Not very surprising to many in the InfoSec business, but maybe an "eye opener" to the masses: this has made mainstream headlines on one of the most popular TV news shows in Germany.
“Das Erste” and the “NDR” (North German Broadcasting), public broadcasting services in Germany, have recently and repeatedly reported on information security issues in German doctor’s offices across all medical practices and disciplines.
They’ve had help from c’t, a renowned bi-weekly computer and technology magazine published by the Heise publishing house.
In the most recent news segment the reporters were shown an approach to accessing sensitive patient data that is almost easier than the “script kiddie” approach.
Freely available internet security research services and tools make it shockingly easy to find the relevant internet presences of doctor’s offices and other healthcare-related web sites and services.
Sadly, internet security doesn’t seem to be a high priority here…
Because, of all the things malevolent minds could be interested in, healthcare data is obviously not so important and not worth much, right?
Brahaha! Wrong, and wrong again! Of course these types of data sets are in high demand for all kinds of illicit activities. Digging a little deeper in the dark web you can find that the pricing for healthcare data ranges up to 2,000 USD per “patient”.
No need for an evil genius to figure out what can be done, and in fact surely is done, with such sensitive information. Probably at the top of the list, because it is the easiest way to “monetize” such data, would be extortion of unsuspecting patients whose only error was to have chosen an MD, dentist, radiologist and so on that doesn’t give a rat’s ass about information security and OpSec (operational security). Excuse my French…
Using easily accessible services on the web, almost intuitive to handle even for the not-so-tech-savvy internet criminal, you can track down hundreds of internet-accessible, healthcare-related hosts with vulnerabilities.
Without getting too deep into the details of such services and approaches, you could call these things “the Googles for easily breachable and exploitable hosts and services”.
Yes, you read this right… it’s really as easy as typing a search request into your favorite internet search engine to find detailed information on the medical services outlined above, together with their weaknesses. At a higher level of sophistication you can use their API (application programming interface) to feed your search results into attack scripts for a bunch of attacks on computers, databases and web services.
Using the high-level InfoSec search term “Praxis”, which is the German word for a doctor’s office, you can ad hoc see hundreds of web sites and web services popping up on a map. From there you can narrow your search, for instance to specific services, remote login possibilities, all kinds of vulnerabilities and so on.
Of course doctor’s offices that get immediately red-flagged with a bunch of vulnerabilities will at least have a really tight password policy, right? Brahaha! You already guessed it: with high probability such offices will also have weak password policies with easy-to-guess or brute-forceable passwords, so it doesn’t take long to remotely access such boxes and explore further possibilities from such a bridgehead. Once you’re “in” you can take all the time you need to find “interesting” data in such an environment. Your health records in any given doctor’s office will contain your standard PII (personally identifiable information) but also your illnesses, therapies, medication and so on.
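The flip side of the map view described above is that a practice (or the IT provider it pays) can run the same kind of lookup against its own addresses and fix what shows up before anyone else finds it. The following is an added example, not code from the original post or from any of the search services it alludes to: a small triage script over an export of a practice's own internet-facing services, in the flat ip/port/banner shape such exports typically have. The inventory is constructed sample data in the 203.0.113.0/24 documentation range, and the port-to-severity mapping is this example's own rule of thumb.

```python
# Added example (not from the original post): self-assessment of a practice's OWN
# internet-facing services, as exported from an authorised external scan of its addresses.
# It flags exactly what the post warns about: remote-login and database services that
# are reachable from the internet without a VPN in front of them.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Remote-login and database services that should never face the internet from a doctor's office.
REMOTE_LOGIN_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP", 5900: "VNC", 5901: "VNC"}
DATABASE_PORTS = {1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL", 27017: "MongoDB"}
PLAINTEXT_PORTS = {21: "FTP", 80: "HTTP"}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}

# RFC 1918 ranges: entries here are internal and not the subject of this check.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    severity: str  # "critical", "high" or "medium"
    reason: str


def triage_exposure(inventory):
    """Return findings sorted critical -> high -> medium, then by host and port.

    inventory: iterable of dicts with keys "ip" and "port" (optional "banner"),
    the shape of a typical scan export. Private addresses are skipped.
    """
    findings = []
    for entry in inventory:
        host, port = entry["ip"], int(entry["port"])
        addr = ip_address(host)
        if any(addr in net for net in INTERNAL_NETS):
            continue  # internal address: not internet-exposed, nothing to flag here
        if port in REMOTE_LOGIN_PORTS:
            svc = REMOTE_LOGIN_PORTS[port]
            # SSH with keys can be defensible; Telnet/VNC/RDP on the open internet are not.
            sev = "high" if svc == "SSH" else "critical"
            findings.append(Finding(host, port, svc, sev, "remote login reachable from the internet"))
        elif port in DATABASE_PORTS:
            findings.append(Finding(host, port, DATABASE_PORTS[port], "critical",
                                    "database listener reachable from the internet"))
        elif port in PLAINTEXT_PORTS:
            findings.append(Finding(host, port, PLAINTEXT_PORTS[port], "medium",
                                    "unencrypted protocol exposed; credentials/data travel in clear"))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], ip_address(f.host), f.port))


def summarize(findings):
    """Count findings per severity, e.g. {'critical': 3, 'high': 1, 'medium': 2}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample export (documentation addresses, not real hosts).
SAMPLE_INVENTORY = [
    {"ip": "203.0.113.10", "port": 443, "banner": "nginx"},
    {"ip": "203.0.113.10", "port": 3389, "banner": "Microsoft Terminal Services"},
    {"ip": "203.0.113.11", "port": 5900, "banner": "RFB 003.008"},
    {"ip": "203.0.113.12", "port": 22, "banner": "OpenSSH"},
    {"ip": "203.0.113.13", "port": 3306, "banner": "MySQL"},
    {"ip": "203.0.113.14", "port": 80, "banner": "Praxis Dr. Beispiel - Apache"},
    {"ip": "203.0.113.15", "port": 21, "banner": "vsFTPd"},
    {"ip": "192.168.1.5", "port": 3389, "banner": "internal RDP"},
]

if __name__ == "__main__":
    for f in triage_exposure(SAMPLE_INVENTORY):
        print(f"[{f.severity:8}] {f.host}:{f.port} {f.service}: {f.reason}")
    print(summarize(triage_exposure(SAMPLE_INVENTORY)))
```

Anything that lands in the critical bucket is a "put it behind a VPN today" item; the medium bucket is where the practice's web presence itself needs TLS. Run against a real export, the script is only as good as the scan feeding it, so it belongs in a recurring schedule rather than a one-off.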
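What turns "weak passwords" into "it doesn't take long" is that nothing slows the guessing down. The following is an added example, not code from the original post: two defensive building blocks a practice's IT provider could put in front of a remote-login service, a password policy check against a blocklist and a login guard that backs off exponentially per account and per source address and locks out after repeated failures. The class and function names, the thresholds and the tiny blocklist are this example's own assumptions; a real deployment would load a full breached-password list.

```python
# Added example (not from the original post): password-policy check plus a brute-force
# guard for a remote-login front end. Names, thresholds and the blocklist are constructed.
import time

# Constructed blocklist of guesses an attacker tries first; load a real breached list in production.
COMMON_PASSWORDS = {"password", "123456", "praxis", "praxis123", "welcome1", "qwerty"}


def password_is_acceptable(password, min_length=12):
    """Policy: long enough, not on the blocklist, and not a blocklisted word with digits/'!' tacked on."""
    lowered = password.lower()
    if len(password) < min_length:
        return False
    if lowered in COMMON_PASSWORDS:
        return False
    if lowered.rstrip("0123456789!") in COMMON_PASSWORDS:  # catches 'Praxis2024!' style variants
        return False
    return True


class LoginGuard:
    """Tracks failed logins per account and per source address and demands an
    exponentially growing delay, then a lockout, before the next attempt is allowed."""

    def __init__(self, base_delay=2.0, max_failures=5, lockout_seconds=900, clock=time.time):
        self.base_delay = base_delay
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock  # injectable so the behaviour can be simulated deterministically
        self._failures = {}  # key -> (failure count, time of last failure)

    @staticmethod
    def _keys(account, source_ip):
        return (("account", account), ("ip", source_ip))

    def seconds_until_allowed(self, account, source_ip):
        """0.0 if an attempt may proceed now, otherwise the remaining wait in seconds."""
        now = self.clock()
        wait = 0.0
        for key in self._keys(account, source_ip):
            count, last = self._failures.get(key, (0, 0.0))
            if count == 0:
                continue
            if count >= self.max_failures:
                delay = self.lockout_seconds  # lockout after repeated failures
            else:
                delay = self.base_delay * (2 ** (count - 1))  # 2s, 4s, 8s, 16s ...
            wait = max(wait, last + delay - now)
        return max(0.0, wait)

    def record_failure(self, account, source_ip):
        now = self.clock()
        for key in self._keys(account, source_ip):
            count, _ = self._failures.get(key, (0, 0.0))
            self._failures[key] = (count + 1, now)

    def record_success(self, account, source_ip):
        # Reset the account counter only; an address that failed many times before
        # succeeding is still worth throttling and alerting on.
        self._failures.pop(("account", account), None)


def simulate_guessing(guesses):
    """Constructed simulation: one attacker tries `guesses` wrong passwords for one account
    from one address, always waiting exactly as long as the guard demands. Returns the
    total number of seconds the guard forced the attacker to spend waiting."""
    clock = [0.0]
    guard = LoginGuard(clock=lambda: clock[0])
    waited = 0.0
    for _ in range(guesses):
        wait = guard.seconds_until_allowed("dr.example", "198.51.100.7")
        clock[0] += wait
        waited += wait
        guard.record_failure("dr.example", "198.51.100.7")
    return waited


if __name__ == "__main__":
    for pw in ("Praxis2024!", "correct horse battery staple"):
        print(f"{pw!r}: {'ok' if password_is_acceptable(pw) else 'rejected'}")
    print(f"6 wrong guesses cost the attacker {simulate_guessing(6):.0f}s of waiting")
```

With the defaults, the sixth guess against one account already costs 15 minutes, which is the difference between a password list that runs in seconds and one that runs for weeks and shows up in the logs long before it finishes. Keying on the source address as well as the account stops an attacker from sidestepping the per-account counter by rotating through many usernames.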
There might be one or the other piece of health info you do not want anybody to know of, especially things that could be used against you right off the bat.
Maybe you wouldn’t like your employer learning about your possible addictions, mental problems or other things that would make him see you with different eyes, or your partner learning that you needed a penicillin shot to fight an STD? You get the picture: beyond identity theft, such information is indeed worth a lot to some, and such data in the wrong hands could give you long-lasting headaches and problems for decades.
Wouldn’t there be others, besides the “standard” extortionist, that have an elevated interest in such data?
Health insurers and the pharmaceutical industry come to mind in an instant, right?
Hmh… I’m not saying that there are health insurers or someone in the pharmaceutical industry buying such illegally obtained data, just that there could be elevated interest in such data for obvious reasons. There are surely others that could put such data to some other use.
This is the thing with third party risks again…
There’s not much that an individual can do to avoid falling victim to such things, but we can at least demand that there be consequences for those that handle people’s sensitive data without the needed care.
Imho it’s absolutely OK to get loud about such things, especially directed at elected representatives, medical chambers and so on.
On top of all that, Google has been collecting patient data wherever it can. See the following article on this:
https://www.axios.com/google-health-records-privacy-505889c6-96a3-44fa-b729-af732e078a19.html
From this article:
"Through its partnerships with health care providers, Google can view tens of millions of patient records in at least three-quarters of states, the Wall Street Journal reports.
Why it matters: Some of these partnerships allow Google to access identifiable information about patients without their or their doctors' knowledge, raising fears about how this data may be used."
So, this isn't just about bad OpSec in the wild but also a classic case of masses of patients signing away their rights to other data collectors in healthcare that made deals with Google to share personally identifiable information with Google.
A project that made headlines in this regard was Google's "Project Nightingale". See the following article from The Verge on this:
So, was this news to you?
Have you started to think about all the places that “have” your data, and have you asked yourself whether they are good custodians of your and others’ data?
Let me know what you think about this in the comments if you want!
Cheers!
Lucky