Cloud Security , Electronic Healthcare Records , Governance & Risk Management
Electronic Health Records: Spotlighting RisksUnsecured Cloud Server, Open-Source EHR Flaws Put Patient Data at Risk
Electronic health records potentially can be exposed in many ways. For example, in one recent incident, information on thousands of patients was apparently left exposed in an unsecured cloud server. And in another, critical security vulnerabilities in an open-source EHR system put patients’ data at risk.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
Here’s a look at each incident and experts’ insights on lessons to learn.
Exposed EHR Data
News site TechCrunch reported on Monday that it found “thousands” of patient records exposed on the internet by nTreatment, a company that manages electronic records for doctors, including psychiatrists.
The records were in a cloud storage server hosted on Microsoft Azure containing 109,000 files, including lab test results, doctors’ notes, insurance claims and other sensitive health data for patients that were not encrypted and not protected with a password, TechCrunch reports.
The nTreatment data was secured on Monday after TechCrunch contacted the company. The company did not immediately respond to Information Security Media Group’s request for comment.
The nTreatment incident “speaks to many recurring issues and shines a bright light on the bigger issue of data sharing,” says former healthcare CIO David Finn, an executive vice president at privacy and security consultancy CynergisTek.
The incident “started with something as basic as a cloud server not being password-protected … then none of the data was encrypted,” he says.
“Not encrypting data in motion when you send it outside of your firewall is bad enough, but now, you are going to send it to someone to store and not require they encrypt it at rest.”
To avoid misconfiguration mistakes, “you must have tools and/or processes that check to ensure that those settings are actually set as you want and are functioning as intended,” he says.
There’s a misconception that systems can be moved or developed “in the cloud and everything is taken care of by the cloud provider,” says Cathie Brown, a vice president at the consultancy Clearwater. “Nothing can be further from the truth. Cloud services have the same associated risks as on-premises environments.”
EHR vendors must make security a business priority and use services that can continuously test applications for security vulnerabilities, Brown says.
“This level of testing should become part of the DevOps and application lifecycle,” she says.
In a cloud environments, security controls such as strong passwords, multifactor authentication and account lockouts are critical, she says.
Open-Source EHR Flaws
In the other recent incident involving EHRs, four vulnerabilities were recently identified in OpenClinic version 0.8.2, health records management software developed by an open-source community on SourceForge, according to security research firm Bishop Fox Labs.
The vulnerabilities include insecure file upload, missing authentication, cross-side scripting and path traversal, Bishop Fox reports.
The most severe vulnerability is a missing authentication check on requests issued to the medical tests endpoint. “Anyone with the full path to a valid medical test file could access this information, which could lead to loss of PHI for any medical records stored in the application,” Bishop Fox writes.
The firm adds that there is “no version of OpenClinic available that does not suffer from the identified vulnerabilities, and the recommendation is to switch to a different medical records management software.”
OpenClinic did not immediately respond to ISMG’s request for comment on the Bishop Fox findings.
Two EHRs With Same Name
Gerben Kleijn, senior security consultant at Bishop Fox, tells ISMG that there appear to be two unrelated software medical records packages both named “OpenClinic” on SourceForge.
In August, the Department of Homeland Security issued an advisory about 12 vulnerabilities contained in OpenClinic GA, a different open-source integrated hospital information management system that is not the subject of Bishop Fox's recent advisory (see: Alerts: Flaws in Ultrasound, Open-Source Hospital Systems).
SourceForge tells ISMG: “SourceForge is just a web host, and we have no affiliation or involvement with any open-source software hosted on our website. We do scan projects for malware, but those scans don’t always identify every last security vulnerability.”
It appears that the OpenClinic software that is the subject of the Bishop Fox advisory gets downloaded regularly about 1,000 a times a year, Kleijn tells ISMG. “I don’t believe that the software is widely used, but since it’s a medical records program, I still think it’s important to highlight its issues regardless of the size of its user base.”
Bishop Fox says it was unable to reach OpenClinic during the vulnerability disclosure, so it’s possible that the identified flaws will not be addressed, Kleijn says. “Migrating to a currently supported medical records program is recommended."
Users of OpenClinic should take two precautions to limit the risk associated with the vulnerabilities, he says: Restrict access only to users on the internal network, and configure a firewall to allow connections only from specific, trusted IP addresses.
If the identified vulnerabilities are not fixed, there will be significant risk to patient data for any organization currently using OpenClinic, he says. “The most severe allows an unauthenticated attacker to access patient medical test results.”
If an organization is currently using OpenClinic and has it exposed to the internet, anyone could access medical data if they could successfully guess or brute-force the full URL, he adds.
Extra Diligence Needed
Extra security diligence is required when using open-source software, Brown says. “This is especially true in the case of patient data and EHR functionality.
“Open-source systems that require high levels of security and privacy are going to be riskier propositions than commercial products sold and supported by one organization. Frankly, in regulated industries, you do not see open-source systems being used with critical data or operations. You will see open-source components where it makes sense, but few organizations put their core business on open-source systems.”