Unsecure Fax Server Leaked Patient Data
Incident Highlights the Importance of Vendor Risk Management
A medical software vendor's unsecured fax server leaked patients' medical information, highlighting yet again the importance of vendor risk management.
Sacramento, Calif.-based Meditab Software Inc., which provides fax services and other services for healthcare providers, leaked the patient records through a fax server that was hosted by a subdomain of one of its affiliate companies, MedPharm Services, based in Puerto Rico, according to a March 17 report on news site TechCrunch.
Meditab's website says the privately held company provides software to over 2,200 clients from over 35 medical specialties.
TechCrunch reports that SpiderSilk, a Dubai-based cybersecurity firm, discovered that the exposed fax server was running an Elasticsearch database with over 6 million records since its creation in March 2018.
As of Monday, the incident did not appear on the Department of Health and Human Services' HIPAA Breach Reporting Tool website, which lists major health data breaches. It's not yet clear how many records were potentially exposed or for how long.
Because the server allegedly had no password, anyone could read the transmitted faxes in real time, SpiderSilk told TechCrunch. The faxes contained a variety of information, including names, addresses, medical information, prescription information and, in some cases, Social Security numbers and payment data, the news site reports. And apparently none of the data was encrypted, it states.
Angel Marrero, general counsel at Meditab and MedPharm Services, confirms to Information Security Media Group that MedPharm hosted the unsecured fax server on its subdomain.
Marrero says the companies cannot yet disclose how long the fax server was left unsecured, the number of individuals who were affected or how the incident occurred because the incident is under review for the scope of the potential exposure. "I can confirm that the fax server was taken down immediately after we were notified," he says.
MedPharm Services and Meditab Software will comply with all required notification requirements under federal and state regulations, he adds.
"We are conducting a comprehensive security check of all our portals and services to make sure they are secured," Marrero says. "In addition, we will be implementing additional penetration testing as part of our development and testing methodology. Lastly, the management team has already conducted discussions to implement a bug bounty program so that security researchers can report any flaws they find directly and securely."
Marrero adds: "We can assure all our customers and their patients that we will do everything in our power to make sure this never happens again."
Skipping the Basics
The apparent data exposure stemming from an unsecured fax server is troubling for a variety of reasons, says Rebecca Herold, president of Simbus, a privacy and cloud security services firm, and CEO of The Privacy Professor consultancy.
"I'm coming across increasingly more B2B online services organizations that are simply choosing not to implement basic information security controls on their servers," she says.
Often these vendors will skip implementing necessary controls "with the expressed opinion that they believe it is more important to 'be agile' than to perform long-time known and necessary due diligence data and systems security actions and implement the necessary protections," she says. "Too many are simply willing to gamble with their clients' data security that nothing will happen."
The security of fax servers, as well as fax machines, is often overlooked, she adds.
"I've had business owners, and many start-up managed services providers, tell me, 'No one uses faxes anymore. That is a waste of our time to put attention to fax security if they are not used.' They push forward with that flawed opinion, despite the advice of those of us who have actually been working, and continue to work with, a wide range of businesses of all sizes that regularly use fax transmissions as part of their business processing."
The alleged lack of a password to protect the fax server and alleged absence of encryption are particularly concerning, Herold says.
"The breached organizations in this case will likely never know how many others may have obtained all that sensitive patient data," she says. "The crooks using it for fraud and other crimes, and selling it to other criminals, are the only ones who will have any type of insights into the answer to that question."
Despite the move to electronic health records, as well as growing adoption of the Direct protocol for point-to-point encrypted healthcare messaging, many healthcare providers in the U.S., especially smaller entities, still rely on faxes for exchanging patient information and sending prescriptions to pharmacies.
The U.K. in January banned National Health System healthcare trusts from buying fax machines, and faxes will be phased out by March 31, 2020, in favor of more secure methods of communication, including secure email, according to a statement issued last December by Matt Hancock, the U.K.'s secretary of state for health and social care.
Privacy attorney David Holtzman of the security consultancy CynergisTek says the Meditab mishap is a prime example of the risks involving vendors.
"This incident has little to do with the prevalence in the use of fax machines in healthcare. The root cause of this event was that the cloud computing vendor did not secure their servers, resulting in exposing the data to the internet," he says. "This represents a fundamental failure to practice minimum information security practices. We have seen these incidents over and over again with cloud-based medical transcription vendors and healthcare billing services."
Other Vendor Mishaps
Many other vendors have also been implicated in security breaches involving misconfigured servers.
For instance, last November, the New Jersey state attorney general's office signed a $200,000 settlement with Best Medical Transcription for a 2016 breach involving the misconfiguration of a server that publicly exposed protected health information - including the names and medical diagnoses of more than 1,600 patients treated by Marlton, New Jersey-based Virtua Medical Group.
The New Jersey attorney general's office last April also signed a nearly $418,000 settlement with Virtua Medical Group.
The cases against Best Medical Transcription and Virtua Medical Group alleged violations of HIPAA and the New Jersey Consumer Fraud Act.
Healthcare providers cannot rely on cloud computing vendors' claims that they are "HIPAA compliant," Holtzman says.
"It's crucial for healthcare organizations to have a vendor security management program in place to verify that business associates are continuously safeguarding the information security of PHI and PII," he says. "Don't place a high level of trust in a certification that is the result of a one-and-done cybersecurity assessment."
Good vendor management practices call for a covered entity to work with their contractors to employ a risk-based strategy to assess the potential for compromise of data, Holtzman stresses. "Organizations must aggressively pursue getting answers to questions about how their e-PHI will be safeguarded."