Data Breaches Caused by Misconfigured Servers Within a Healthcare Environment

Considering high-profile data breaches in the past decade, data security has become a critically important issue within organizations which handle user data online. Particularly for healthcare professionals, protecting confidential and sensitive information is a significant compliance requirement. The mass media is flooded with news headlines and articles about the latest organization to be hit with a large-scale data breach: all-too-familiar stories about the theft of an abundance of personally identifiable information, the negligence of the officials guilty of inadequately securing that data, and the actions to be taken by the victims.

Healthcare professionals and organizations have a duty to protect sensitive personal information and many kinds of electronic patient information. The U.S Department of Health and Human Services (HHS) have enforced legally binding legislation (the Health Insurance Portability and Accountability Act of 1996, or HIPAA) which adds several layers of additional protection to patient data, as well as a few additional controls including the Privacy Rule of 2000 and the Security Rule of 2003.

HIPAA compliance enforces specific administrative, physical, and technical safeguards to ensure the confidentiality, integrity and security of electronic protected health information (ePHI). Many healthcare professionals choose to outsource this responsibility to a HIPAA compliant managed service provider (MSP), as there are a number of associated risks of keeping this responsibility in-house as a healthcare provider that specializes in patient welfare but may not necessariliy have the technical capabilities to provide HIPAA-compliant hosting infrastructure and IT services.

Often this inexperience in IT services can result in misconfigured servers or services which may leave an organization wide open to a data breach. Human error is the number one cause of data breaches, with some security specialists suggesting 85% of data breaches are caused unintentionally or inadvertently. These unintentionally caused predicaments can bring catastrophic consequences upon healthcare organizations and can lead to significant damage to an organization’s brand and reputation.

Data breaches within an environment required to be HIPAA-compliant have additional consequences to consider beyond this damage; there are specific guidelines that explain exactly not only what a data breach is, but also what a healthcare organization must do if they are affected.

The guidelines include:

1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
2. The unauthorized person who used the protected health information or to whom the disclosure was made;
3. Whether the protected health information was actually acquired or viewed; and
4. The extent to which the risk to the protected health information has been mitigated.

(Source: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html)

If a data breach is confirmed and depending on the scale of the breach (usually defined by number of patients affected), then the healthcare practice must notify the patients affected, the media (if applicable), the HHS compliance secretary, and the business associate(s), as well as provide a burden of proof that these actions have been completed.

As cloud computing has continued to grow into the mainstream, healthcare practices are often choosing to take their business services into private and public cloud offerings. These IT systems often contain electronic patient data (ePHI) which must be adequately safeguarded. This necessitates that the cloud architecture is securely designed and that the technical support teams are on-board with all the HIPAA legislation requirements, which will ensure the cloud infrastructure is safeguarded.

Securing data can introduce significant complexities for system users who are both technical or non-technical. If the technical transition teams are not aware of the best practices needed to secure a cloud platform, or if no training program has been offered, there is a significant risk that misconfiguration may occur. Misconfiguration may include creation of storage buckets with public access, databases with insufficient security settings, firewall rules which allow public facing traffic, or a weak password policy and incomplete IAM configurations. These mistakes can leave the cloud infrastructure open to anyone with an internet connection.

The healthcare market is a lucrative target for hacking groups or individuals looking for exploitable infrastructure. If best practice is not followed and data is insufficiently secured, then there is a high probability that a data breach may occur. There are many examples which illustrate how easy this can happen when systems are misconfigured.

The first example is MedCall, a compensation and healthcare solution provider. It has been reported that on two occasions in 2018, MedCall neglected to secure electronic patient records on an AWS S3 storage bucket. The first incident happened September 2018, followed by another incident in October 2018. Evidence online suggests that patient confidential data was available to anyone (even with no password) including patients’ name, email address, postal address, phone numbers (fixed and cell), gender, date of birth, and Social Security Number.

Another example specifically relating to misconfigured servers is the Middleton Medical data breach, where 63,000 records were potentially exposed due to an incorrectly configured security setting on a radiology interface. The data included client ID numbers, date of birth, and confirmation that radiology had been received by the patient. There is little evidence to suggest data has been used maliciously; however, as a precaution, Middleton Medical decided to offer all those affected free identity theft recovery services. Both organizations faced fines from the U.S Department of Health and Human Services (HSS).

There are extensive numbers of data breaches related to healthcare organizations, and some experts argue that health data breaches are an increasing trend because electronic patient data is seen as a valuable asset. Security organizations and hacking teams are consistently scanning publicly facing internet address spaces, looking for security holes to be exploited. Much of this risk can be mitigated if an organization decides to outsource its IT operations to a HIPAA compliant data center.

Misconfigured servers can be a costly mistake and show prospective clients that there is a lack of care when securing digital assets. Outsourcing can give the healthcare provider the added security, as the responsibility is shared with a third party business associate who specializes in compliance. The BA will be liable for any possible breaches of healthcare data and records.

The MSP tech teams will have extensive experience in supporting and providing HIPAA compliant infrastructure and services to healthcare professionals. This infrastructure will be audited for compliance, giving clients peace of mind when storing electronic patient records on information systems. It will include features such as encryption at rest and in transit, security policies for personnel and infrastructure, a full backup and data protection suite, and disaster recovery capabilities.

A business associate’s agreement is a mandatory part of HIPAA compliance which demands that the provider and the healthcare organizations draw up a list of roles and responsibilities. The BAA clearly defines each organization’s duties so there is no lack of clarity. In addition, many service providers allow healthcare organizations to leverage additional services such as server management, privacy controls, and security, such as anti-virus and malware protection.