30 percent of healthcare databases can be accessed freely, a new report finds.
Up to 30 percent of healthcare databases are exposed online, according to a new report.
The report, written by Ariel Ainhoren, a security researcher at the cybersecurity firm IntSights, shows how easy it is for someone to search for and locate vulnerable or exposed databases, on the dark web and elsewhere.
“Simply knowing where to look (like the IP address, name or protocol of the service used) was often enough to access the data,” Ainhoren wrote.
The team used Google searches, technical documentation for commercial databases, legacy services and new sites, subdomain enumeration and educated guesses about sites, systems and data, all of it freely accessible and requiring no intrusive methods to obtain.
In 90 hours, the team found 15 exposed databases out of the 50 it examined (30 percent), holding 1.5 million exposed records. The team noted that the record count is skewed by a single database that alone held 1.3 million records.
“The rate at which we could discover openly accessible PII (personally identifiable information) and medical data is alarming and should serve as a wakeup call to the healthcare industry that some of their most basic processes are riddled with vulnerability, often due to simple error, oversight and/or misconfiguration,” Ainhoren said.
The report extrapolates that an attacker finding records at the study's rate of 16,667 per hour (1.5 million records in 90 hours), working 40-hour weeks for a full year, would earn the equivalent of a $33 million annual salary. Electronic protected health information (ePHI) and medical data are harder to monetize than credit card numbers, however, and turning health-related data into cash takes a more in-depth campaign.
The researchers listed three motives for attackers targeting the industry: state-sponsored campaigns against critical infrastructure, attackers seeking personal data, and hackers taking control of medical devices for ransom.
Stolen personal data can be used for further fraud or compiled into ePHI lists and sold. Medical IT equipment is also targeted with malware that exploits device-specific flaws and then demands a ransom to release the infected devices.
Health systems need to do a better job of protecting their patient data, and the research team offered a few ways to check if your organization’s data are exposed.
The team suggests using multi-factor authentication to reduce unauthorized access; systems that require only a username and password are easier to break into.
Additionally, monitor for unusually large database reads, which may indicate that an unauthorized party is exfiltrating information, and tighten access control by limiting each user or service to only the specific information it needs.
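One way to put the "monitor large reads" advice into practice, as an added example that is not part of the report or the article: a small detector that parses database audit log entries, builds a per-user baseline from the size of that user's normal reads, and flags any read that either exceeds a hard row limit or is far above that user's median. The log lines below are constructed for the example, and their format (timestamp, user, db, op, table, rows) is an assumption; real audit logs (PostgreSQL pgaudit, MongoDB auditLog, cloud database query logs) carry the same fields under different names.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample audit log lines (not real data, not from the report).
# The 1,300,000-row read mirrors the single oversized database the report
# mentions; the 9,500-row read is large only relative to that user's history.
SAMPLE_AUDIT_LOG = """\
2019-04-01T08:02:11Z user=ehr_app db=patients op=SELECT table=encounters rows=42
2019-04-01T08:05:37Z user=ehr_app db=patients op=SELECT table=encounters rows=17
2019-04-01T08:09:02Z user=ehr_app db=patients op=SELECT table=demographics rows=3
2019-04-01T08:15:44Z user=billing db=patients op=SELECT table=claims rows=210
2019-04-01T08:20:19Z user=billing db=patients op=SELECT table=claims rows=188
2019-04-01T09:01:05Z user=ehr_app db=patients op=SELECT table=encounters rows=55
2019-04-01T09:47:12Z user=reporting db=patients op=SELECT table=demographics rows=1300000
2019-04-01T10:02:33Z user=ehr_app db=patients op=SELECT table=encounters rows=21
2019-04-01T10:10:08Z user=billing db=patients op=SELECT table=claims rows=9500
"""

# Assumed line format; adjust the pattern to your database's audit output.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) db=(?P<db>\S+) op=(?P<op>\S+) "
    r"table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)


def parse_audit_log(text):
    """Parse audit lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["rows"] = int(event["rows"])
        events.append(event)
    return events


def find_large_reads(events, hard_limit=100_000, ratio=20):
    """Return alerts for SELECTs that are absolutely or relatively oversized.

    - hard_limit: any single read returning this many rows or more is flagged,
      regardless of who ran it (a bulk dump of PHI is never routine).
    - ratio: a read is also flagged when it returns at least `ratio` times the
      median size of that user's other reads (the user's own baseline).
    """
    rows_by_user = defaultdict(list)
    for e in events:
        if e["op"] == "SELECT":
            rows_by_user[e["user"]].append(e["rows"])

    alerts = []
    for e in events:
        if e["op"] != "SELECT":
            continue
        # Baseline excludes the event under test so one huge read cannot
        # inflate its own baseline.
        others = list(rows_by_user[e["user"]])
        others.remove(e["rows"])
        baseline = statistics.median(others) if others else None

        reason = None
        if e["rows"] >= hard_limit:
            reason = f"rows={e['rows']} >= hard limit {hard_limit}"
        elif baseline and e["rows"] >= ratio * baseline:
            reason = (f"rows={e['rows']} is {e['rows'] / baseline:.0f}x "
                      f"the user's median read of {baseline:.0f} rows")
        if reason:
            alerts.append({"ts": e["ts"], "user": e["user"],
                           "table": e["table"], "rows": e["rows"],
                           "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in find_large_reads(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"{alert['ts']} ALERT user={alert['user']} "
              f"table={alert['table']}: {alert['reason']}")
```

On the sample log this raises two alerts: the 1,300,000-row dump by `reporting` trips the hard limit, and the 9,500-row read by `billing` is roughly 48 times that account's median and trips the ratio check, while the small `ehr_app` reads stay quiet. In production the baseline should be computed over a longer window than a single day and the thresholds tuned per role, since a reporting service legitimately reads more than a clinician-facing application.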
Third-party threat intelligence and penetration testing let health systems see their exposure the way an attacker would, so they can prioritize how data are stored and secured.