist and so on that doesn’t give a rat’s ass about information security and OpSec (operational security). Excuse my French…

Using easily accessible web services that are almost intuitive to handle even for the not-so-tech-savvy internet criminal, you can track down hundreds of internet-accessible, healthcare-related hosts with vulnerabilities.

Without getting too deep into the details of such services and approaches, you could call these things “the Googles for easily breachable and exploitable hosts and services”.

Yes, you read this right… it’s really as easy as typing a search request into your favorite internet search engine to find detailed information on the medical services outlined above, together with their weaknesses. On a higher level of sophistication you can use their API (application programming interface) to feed your search results into attack scripts for a whole bunch of attacks on computers, databases and web services.

Using the search term “Praxis”, the German word for a doctor’s office, you can ad hoc see hundreds of web sites and web services popping up on a map. From there you can narrow your search, for instance to specific services, remote login possibilities, all kinds of vulnerabilities and so on.

Of course doctor’s offices that get immediately red-flagged with a bunch of vulnerabilities will at least have a really tight password policy, right? Brahaha! You already guessed it: with high probability such offices will also have weak password policies with easy-to-guess or brute-forceable passwords, so it doesn’t take long to gain remote access to such boxes and explore further possibilities from such a bridgehead. Once you’re “in” you can take all the time you need to find “interesting” data in such an environment. Your health records in any given doctor’s office will contain your standard PII (personally identifiable information) but also your illnesses, therapies, medication and so on.

There might be the one or the other piece of health info you do not want anybody to know about, especially things that right off the bat could be used against you.

Maybe you wouldn’t like your employer learning about your possible addictions, mental health problems or other things that would make them see you with different eyes, or your partner learning that you needed a penicillin shot to fight an STD? You get the picture: beyond identity theft, such information is indeed worth a lot to some, and such data in the wrong hands could give you long-lasting headaches and problems for decades.

Wouldn’t there be others, besides the “standard” extortionist, who have an elevated interest in such data?

Health insurers and the pharmaceutical industry come to mind in an instant, right?

Hmh… I’m not saying that health insurers or someone in the pharmaceutical industry are buying such illegally obtained data, just that there could be elevated interest in such data for obvious reasons. And there are surely others who could put such data to some other use.

This is the thing with third-party risk again…

There’s not much an individual can do to avoid falling victim to such things, but we can at least demand that there be consequences for those who handle people’s sensitive data without the needed care.

IMHO it’s absolutely OK to get loud about such things, especially directed at elected representatives, medical chambers and so on.


On top of all that, Google has been collecting patient data wherever it can, too. See the following article on this:

https://www.axios.com/google-health-records-privacy-505889c6-96a3-44fa-b729-af732e078a19.html

From this article:

"Through its partnerships with health care providers, Google can view tens of millions of patient records in at least three-quarters of states, the Wall Street Journal reports.

Why it matters: Some of these partnerships allow Google to access identifiable information about patients without their or their doctors' knowledge, raising fears about how this data may be used."

So, this isn't just about bad OpSec in the wild but also a classic case of masses of patients signing away their rights to other data collectors in health care, which in turn made deals with Google to share personally identifiable information with Google.

A project that made headlines in this regard was Google's "Project Nightingale". See the following article from The Verge on this:

"Google reveals ‘Project Nightingale’ after being accused of secretly gathering personal health records"


So, was this news to you?

Have you started to think about all the places that “have” your data and have you asked yourself are they good custodians of your and others data?

Let me know what you think about this in the comments if you want!

Cheers!
Lucky


I’m not surprised. Good thing I don’t go to German doctors! ;)

Hahaha! Good one!

I've just used these German, possibly easily breachable systems as an example. Issues like that of course aren't limited to a specific country or region, but you knew that already. :-)

To me the really scary thing is the fact that all kinds of "data collectors" sell collected patient data, for instance to Google (for example Project Nightingale).

People just don't know what they get themselves into with most of these "user agreements" and "terms of usage", or they willfully sign away the right to access their health care records to hospitals, doctors and other institutions that turn around and sell these records to others. You never know where your health history might show up.

Cheers!
Lucky

Indeed. Any concentration of data with perceived value will always attract the attention of both commercial exploiters and data thieves.

I see lots of hospitals and their respective satellite offices moving to Epic. Haven't done much research myself, but I am curious about its security.

Medical data may not seem like a big deal to some... until their insurance companies jack up prices or employers decide not to hire you based on that same data.

Yes! It's like with all the other "available" data.

Down the road nobody cares much about "where it came from", which is understandable in regard to risk-cost minimization, for instance for other health-insured people, right?

Things can become pretty tricky once the cat is out of the bag, or rather, PII data is freely available in the wild, which is why I believe only with fair but draconian individual damage compensation will this get the recognition needed to slowly reduce the number of data and privacy breaches.

Cheers!
Lucky

Hi @doifeellucky

I've missed some of your good posts again. Consider posting new ones via the project.hope community/hive, and it would be great if you could set up a 20% beneficiary to @ph-fund. This will help us grow bigger. And I also prioritize such publications with solid upvotes :)

Cheers
Piotr