As discussed in our previous post, medical records have a significantly higher value than other forms of data. This creates the incentive for hackers to make concerted and concentrated efforts at medical record theft. Consequently, we would assume that comples security systems guard medical records. After all, gold is one of the most valuable substances in the world; Fort Knox has a security system that reflects this. And, yet, the health care industry continues to be one of the most attacked and most breached industries. What makes medical records ripe for the picking? And what is a hacker’s plan of attack for committing medical record theft?
Medical Record Vulnerabilities
In the first place, health care systems have multiple touch points that transcend organizational boundaries. This creates a huge surface area with multiple entry points to attack, ultimately multiplying their potential exposure and vulnerabilities. Providers and business associates in the entire supply chain share medical records stored on protected servers/the cloud. These servers also need to be reachable from multiple entry points within a single system (e.g. a hospital, clinic, or office), as well as from external ones where record sharing is necessary (e.g. multiple hospitals within a regional network). For example, each nursing-station’s computer, doctor’s office computer, etc., would have access to the stored medical records and represents an entry point.
These entry points proliferate with connections between different hospitals in a regional network. Third-party vendors sometimes require storage server access, or medical devices connect to the network. Each one of these nodes represents an exploitable entry point. Many clinical systems are connected through unsecure channels and, according to a 2017 survey of health care providers, only 16% had a fully functional cybersecurity system.
All of this presents an opportunity for committing medical record theft. But how do hackers attack these entry points?
How Medical Records End Up in the Wrong Hands
We should first note that breaches are not always the result of outside actors – most are “inside jobs.” In some cases, those with legitimate access to the records misuse their access, often for financial gain; this is privilege abuse. In other cases, insiders accidentally expose data, including through losing unencrypted devices containing medical information. Of 450 medical breaches in 2016, 200 resulted from insiders, while only 120 resulted from outsider hacking.
As we mentioned previously, vulnerabilities created by system misconfigurations and set-up errors are the number one cause of breaches is, particularly in relation to hybrid or cloud migration of health care systems. These vulnerabilities expose records to anyone who might stumble upon them. In cases of misconfigurations, such as the Immediata Health Group and University of Washington Medicine breaches, the entry points are unintentionally left open. This provides access to anyone who might try to gain it. Moreover, these misconfigurations allow for search engine web indexing, exposing records even after the misconfiguration has been repaired.
Misconfigurations are a particular problem with the growing surface space of health care systems. As medical systems expand, interconnecting with third-party vendors, more configurations become necessary. Each additional link is another entry point open to possible misconfiguration.
Unauthorized User Access
Unauthorized usr access is the next most common plan of attack for medical record theft. In these situations, hackers gain legitimate credentials to access protected medical records. Phishing schemes is one of many means used to access these credentials. Hackers send emails spoofing the email addresses of someone else within the organization. They gain login and password information when employees unwittingly provide this information to them. Kalispell Regional Healthcare exposed approximately 140,000 medical records after multiple employees responded to phishing emails, providing hackers with login credentials. Alternatively, hackers can gain unauthorized access by hacking or spoofing clients or vendors and using their remote access portals and credentials. Hackers gained access to Hancock Health’s system through a third party vendor’s administrative account.
Hackers can also gain access to medical records through blank and compromised passwords, or non-password protected servers or databases. While a blank password obviously provides an open entry point to medical records, compromised passwords provide an insufficient safeguard because the password or user ID are not strong. In one case, hackers exposed 3.5 million records after discovering that “tester” was both the user ID and password for the Medical Informatics Engineering (MIE) system database. In a different case, Cottage Health servers connected to the Internet without any password protection, exposing their medical records.
Brute Force & Ransomware
If unauthorized user access and exploiting passwords involve subtle means of medical record theft, hackers also use brute force, including malware and ransomware. In these situations, malicious code or programs are installed on the healthcare system. This is typically achieved through phishing scheme-won credentials, or when employees open emails with malicious files. This code diverts medical records to hackers or, in cases of ransomware, it encrypts them and cripples systems. Records are then held hostage until a ransom is paid.
Globally, one of the biggest ransomware attacks in recent years was the WannaCry attacks in 2017, which infected more than 200,000 devices in 150 countries. One of the biggest organizations affected by it was the National Health Services (NHS) in the United Kingdom. Approximately one-third of the NHS Trusts in the UK were infected, at a cleanup cost of approximately £72 million. Given their lacklustre security systems in the context of migration to digital and cloud environments, healthcare systems in the US also experienced a number of high profile attacks in 2019.
Lack of Encryption
Two other vulnerabilities hackers attack are unencrypted medical data and protected data mistakenly stored in public servers. Encryption is a key security practice and unencrypted servers, drives or devices make a hacker’s job significantly easier. Yet, one study suggested that only 65% of healthcare organizations encrypt cloud data. Another study suggested that 20% of organizations don’t use encryption at all. In addition to failing to password protect their company servers, Cottage Health also failed to encrypt their medical records. In a different example, Denton Health Group had an unencrypted drive, containing seven years of medical records, stolen from a storage locker. Similarly, unencrypted medical records stored on public servers are ripe for the picking for hackers. In one case, an internal application was moved to a public server, exposing approximately 7000 medical records from Texas Health and Human Services Commission.
Regulations to Prevent Medical Record Theft
Given the black-market value of medical records, and the concerted efforts of hackers to steal it, government regulations provide guidance on cybersecurity for the healthcare sector. In a future article, we’ll turn to some of the protections and challenges that the Health Insurance Portability and Accountability Act (HIPAA) presents for healthcare cybersecurity.