Healthcare Breach Shines Spotlight on Third Party Security Risks
6 Reported Medical Centers, Hospitals in Indiana Have Patient Records Breached
Update: According to the Department of Health and Human Services, this third party data breach from Medical Informatics Engineering and NoMoreClipboard has now affected a whopping total of 3.9 million individuals, making it the fourth largest breach in 2015, according to Data Breach Today.
Update: Two more medical centers in the Midwest have reported breaches via the third party, NoMoreClipboard. Hutchinson Regional Medical Center in Hutchinson, Kansas (July 24) and Margaret Mary Health in Batesville, Indiana (July 23) have reported breaches. The number of patients exposed was not disclosed.
A Fort Wayne, Indiana company, Medical Informatics Engineering, had one of its subsidiary companies, NoMoreClipboard, breached in early May. The number of patient records has not been disclosed to date, but the list of affected medical centers is extensive, as is the potential number of affected patients.
According to HealthITSecurity, the following medical centers were affected: Concentra, Fort Wayne Neurological Center, Franciscan St. Francis Health Indianapolis, Gynecology Center, Inc. Fort Wayne, and Rochester Medical Group. South Bend Medical Foundation was also a victim, reported The South Bend Tribune.
“The affected data relating to individuals who used a NoMoreClipboard portal/personal health record may include an individual’s name, home address, username, hashed password, security question and answer, email address, date of birth, health information, and Social Security number,” wrote NoMoreClipboard in its public statement.
One of the affected companies, Concentra, operates 300 medical centers in 40 states and serves over 25,000 patients a day, according to its own website.
The Problem with Using Social Security Numbers for Authentication and Records
This kind of personally identifiable information is easy money for hackers selling it on underground forums, and it can lead to identity theft and digital ransom, especially if patients reuse the same passwords elsewhere. Most security and authentication experts call for some of this information, such as Social Security numbers, not to be used in digital identity verification. Yet in healthcare, banking, and many other industries, SSNs remain in wide use.
Money magazine wrote in an article after the Sony Pictures breach last December about fraud potential with SSNs, and offered this insight:
With a Social Security number, fraudsters can apply for credit cards, mortgages and other lines of credit in your name, racking up debt on your tab. That can ruin your credit, making it difficult for you to get a new credit card, mortgage, or even a job. Identity thieves can also file fraudulent tax returns in your name, robbing you of your return and causing chaos at the IRS.
The efforts to digitize medical information for easier patient information sharing among healthcare providers, doctors, and medical staff are a legitimate endeavor. Anything that makes healthcare more efficient and more responsive to patients and medical professionals makes sense. The problem, as always, is this: how do you know the security of the third parties you are connecting to? How do you know their risk posture, and how do you know when it changes?
Healthcare partners such as health information exchanges have legal requirements and Federal security guidelines to follow, but the evidence is mounting that the gap between legal compliance and actual security is putting many healthcare clinics, hospitals, medical offices, and patients at risk.
The push for electronic health records (EHR) by the U.S. government and the healthcare industry, in particular, has been ongoing for years. The Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted as part of the American Recovery and Reinvestment Act of 2009, provided $20 billion worth of incentives for digital technology companies to help the EHR cause.
NoMoreClipboard Graded an ‘F’ for Network Security, ‘B’ for DNS Health
A quick look into our collaborative security platform found notable issues with NoMoreClipboard.com’s network security, DNS health, and application security. Application security, in particular, showed that SQL injection appeared to be possible.
“NoMoreClipboard appears to have an antiquated legacy system that makes use of PHP and Common Gateway Interface (CGI) functions,” said Alex Heid, Chief of Research at SecurityScorecard. “Upon querying