An investigation by ProPublica and Bayerischer Rundfunk found 187 servers hosting more than 5,000,000 patients’ confidential medical records and scans (including a mix of Social Security numbers, home addresses and phone numbers, scans and images, and medical files) that were accessible to the public, “available to anyone with basic computer expertise.”
Many of these records were exposed by large commercial technology providers that service doctors’ offices and clinics, such as MobilexUSA, while others were operated by individual doctors, some of whom never returned ProPublica’s calls or took any steps to tighten their security prior to publication of the investigation (MobilexUSA “tightened its security” after being alerted by ProPublica).
The poor security has multiple causes: insurers write cybersecurity policies without adequate due diligence (in part because the penalties for breaches are generally laughable); medical software companies sell products that assume their customers will provide the security layer, while customers assume that the security comes from those products; the rush to establish electronic health records has yielded up a bonanza of insecure practices that are optimized for improving billings, not health or security; and plain old willful neglect.
To all this, I’d add the proliferation of binding arbitration “agreements” that doctors increasingly require patients to sign as a condition of receiving care (I refuse to sign these, which means that I sometimes have to drive to another city to see a specialist; for example, the only pain specialist I could find who did not require this is at USC’s pain clinic, an hour’s drive from my home). These agreements force you to surrender your right to full legal redress if your doctor or their administrative practices harm you: under these conditions, it’s “economically rational” for doctors to underinvest in security, because the penalties for failure are reduced to laughable wrist-slaps from tame “arbitrators” in the pay of the doctor.
We found that some systems used to archive medical images also lacked security precautions. Denver-based Offsite Image left open the names and other details of more than 340,000 human and veterinary records, including those of a large cat named “Marshmellow,” ProPublica found. An Offsite Image executive told ProPublica the company charges clients $50 for access to the site and then $1 per study. “Your data is safe and secure with us,” Offsite Image’s website says.
The company referred ProPublica to its tech consultant, who at first defended Offsite Image’s security practices and insisted that a password was needed to access patient records. The consultant, Matthew Nelms, then called a ProPublica reporter a day later and acknowledged Offsite Image’s servers had been accessible but were now fixed.
“We were just never even aware that there was a possibility that could even happen,” Nelms said.
Millions of Americans’ medical images and data are available on the Internet [Jack Gillum, Jeff Kao, and Jeff Larson/Ars Technica/ProPublica]
Of course they announced it at the end of the day on Friday; that’s what you do with bad news.
Iowa state court officials contracted with Coalfire to conduct “penetration tests” of their security; as part of those tests, two Coalfire employees broke into the Adel, Iowa courthouse and were caught by law enforcement, whose bosses in Dallas County had not been notified of the test.
Eleanor Saitta’s (previously) 2016 essay “Coercion-Resistant Design” (which is new to me) is an excellent introduction to the technical countermeasures that systems designers can employ to defeat non-technical, legal attacks: for example, the threat of prison if you don’t backdoor your product.