Looming Crisis: Smart Medical Devices, Insecure Cloud



The leak of more than 300,000 self-administered blood tests from an obscure health services company may be an early sign of a looming data security crisis in the healthcare field.

Measured on the Richter Scale of data breaches, the recent leak of more than 300,000 self-administered blood tests barely registers - a mere 47GB of PDF files containing tests for an estimated 150,000 people. That’s a drop in the bucket next to breaches of companies like Anthem that yielded data on millions of customers.

However, there’s reason to look more deeply at the circumstances surrounding the hack of Patient Home Monitoring Corp., a provider of at-home medical testing. The combination of Internet-connected, smart medical devices and vulnerable, cloud-based storage and management servers is going to be a growing problem in the months and years ahead, as medical care is pushed out of clinical settings and into homes, enabled by more sophisticated medical diagnostic equipment.

The details of the latest breach are incomplete. Most of what we know comes from a MacKeeper blog post, which cites work by security researchers at the firm Kromtech.

In this case, Kromtech, whose researchers have made a career of sniffing out insecure cloud servers, discovered an Amazon S3 cloud-based storage repository with medical data in 316,363 PDF reports. Closer inspection revealed they were weekly blood test results for approximately 150,000 patients. Patient Home Monitoring provides an in-home testing program for individuals to relieve them of making weekly doctor’s office visits. The leaked documents contained plenty of personally identifying information and patient health information (PHI) covered by the United States’ HIPAA patient privacy law. Exposed data included the patient’s first and last names, doctor’s names, case management notes and blood test results.

Healthcare isn’t the only industry with exposure to risk from insecure cloud instances like Amazon S3 storage. Earlier this month, the NFL Players Association leaked sensitive information on 1,133 members including players and their agents. The data was exposed through a vulnerable ElasticSearch instance, Kromtech revealed. The data - including players’ mobile phone numbers and home addresses - was left publicly exposed to search engines like Shodan. “No hacking was involved and the data required no password or authentication,” the company said.

Also in October, researchers at the firm UpGuard reported that the consulting firm Accenture exposed 137 GB of information through four AWS S3 storage buckets to the public Internet. Those storage servers contained a wealth of sensitive data including authentication credentials, secret API data, digital certificates, decryption keys and Accenture customer information.

In addition, back in September, there was another leak—also due to insecure AWS S3 buckets—of sensitive data belonging to job applicants to TigerSwan, a North Carolina private consulting firm. Many of those applicants were employed by the U.S. Department of Defense or U.S. intelligence agencies.

There are factors that make the healthcare industry particularly vulnerable, such as federal incentives for clinical organizations to adopt technology like electronic medical records (EMR) and rapid innovation in wearable and implanted medical devices that can provide real-time patient monitoring. Add in the healthcare industry’s dire shortage of cyber security talent and you have a recipe for disaster: huge financial incentives to push applications and data to the cloud, but a lack of security expertise in securing cloud environments.

The result, if I had to guess, will be a small epidemic of breaches like the one at Patient Home Monitoring Corp. in the months and years ahead, as more smart medical devices hit the market and additional reams of patient data that must be properly secured are generated.

Paul Roberts is the Editor in Chief of The Security Ledger and the founder of The Security of Things Forum.

Paul Roberts

WHITEPAPERS

The Incident Responder's Field Guide

Paul Roberts

Paul Roberts is the editor in chief of The Security Ledger and founder of the Security of Things Forum. A seasoned reporter, Paul has more than a decade of experience covering the IT security space. His writing has appeared in publications including The Christian Science Monitor, MIT Technology Review and The Economist Intelligence Unit. He's appeared on news outlets including Al Jazeera America, NPR's Marketplace Tech Report and The Oprah Show.