Is your healthcare organization leaking data?

News Analysis
Apr 29, 2016 | 10 mins
Tags: Cyberattacks, Data and Information Security, HIPAA

Security researchers are finding HIPAA data online, is it yours?

[Image: stethoscope, tablet and healthcare data. Credit: Thinkstock]

Never mind all the data breaches: Anthem, Target, OPM, etc. These were targeted attacks against good, secure networks, right? Well, we know that Target was compromised via its HVAC vendor, and some security companies have published data pointing to a China-based group known as Deep Panda as a possible source of Anthem’s breach. We also know that the Anthem attackers created a bogus domain name, “,” (based on WellPoint, the former name of Anthem) that may have been used in phishing-related attacks.

And OPM? According to CIO magazine, Michael Esser, OPM’s assistant inspector general for audits, told lawmakers that the agency’s “long history of systemic failures to properly manage its IT infrastructure” may have invited a pair of related hacking incidents that compromised more than 21 million current and former government employees’ personal information. Some major contributing factors to the OPM breach were decentralized governance frameworks and weak technical security controls like authentication and configuration management.

But what if your company is doing everything correctly and perhaps even doing well on compliance?

Unfortunately, it’s still possible to miss a single XP machine that has not been retired and have it cause a serious data leak. As reported in Wired magazine on June 25, 2014, two security researchers found just that: in one case, a large health care organization was leaking information about 68,000 systems connected to its network.

As it turns out, it was an Internet-connected XP machine that could not be patched against a known exploit. “Now we know all the targeted info and we know that systems that are publicly connected to the Internet are vulnerable to the exploit,” says Scott Erven, one of the researchers, who discussed their findings at the Shakacon conference in Hawaii. “We can exploit them with no user interaction then pivot directly at the medical devices that you want to attack.”


The data leak that enabled hackers to locate vulnerable systems is the result of network administrators enabling Server Message Block, or SMB, on Internet-facing computers and configuring it in a way that allows data to be broadcast externally. SMB is a protocol commonly used by administrators to quickly identify, locate and communicate with computers and equipment connected to an internal network. The researchers who discovered this hospital’s huge data leakage, Erven and Shawn Merdinger, went on to say that many healthcare organizations are sloppy in configuring their edge networks. They stated, “they don’t take security seriously.”

Adding to the problem is the fact that HIPAA compliance alone won’t find these edge-network data leakage issues unless you add comprehensive network discovery and scanning to the audit. This should be mandatory for HIPAA compliance, but it’s not. HIPAA is mostly concerned with privacy and some security, but it does not address patient safety issues like this.

The fact that an infusion pump is easily accessible to a hacker, with little or no strong authentication, puts patients at risk. For example, the researchers found drug infusion pumps (for delivering morphine drips, chemotherapy and antibiotics) that could be remotely manipulated to change the dosages delivered to patients; Bluetooth-enabled defibrillators that could be manipulated to deliver random shocks to a patient’s heart or to prevent a medically needed shock from occurring; and temperature settings on refrigerators storing blood and drugs that could be reset to cause spoilage.

This particular healthcare organization, which was not identified, had more than 12,000 employees and 3,000 physicians, with cardiovascular and neuroscience institutions associated with it.

Among the systems exposed: 32 pacemaker systems, 21 anesthesiology systems, 488 cardiology systems, 323 PACS systems, and telemetry systems for infant abduction prevention.

A global healthcare issue

The researchers started running more tests and continued to find more clinics, hospitals and other medical organizations with data leakage issues. Erven stated, “This is thousands of organizations that are leaking this information across the world.”

Weak passwords like BigGuy21 were also found (presumably some senior manager’s password?). In some cases default vendor passwords were still in use!

Cisco published a brief in 2014 titled “Data Leakage Worldwide: Common Risks and Mistakes Employees Make.” This study was not focused on healthcare but on corporate networks across the globe.

Cisco noted the following employee behaviors:

  •  Unauthorized application use: 70 percent of IT professionals believe the use of unauthorized programs resulted in as many as half of their companies’ data loss incidents.
  •  Misuse of corporate computers: 44 percent of employees share work devices with others without supervision.
  •  Unauthorized physical and network access: 39 percent of IT professionals said they have dealt with an employee accessing unauthorized parts of a company’s network or facility.
  •  Remote worker security: 46 percent of employees admitted to transferring files between work and personal computers when working from home.
  •  Misuse of passwords: 18 percent of employees share passwords with co-workers. That rate jumps to 25 percent in China, India, and Italy.

The Cisco survey results revealed a variety of risky behaviors and a widespread disregard for security policies. One of the most noteworthy findings is the varying prevalence of particular behaviors in different parts of the world. For example:

  • China has such a high level of information technology abuse that IT decision makers audit computers for unauthorized content.
  • In Japan, 65 percent of end users do not adhere to the corporate IT policy all of the time, and the research indicates that end-user abuse of information technology is increasing.
  • End users in India tend to use email and instant messaging for personal use and change IT security settings on business computers so they can view unauthorized websites.
  • Employees in Brazil use business computers for personal communications and for activities such as downloading music.
  • End users in France have the lowest rate of IT policy compliance of all the countries surveyed, with only 16 percent of employees claiming that they adhere to security policies all the time.

Despite corporate policies directing employees to do the right thing, unauthorized applications were often in use: 78 percent of employees accessed personal email from a business system, and 70 percent of IT professionals believe that the use of unauthorized programs resulted in half of their companies’ data losses.

The survey continues to point out some very serious issues which contribute to data loss.

  • 46 percent of employees admitted to transferring files between work and personal computers when working from home.
  • More than 75 percent of employees do not use a privacy guard when working remotely in a public place. This number is much higher in Brazil, China, and India, the countries that have the most reckless behavior.
  • 68 percent of people do not think about speaking softly on the phone when they are in public places outside of the office.
  • 13 percent of those who work from home admit that they cannot connect to their corporate networks, so they send business email to customers, partners, and co-workers via their personal email.

In many cases employees modified computer settings to reach an otherwise inaccessible website and then stated, “it’s none of the company’s business, they should respect my privacy.” Most companies cover the fact that corporate computers are not private systems, and state that users are subject to monitoring, in the corporate Acceptable Use Policy (AUP).

The Department of Health and Human Services’ Office for Civil Rights recently posted a revamped HIPAA compliance protocol on its website, noting, “The protocol has been updated to reflect the [HIPAA] Omnibus Final Rule. You may submit feedback about the audit protocol to OCR.”

OCR published the revamped protocol, along with some additional details about phase two of the HIPAA audit program, which is in the early stages of being rolled out.

This is another improvement, but will it make a huge difference? HIPAA still suffers from being too vague. The HIPAA protocol states:

“….Must reasonably safeguard or protect against reasonably anticipated threats…….”

It does not say to scan all internal and external networks for potential vulnerabilities, with an emphasis on exploitable vulnerabilities. It does not say to make sure your network is not leaking data via SMB. It does not say to employ risk-based threat modeling. The following examples illustrate my point.
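To make the edge-network check concrete, here is an added Python example (not from the article, from Wired, or from the researchers) that implements the scan-review step the SMB discussion above and the HIPAA gap described here both call for: it parses nmap’s grepable (-oG) output from a scan of your own address ranges and flags every host with SMB open outside the ranges you treat as internal. The sample scan, the hostnames and the INTERNAL_RANGES list are constructed assumptions; probe_smb() is an optional live re-check for when a scan report may be stale.

```python
"""Flag SMB (TCP 139/445) exposed on edge hosts, from nmap grepable (-oG) output.

Added example: review a scan of your own ranges and list the hosts that
answer on SMB outside the address space you consider internal.
"""
import ipaddress
import re
import socket
from dataclasses import dataclass
from typing import Iterator, List, Tuple

SMB_PORTS = {139, 445}  # NetBIOS session service and direct-hosted SMB

# Assumption: these are the organization's internal ranges; any scanned host
# outside them is treated as edge / Internet-facing.
INTERNAL_RANGES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Constructed sample in nmap -oG format (not a real scan). The first host is an
# edge machine with SMB open, the second only filters 445, the third is internal.
SAMPLE_SCAN = """\
# Nmap 7.91 scan initiated (constructed sample)
Host: 203.0.113.25 (edge-xp-01.example)\tStatus: Up
Host: 203.0.113.25 (edge-xp-01.example)\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)
Host: 203.0.113.26 (www.example)\tStatus: Up
Host: 203.0.113.26 (www.example)\tPorts: 443/open/tcp//https///, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (998)
Host: 10.20.30.40 (pacs-01.internal)\tStatus: Up
Host: 10.20.30.40 (pacs-01.internal)\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)
# Nmap done -- 3 IP addresses (3 hosts up) scanned
"""

# One "Ports:" record per host: "Host: <ip> (<name>)\tPorts: <entries>\t..."
PORTS_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+([^\t]*)")


@dataclass
class Finding:
    ip: str
    hostname: str
    open_smb_ports: List[int]
    internet_facing: bool


def parse_grepable(text: str) -> Iterator[Tuple[str, str, List[Tuple[int, str, str]]]]:
    """Yield (ip, hostname, [(port, state, proto), ...]) for each Ports: line."""
    for line in text.splitlines():
        m = PORTS_LINE.match(line)
        if not m:
            continue
        ip, name, ports_field = m.groups()
        ports = []
        for entry in ports_field.split(", "):
            # Each entry is port/state/proto/owner/service/rpc/version
            parts = entry.split("/")
            if len(parts) >= 3 and parts[0].isdigit():
                ports.append((int(parts[0]), parts[1], parts[2]))
        yield ip, name, ports


def smb_exposure(text: str, internal_ranges: List[str] = INTERNAL_RANGES) -> List[Finding]:
    """Return a Finding for every host with SMB open; flag those outside internal ranges."""
    internal = [ipaddress.ip_network(cidr) for cidr in internal_ranges]
    findings = []
    for ip, name, ports in parse_grepable(text):
        smb_open = sorted(
            port for port, state, proto in ports
            if proto == "tcp" and state == "open" and port in SMB_PORTS
        )
        if not smb_open:
            continue  # only 'open' counts; 'filtered' means something already blocks it
        addr = ipaddress.ip_address(ip)
        on_edge = not any(addr in net for net in internal)
        findings.append(Finding(ip, name, smb_open, on_edge))
    return findings


def probe_smb(host: str, timeout: float = 2.0) -> List[int]:
    """Live re-check of a host in your own inventory: which SMB ports accept a
    TCP connection right now (a scan report can be stale)."""
    reachable = []
    for port in sorted(SMB_PORTS):
        try:
            with socket.create_connection((host, port), timeout=timeout):
                reachable.append(port)
        except OSError:
            pass
    return reachable


def report(findings: List[Finding]) -> List[str]:
    """Human-readable lines, Internet-facing hosts first."""
    lines = []
    for f in sorted(findings, key=lambda f: not f.internet_facing):
        where = "INTERNET-FACING" if f.internet_facing else "internal"
        lines.append(f"{where:15} {f.ip:15} {f.hostname:22} SMB open on {f.open_smb_ports}")
    return lines


if __name__ == "__main__":
    for line in report(smb_exposure(SAMPLE_SCAN)):
        print(line)
```

Run against the constructed sample, the report lists the edge XP host (SMB open on 139 and 445) as INTERNET-FACING and the internal PACS host as internal; the web server is not listed because its 445 is filtered rather than open. Feeding it the -oG file from a scan of your real edge ranges, with INTERNAL_RANGES set to your own allocations, gives the audit artifact that HIPAA’s “reasonably safeguard” wording never asks for.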


§164.306(a): Covered entities and business associates must do the following:

(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part; and
(4) Ensure compliance with this subpart by its workforce.


§164.530(c)(1) Standard: Safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. (2)(i) Implementation specification: Safeguards. A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart.

(ii) A covered entity must reasonably safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure.

So how can you help prevent data loss?

Beyond having a full-time staff member dedicated to security and compliance 100 percent of the time, rather than having the IT department do it when they have time, make sure you provide continuous security awareness training that employees can relate to; make it personal. Show them how it protects not only the company but also their banking and personal information wherever and whenever they use a computer.

Also make sure your governance framework is centralized and that you do continuous audits and risk assessments. Locate all critical data and monitor who is accessing it, when, and from where.

DLP technologies can be helpful here. Foster a culture of openness and trust; the full-time security role is your point of contact for all security matters and should be someone all employees trust with any and all security and privacy issues. Have auditors not only test your compliance but also make sure it is risk-based and employs threat modeling. Have your IT, security and compliance staff get certified and become active members of ISSA, ISACA, InfraGard and FHIMA. This will provide ongoing training and dialogue with like-minded professionals facing the same challenges your organization faces.

Finally, regular PEN testing from a reputable PEN tester is worth every penny: pay the cost of a PEN tester today or suffer an unplanned loss totaling much more. Have a PEN test done as often as possible.

Mark Wolfgang, CEO of Shorebreak Security, says you should have continuous PEN testing performed, not just once a year. Depending on your business and the criticality of its data, you can have varied levels of PEN testing to fit your business model. Monthly, weekly or daily options are available, and the cost varies with the testing frequency.

[Image: hospital patient, maternity. Credit: Pixabay]

Security and privacy are not an IT issue; they are a serious business issue that must be championed by the CEO and executive leadership. We must continuously stress that all employees are responsible for security and privacy.

With the entire globe knocking (24×7) at your corporate Internet door, everyone must step up to be a gatekeeper to protect our personal information, our company’s data and ultimately our jobs and our country’s treasured freedom and assets. Remember, we have to think of every possible and likely method of being compromised, while the thousands of hackers spread across the globe only need to choose one to get in.

Remember that compliance is static, legalistic and backward-looking, while security is forward-looking, dynamic and intelligent. Compliance is just the beginning of all the work we have to do.


A senior security and compliance specialist, George Grachis has over 25 years’ experience in the tech sector. His experience includes over a decade supporting the Space Shuttle program for Computer Sciences Corporation & Grumman Aerospace, security management for CFE Federal Credit Union, IT auditing & consulting for Deloitte, and serving as Chief Security Officer for Satcom Direct.

George holds both the CISSP and CISA certifications. George received the ISSA Fellow designation in 2016 and is currently an active senior board member of ISSA. George has been interviewed by WFTV ABC TV and Fortune Magazine. When not working he enjoys spending time with family & friends, Big Brothers Big Sisters, playing the drums, motorcycling, fitness, and writing articles for his blog, Virtual CISO.

The opinions expressed in this blog are those of George Grachis and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.