Since we published our summarized findings about the data leaks from unsecured PACS servers across the globe, one question has remained, given the situation and the continued access we have to the majority of the systems we found and measured more than 3 months ago.

What else can we do to get as many systems as possible off the public Internet?

Within the software space, we have used responsible disclosures for some time (for example with D-Link earlier this year), so the idea was to apply the same logic.

Still, following that idea wasn’t easy or straightforward, as a couple of concerns had to be addressed.

  • What data shall we use to substantiate the fact that there is a data leak within the organization we address?
  • How do we identify the organization and the right contacts there?
  • What format and method of disclosure shall we use? And finally...
  • What should we say in the disclosure so that it is seen as information and not as a threat?

We worked through these questions with the help of friends, partners and valuable insights from security professionals across the globe (thanks to Troy Hunt for the presentation about the topic: https://www.troyhunt.com/fixing-data-breaches-part-3-the-ease-of-disclosure/).

What data to use?

Simple answer: as little as possible. A single data set should be enough, and even this one needs to be obscured, as we are likely to transmit the information via unsecured channels.

We decided to use a single, current data set from each system for each provider and note it down. No, nothing was downloaded & stored or copied and pasted from these PACS. We don’t want that. Pencil and paper are our tools here.
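As an added illustration that is not part of the original post, the obscuring rules the disclosure template below applies to that single data set (timing shortened to the hour, names reduced to initials, date of birth reduced to the year, IDs left as they appear) written as a small Python routine with a final leak check before the text goes out in clear text; the record, field names and masking choices are assumptions:

```python
from datetime import datetime

# Constructed sample record, the kind of single data set noted down by hand.
# Field names and obscuring rules are assumptions modelled on the disclosure
# template quoted on this page; no real patient data is involved.
SAMPLE_RECORD = {
    "exam_time": "2019-11-28T14:37:52",
    "patient_name": "Jane Example Doe",
    "patient_dob": "1971-03-09",
    "patient_id": "P-000123",
    "exam_id": "EX-77812",
    "physician": "Max Mustermann",
    "organization": "Example Radiology Group",
    "address": "203.0.113.10:11112",  # documentation IP range, port illustrative
}

def initials(name: str) -> str:
    """Reduce a name to initials so it is unusable if the mail is intercepted."""
    return " ".join(part[0].upper() + "." for part in name.split())

def obscure_record(rec: dict) -> dict:
    """Apply one rule per field: shorten, obscure, or pass through unchanged."""
    exam = datetime.fromisoformat(rec["exam_time"])
    return {
        "Exam date & hour": exam.strftime("%Y-%m-%d %H:00"),  # minutes/seconds dropped
        "Patient name": initials(rec["patient_name"]),
        "Patient DoB": rec["patient_dob"][:4],                # year only
        "Patient ID": rec["patient_id"],                      # as on the system
        "Exam ID": rec["exam_id"],                            # as on the system
        "Physician's name": initials(rec["physician"]),
        "Organization's name": rec["organization"],
        "Network address (IP:port)": rec["address"],
    }

def render_plain_text(obscured: dict) -> str:
    """Lay the obscured fields out as plain-text lines for the email body."""
    return "\n".join(f"{label}: {value}" for label, value in obscured.items())

def leaks_clear_text(rec: dict, text: str) -> bool:
    """Final check before sending: no raw sensitive value may survive verbatim."""
    sensitive = (rec["patient_name"], rec["patient_dob"], rec["physician"],
                 rec["exam_time"][11:])  # the exact HH:MM:SS timing
    return any(value in text for value in sensitive)

if __name__ == "__main__":
    body = render_plain_text(obscure_record(SAMPLE_RECORD))
    assert not leaks_clear_text(SAMPLE_RECORD, body)
    print(body)
```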

How to identify the system owners?

Obviously, we were not going to contact any person appearing in the data to find out who their healthcare provider is: “Hey, we got your data from an unsecured system on the Internet, can you name me your radiologist?” wouldn’t work well. As the information contained in the PACS also includes the names of healthcare providers and physicians, this was our starting point.

We used a list of sites, Google of course, but also:

So, all the work was done using OSINT.

What should be the format?

Letters, faxes, emails? We discussed the pros and cons and decided to use email as the format and method to transmit the responsible disclosure. Email is fast, but it is also the main inroad for attack attempts like phishing, so we had to scale down from fancy HTML to plain text. With the RFC style & format in mind, we drafted some initial versions and circulated them among capable advisers.

What should we say?

Emails talking about data leaks are very often received as threats: “do this, pay that, or we will release...”. Formulating this email to avoid that specific effect was a bit of a challenge. We kept it as simple and short as possible and suggested actions instead of demanding them (which we could not possibly do anyway). That one took us a bit of work.

Finalization and Concerns

Our full notes were then transferred into a consolidated list of details (already obscured), which became the source for our little email campaign. As security researchers, we know that some recipients will totally misunderstand our intentions and “shoot the messenger”. That reaction has happened in the past, too often.

We will keep you posted…

Below is the final text, which we sent out on the afternoon of December 10th, 2019.

Sent to: email address

Personal Health Information Data Leak – Responsible Disclosure

Attention to

__________

__________

With this email, we want to inform you about an identified data leak likely affecting your organization. A server storing medical information of patients affiliated with your organization, a PACS server (Picture Archiving and Communication System), is connected to the public Internet without any protection. We believe this server is affiliated with your organization, and is configured in a way that allows free access to Personal Health Information of patients being treated in your facilities. We work for a team of computer security researchers, and are bringing this matter to your attention through the principles of RESPONSIBLE DISCLOSURE so you may address the exposure and protect your organization and patients.

To substantiate the fact, please see the obscured details of one single data set of a patient below.

Exam date & hour: __________ (exact timing shortened, but available on the system)

Patient name: __________ (obscured for privacy concerns and clear text transmission)

Patient DoB: __________ (shortened to year, if in the system)

Patient ID: __________ (as it appears on the system)

Exam ID: __________ (if and as it appears on the system)

Physician’s name: __________ (obscured, if and as it appears on the system)

Organization’s name: __________ (as identified during our research)

The network address of this system is the following IP address (and tcp-port): __________

In September 2019, we informed Government authorities across the globe about the systems we identified. You receive this email as part of our efforts to alert more than one hundred organizations in the US affected by that type of data leak. We would like to suggest that you take the necessary measures to secure the named PACS system. Potential measures can be, among others:

  • Implement access control to the system
  • Verify unnecessary port forwards
  • Deploy VPN access

Please consult with your information security staff, your IT service provider and/or the relevant Government authorities in the US about the range and scope of measures possible in your specific setup.

Please note also:

  • We recently conducted and published research about this type of data leak, which led to this disclosure. More information can be found here [1] and here [2].
  • Our research paper describes how to verify this data leak for yourself [3].
  • This email is written in plain text and contains no attachments.
  • Should you require further information, please feel free to contact us. Within limits imposed by the situation, we will try to help. There is no demand for compensation related to this.
  • This is a responsible disclosure; again, there is no demand for compensation for it or any intent to publish the data or details of your organization.
  • This is not a cyber-attack, it is about systems connected to the public Internet without any protection at all, allowing uncontrolled access to personal health data.

With best regards

Greenbone AG
Dirk Schrader
(CISSP, CISM, ISO/IEC 27001 Practitioner)
Mobile: +49-
Office: +49-541-760278-0
http://www.greenbone.net/
Greenbone AG
Neumarkt 12
49074 Osnabrück, Germany
AG Osnabrück, HR B 202460
Managing Director: Dr. Jan-Oliver Wagner

[1] https://www.propublica.org/article/millions-of-americans-medical-images-and-data-are-available-on-the-internet

[2] https://www.warner.senate.gov/public/index.cfm/2019/9/warner-seeks-answers-in-light-of-negligent-cybersecurity-practices-by-health-care-company

[3] https://www.greenbone.net/wp-content/uploads/Confidential-patient-data-freely-accessible-on-the-internet_20190918.pdf


Companies from the IT and telecommunications sector, which are operating critical infrastructures, are top targets for hackers. They therefore need to be as secure as possible. This is where sustainable cyber resilience comes in.

Sustainable cyber resilience is a vital defence against cyberattacks. But what exactly does that mean?

It’s become clear that companies can no longer afford to take reactive measures to protect themselves from hackers. They must minimise their attack surface from the outset and, at the same time, ensure that their systems remain operational even in the event of a cyberattack. The sustainable cyber resilience concept goes one step further than IT security and includes both technological and strategic measures. On the technical side, it is necessary to identify and assess risks and close weak points. On the strategic side, business and IT departments must work closely together to make the resilience processes a top priority.

Here are Greenbone’s top five reasons why sustainable cyber resilience is essential for telecoms providers today:

1. Cyberattacks on telecoms companies are on the rise
Ponemon Institute estimates that nine out of ten critical infrastructures have suffered an attack over the past two years. The telecoms sector is particularly at risk, with attacks coming from all sides, including government agencies establishing covert surveillance and cyber criminals in search of highly valuable personal customer data. Indeed, especially with the introduction of 5G and suspicions (rightly or wrongly) surrounding the use of Huawei equipment, UK telecoms providers have been urged to strengthen their cyber security defences by the NCSC to fend off the growing number of attacks.

2. Telecommunications connect all critical infrastructure sectors
If the telecoms infrastructure fails, other critical sectors will also be affected. Many control systems in energy and water utilities can’t function if they can’t transmit or exchange data. The financial system would come to a standstill; so too would the healthcare system. A telecoms sector that is resistant to cyberattacks is absolutely vital to every walk of society.

3. The target area of telecoms infrastructures is becoming larger
As a result of digitisation, more and more telecoms services have shifted to IP networks. The classic fixed network has become obsolete. Telephony, internet, TV and video streaming are now all IP-based. As a result, communication networks and server systems are becoming increasingly unified. But this also means that hackers can cause massive damage by attacking the IP network. Furthermore, mobile is becoming increasingly important. Many IoT devices use mobile networks and, as a result, cybercriminals have more and more points of attack. The new 5G mobile communications standard will bring even more technical complexity and, with it, the need for new IT security requirements.

4. Nested responsibilities make security more difficult
Many different companies and subcontractors are often involved in telecoms infrastructures. Some of them are located in different countries. Whilst this makes it difficult to provide security, it also means that it is all the more important to establish a uniform, consistent level of protection with a resilience concept.

5. The EU NIS Directive makes resilience building blocks mandatory
Since May 2018, critical infrastructure companies in the telecoms sector have been obliged to provide evidence of suitable technical and organisational measures to protect against cybercrime. This is prescribed by the EU NIS Directive. ISO 27001 certification provides a good blueprint for resilience. Among other items, it mandates vulnerability management, an important cornerstone of sustainable cyber resilience.

Minimising risks with sustainable resilience
It’s not for nothing that attacks on telecoms infrastructures are so popular with hackers. Here they find a growing, complex attack surface on which they can cause great damage. ICT companies should therefore do everything they can to make their systems sustainably resilient. For a comprehensive concept of Sustainable Cyber Resilience, ICT companies must take the appropriate technical and organisational measures.

This includes vulnerability management.