Research from Digital Shadows found imaging files particularly vulnerable.

Health data security exposures doubled in one year, report says

By Nathan Eddy
09:32 AM

There has been a 50 percent increase in the exposure of medical-related data over the past year, according to a report from Digital Shadows, a San Francisco-based provider of digital risk protection solutions.

WHY IT MATTERS

Most of the healthcare-specific exposure the firm detected consisted of DICOM imaging files, the standard format used to store and transfer medical images within a Picture Archiving and Communication System (PACS) architecture.
Overall, Digital Shadows analysts uncovered roughly 4.7 million medical-related files exposed through online file stores.
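An exposed DICOM file leaks more than an image: the header itself carries the patient's identity. The following is an added example written for this page, not code from the Digital Shadows report or the article. It is a minimal DICOM Part 10 reader in Python that checks the 128-byte preamble and "DICM" magic, walks the explicit VR little endian data elements, and reports the patient-identifying tags found in the header. The sample file, patient values and tag selection are constructed for the demonstration; implicit VR transfer syntaxes and undefined-length sequences are rejected rather than parsed, so for real archives use a full library such as pydicom.

```python
import struct

# Tags from the DICOM patient module that identify a person; their presence in a
# file reachable from the internet is protected health information (PHI).
PHI_TAGS = {
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate",
    (0x0010, 0x0040): "PatientSex",
}

# VRs whose explicit-VR encoding uses 2 reserved bytes followed by a 4-byte length.
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}


def encode_element(group, elem, vr, value):
    """Encode one data element in explicit VR little endian (used only to build the sample)."""
    if len(value) % 2:  # values are padded to even length: NUL for UI/OB, space for text VRs
        value += b"\x00" if vr in (b"UI", b"OB") else b" "
    header = struct.pack("<HH2s", group, elem, vr)
    if vr in LONG_VRS:
        return header + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return header + struct.pack("<H", len(value)) + value


def build_sample_dicom():
    """Constructed, minimal Part 10 file: preamble, 'DICM', file meta group, small dataset."""
    meta = encode_element(0x0002, 0x0010, b"UI", b"1.2.840.10008.1.2.1")  # Explicit VR Little Endian
    meta = encode_element(0x0002, 0x0000, b"UL", struct.pack("<I", len(meta))) + meta
    dataset = b"".join([
        encode_element(0x0008, 0x0060, b"CS", b"MR"),          # Modality
        encode_element(0x0010, 0x0010, b"PN", b"DOE^JANE"),    # PatientName (constructed value)
        encode_element(0x0010, 0x0020, b"LO", b"MRN0012345"),  # PatientID (constructed value)
        encode_element(0x0010, 0x0030, b"DA", b"19700101"),    # PatientBirthDate (constructed value)
        encode_element(0x7FE0, 0x0010, b"OB", bytes(16)),      # PixelData placeholder
    ])
    return bytes(128) + b"DICM" + meta + dataset


def is_dicom(data):
    """Part 10 files carry a 128-byte preamble followed by the magic bytes 'DICM'."""
    return len(data) >= 132 and data[128:132] == b"DICM"


def iter_elements(data):
    """Yield (tag, vr, raw_value) for each top-level element of an explicit VR LE file.

    Assumes the dataset uses the same transfer syntax as the file meta group. Implicit VR
    files and undefined-length elements raise ValueError instead of being misparsed."""
    if not is_dicom(data):
        raise ValueError("not a DICOM Part 10 file")
    pos, end = 132, len(data)
    while pos + 6 <= end:
        group, elem, vr = struct.unpack_from("<HH2s", data, pos)
        pos += 6
        if not (vr.isalpha() and vr.isupper()):
            raise ValueError("VR field is not alphabetic: file is probably implicit VR")
        if vr in LONG_VRS:
            if pos + 6 > end:
                raise ValueError("truncated element header")
            (length,) = struct.unpack_from("<I", data, pos + 2)
            pos += 6
        else:
            if pos + 2 > end:
                raise ValueError("truncated element header")
            (length,) = struct.unpack_from("<H", data, pos)
            pos += 2
        if length == 0xFFFFFFFF:
            raise ValueError("undefined-length element not supported in this example")
        if pos + length > end:
            raise ValueError("element length runs past end of file")
        yield (group, elem), vr, data[pos:pos + length]
        pos += length


def find_phi(data):
    """Map PHI tag name -> decoded value for every identifying tag present in the header."""
    found = {}
    for tag, vr, value in iter_elements(data):
        if tag in PHI_TAGS:
            found[PHI_TAGS[tag]] = value.decode("ascii", "replace").strip(" \x00")
    return found


if __name__ == "__main__":
    sample = build_sample_dicom()
    print(is_dicom(sample), find_phi(sample))
```

Run against a directory of files pulled from an open share, the same `find_phi` loop gives a quick count of how many of the exposed objects carry a name, MRN or birth date, which is the figure a privacy officer or HIPAA breach assessment needs.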

The report recommended that health care providers secure every server in a PACS architecture, including HL7 and DICOM servers.

Much of this exposure was due to misconfiguration of commonly used file storage technologies; nearly half of the files were exposed through the Server Message Block (SMB) protocol, a file-sharing protocol first designed in 1983.
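The SMB exposures the report counts are typically shares that Samba (or a NAS running it) serves without credentials. As an added example written for this page, not from the report or the article, the Python below shows a constructed smb.conf with one anonymously readable share beside a corrected version, and a small audit function that flags the weak settings. The share names, paths and group name are made up for the illustration; the parser is deliberately minimal and ignores Samba features such as `include`, `copy` and line continuations.

```python
SMB_YES = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Minimal smb.conf reader -> {section: {key: value}} with lowercased names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_smb_conf(text):
    """Return findings describing anonymous read exposure in an smb.conf.

    'guest ok' (synonym 'public') is per share but may be inherited from [global];
    Samba's default is 'no'. 'map to guest' in [global] turns failed logins into
    guest sessions, which widens who reaches a guest-ok share, so it is reported too."""
    conf = parse_smb_conf(text)
    global_ = conf.get("global", {})
    findings = []
    map_to_guest = global_.get("map to guest", "never").lower()
    if map_to_guest != "never":
        findings.append(f"[global] map to guest = {map_to_guest}: failed logins become guest sessions")
    for name, share in conf.items():
        if name == "global":
            continue
        guest = share.get("guest ok", share.get("public", global_.get("guest ok", "no")))
        if guest.lower() in SMB_YES:
            findings.append(f"[{name}] guest ok = yes: readable without credentials")
    return findings


# Constructed smb.conf: a PACS export share open to anonymous readers.
SMB_CONF_WEAK = """\
[global]
   server role = standalone server
   map to guest = Bad User

[radiology]
   path = /srv/pacs/export
   guest ok = yes
   read only = yes

[archive]
   path = /srv/pacs/archive
   valid users = @pacs
"""

# Corrected version: no guest mapping, every share restricted to members of the pacs group.
SMB_CONF_FIXED = """\
[global]
   server role = standalone server
   map to guest = Never

[radiology]
   path = /srv/pacs/export
   guest ok = no
   read only = yes
   valid users = @pacs

[archive]
   path = /srv/pacs/archive
   valid users = @pacs
"""

if __name__ == "__main__":
    for label, conf in (("weak", SMB_CONF_WEAK), ("fixed", SMB_CONF_FIXED)):
        print(label, audit_smb_conf(conf) or "no findings")
```

For the effective configuration rather than the file on disk, feed the output of Samba's `testparm -s` to `audit_smb_conf`; the external view of the same problem is an anonymous listing with `smbclient -L //host -N`, which is what the scanners behind the report's numbers are doing.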

Other misconfigured technologies cited as sources of exposure included FTP services (20 percent of the total), rsync (16 percent), Amazon S3 buckets (8 percent) and Network Attached Storage (NAS) devices (3 percent).
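For the S3 case, exposure usually comes from a bucket policy that grants read access to everyone. As an added example written for this page (not from the report or the article), the Python below shows a constructed public-read bucket policy beside a corrected one, and a check that flags any statement granting unconditional anonymous read. The bucket name, account ID, role name and VPC endpoint ID are placeholders invented for the illustration; the check only looks at `Principal`, `Action` and `Condition`, and does not evaluate `NotPrincipal`, `NotAction` or ACLs.

```python
import json

# Actions that let an anonymous caller read or enumerate bucket contents (lowercased).
S3_READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:list*", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _grants_to_anyone(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. unauthenticated access."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_read_statements(policy_text):
    """Return the Sid (or index) of every statement granting unconditional anonymous read."""
    policy = json.loads(policy_text)
    hits = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue  # conditional grants need their own review; only unconditional ones are flagged
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if _grants_to_anyone(stmt.get("Principal")) and actions & S3_READ_ACTIONS:
            hits.append(stmt.get("Sid", f"Statement[{i}]"))
    return hits


# Constructed policy: anyone on the internet can list and download every object.
S3_POLICY_WEAK = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-pacs-archive", "arn:aws:s3:::example-pacs-archive/*"]
  }]
}"""

# Corrected policy: one named role, plus a VPC-endpoint-restricted grant (placeholder IDs).
S3_POLICY_FIXED = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PacsArchiverRoleOnly",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/pacs-archiver"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-pacs-archive", "arn:aws:s3:::example-pacs-archive/*"]
  }, {
    "Sid": "VpcEndpointOnly",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-pacs-archive/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}
  }]
}"""

if __name__ == "__main__":
    print("weak:", public_read_statements(S3_POLICY_WEAK))
    print("fixed:", public_read_statements(S3_POLICY_FIXED))
```

The document to feed in is what `aws s3api get-bucket-policy --bucket NAME` returns; enabling S3 Block Public Access at the account level stops a policy like `PublicRead` from taking effect even if someone attaches it later.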

“Like all of the cases discussed in the report, not every single one of these files is going to contain something sensitive,” the study noted. “However, the sheer amount of information exposed violates individuals’ privacy as well as regulations like HIPAA in the United States.”

THE BIGGER TREND

The National Institute of Standards and Technology (NIST) and the National Cybersecurity Center of Excellence (NCCoE) have produced a guide that includes several recommendations and best practices for securing PACS architectures.

“Anyone, from local doctors to big hospitals, can inadvertently expose data,” Digital Shadows strategy and research analyst Harrison Van Riper told Healthcare IT News. “The health care industry has access to some of the most personal and private information about individuals and in millions of cases, this data isn’t being properly secured from the internet.”

Van Riper noted the exposure of 4.4 million DICOM imaging files is a 100 percent increase from last year, which was 2.2 million when Digital Shadows did a similar study — indicating that the problem is not only growing, but growing quickly.

“As we start to move into a more remote-doctor ecosystem where data will be traveling across the internet from patient to doctor without the need for an office or hospital visit at all, securely transferring that data is going to be key,” he explained. “As we’ve seen businesses enable remote workers, the health care industry is starting to do the same and with that comes more potential data exposure points; an issue that is difficult to solve, but not impossible.”

In April, a security report from Varonis found the average institution leaves terabytes of sensitive information exposed to unauthorized parties.

Employee and patient data were left open for anyone to see through wrong or broken permissions, Varonis found; for each terabyte of data there were, on average, tens of thousands of files that were improperly exposed, carried the wrong permissions, or had not been updated with adequate permissions.

Nathan Eddy is a healthcare and technology freelancer based in Berlin.

Email the writer: nathaneddy@gmail.com

Twitter: @dropdeaded209