Large Health Care Organizations Could Be Leaking Patient Data
June 27, 2014 in News
Many large health care organizations are not properly protecting patient data and might be leaving systems and equipment susceptible to Internet hackers, according to case studies conducted by two independent researchers, Wired reports.
The researchers — Scott Erven, head of information security for Essentia Health, and Shawn Merdinger, an independent consultant — presented their findings this week at the Shakacon conference.
Details of Case Studies
Last year, Erven and his colleagues completed a two-year study on the safety of Essentia’s medical equipment. During the review, they found that hackers could:
- Manipulate dosages given to patients from drug infusion pumps;
- Deliver random defibrillator shocks to a patient or prevent a medically needed shock from occurring; and
- Change the temperature settings in refrigerators holding blood and drugs.
Looking more broadly, Erven and Merdinger then searched the Internet for health care organizations whose systems were exposed online and leaking information.
In just 30 minutes, they found one health care organization that was leaking data on 68,000 systems. Among the systems with exposed data, the researchers were able to identify:
- 488 cardiology systems;
- 323 picture archiving and communication systems, including radiology systems for reading X-rays;
- 32 pacemaker systems;
- 21 anesthesiology systems; and
- An unspecified number of telemetry systems used mostly in infant-abduction prevention systems and to monitor elderly patients.
The issue extended past the one organization, also compromising the data of third-party networks, such as provider groups, pharmacies and laboratories.
Reasons for Data Leaks
Erven and Merdinger found that the organizations were leaking data because of Internet-connected computers that had not been configured securely.
The data leak occurred because system administrators had enabled Server Message Block — a protocol often used to help administrators identify and communicate with computers on an internal network — and configured it to broadcast information externally, making information that should be available only to network staff visible to any outsider.
The researchers emphasized that the issue does not pertain to only a few organizations but rather is a “global health care organization issue” that includes thousands of organizations.
Erven notes that too often organizations are focused solely on HIPAA compliance and not enough on penetration testing and vulnerability maintenance.
He recommended disabling the SMB service on external systems or ensuring that it communicates data only internally (Zetter, Wired, 6/25).
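One way an administrator can check for the misconfiguration described above, as an added example that is not part of the article or the researchers' work: audit inbound firewall rules and flag any that allow SMB (TCP 139/445) from a source outside the internal address ranges. The rule format and the sample rule set are constructed for this example.

```python
"""Flag inbound firewall rules that expose SMB to non-internal sources."""
from ipaddress import ip_network

# NetBIOS session service and SMB over TCP
SMB_PORTS = {139, 445}

# Address ranges treated as "internal" for this audit (RFC 1918, loopback, link-local).
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def is_internal(cidr: str) -> bool:
    """True only if the whole CIDR lies inside one of the internal ranges."""
    net = ip_network(cidr, strict=False)
    return any(net.version == inner.version and net.subnet_of(inner)
               for inner in INTERNAL_NETS)


def smb_exposures(rules):
    """Return the allow rules that let SMB in from a non-internal source.

    Each rule is a dict (constructed format, not a vendor format) with keys
    name, action ("allow"/"deny"), proto ("tcp"/"udp"), src (CIDR), ports (list).
    """
    findings = []
    for rule in rules:
        if rule["action"] != "allow" or rule["proto"] != "tcp":
            continue
        if not (set(rule["ports"]) & SMB_PORTS):
            continue  # rule does not touch SMB ports
        if not is_internal(rule["src"]):
            findings.append(rule)
    return findings


# Constructed sample rule set: one LAN-only SMB rule (fine), one SMB rule open
# to the world, one unrelated HTTPS rule, and one SMB rule for an outside partner.
SAMPLE_RULES = [
    {"name": "smb-from-lan", "action": "allow", "proto": "tcp", "src": "10.0.0.0/8", "ports": [445]},
    {"name": "smb-any", "action": "allow", "proto": "tcp", "src": "0.0.0.0/0", "ports": [139, 445]},
    {"name": "https-any", "action": "allow", "proto": "tcp", "src": "0.0.0.0/0", "ports": [443]},
    {"name": "smb-partner", "action": "allow", "proto": "tcp", "src": "203.0.113.0/24", "ports": [445]},
]

if __name__ == "__main__":
    for r in smb_exposures(SAMPLE_RULES):
        print(f"SMB exposed externally by rule {r['name']} (src {r['src']}, ports {r['ports']})")
```

Rules that match only the LAN range pass; the two rules that admit SMB from outside the internal ranges are the ones to disable or narrow, which is the remediation the article recommends.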