Epic HIPAA Fail: Over 1 Billion Medical Records Exposed Online

Repeated warnings from security researchers fell on deaf ears as doctors and hospitals ignored the risks and millions of medical images leaked onto the internet every day, according to a joint report by TechCrunch and health news site The Mighty. Researchers spent weeks notifying healthcare providers and institutions to no avail. It appears that even a massive HIPAA violation isn’t enough to make security a priority issue.

Comforte’s Felix Rosbach

“While it is not always possible to prevent malicious access, sophisticated data protection is a must when processing and storing sensitive information — especially PII and health care records. These are core requirements of data privacy regulations like HIPAA and GDPR, and there might be fines coming up for this,” said Felix Rosbach, product manager at data security company comforte AG.

Unfortunately, cybersecurity is given little priority in health care environments, despite heavy regulations pushing the need for it.

“Often, security compliance is managed as a subset of medical compliance, and therefore cybersecurity takes a back seat,” said Colin Bastable, CEO of security awareness and training company Lucy Security.

Knowledge gaps on how networks and systems work are contributing factors in security issues as well.

“Unfortunately, most of the medical world thinks it exists in isolation, in its own private cloud, which is clearly unrealistic. It often appears that most medical professionals don’t understand that so much information is globally accessible,” said Bastable.

“It’s no wonder health care tops the charts every year as the No. 1 at-risk sector for cybercriminals,” Bastable added.

The most common cause for medical image and data leakage is found in network configurations.

Juniper Networks’ Mounir Hahad

“Generally speaking, in this kind of situation, it’s the configuration of the network which is at fault before anything else. No system handling sensitive data should be accessible from the internet without the need for a VPN or some strong authentication method. The DICOM protocol itself was developed a long time ago and did not take into consideration the implications of cybersecurity,” said Mounir Hahad, head of Juniper Threat Labs at Juniper Networks.

Some health care companies try to add security by moving to the cloud, often with mixed results.

“It is often the case when legacy applications are moved from fortified data centers into cloud environments that data leaks occur. Those applications and databases may not have the adequate security considerations to guarantee confidentiality of data; therefore, it is necessary to resort to technologies like secure software-defined networks to provide deployment security,” Hahad added.

MSSPs serving the health care industry clearly have their work cut out for them, not only in terms of adding layers of security and increasing educational efforts to include lessons on how medical data and images leak online, but in persuading the medical community to take a more comprehensive and less patchwork approach to security.

“Insecurity is compounded by the highly fragmented and outsourced nature of the U.S. health care landscape. The need for multiple parties to have prompt access to all medical data ensures that convenient access takes precedence over basic authentication and authorization security,” Bastable said.

Even so, health care isn’t that much different from other types of businesses, at least in terms of risk exposure.

“The massive amount of data sets combined with the number of freely accessible PACS systems that were configured in similar ways shows that protecting data still is a major challenge for organizations in all verticals,” said Rosbach.