Responsible Disclosures sent to over 140 health care organizations in the US
Since we published our summarized findings about the data leaks related to unsecured PACS servers across the globe, one question remained when looking at the situation and at the continued access we have to the majority of the systems we found and measured more than 3 months ago:
What else can we do to get as many systems as possible off the public Internet?
Within the software space, we have used responsible disclosures for some time (for example with D-Link earlier this year), so the idea was to apply the same logic.
Still, following that idea wasn’t easy or straightforward, as a couple of concerns had to be addressed.
- What data shall we use to substantiate the fact that there is a data leak within the organization we address?
- How do we identify the organization, the right contacts there?
- What format and method of disclosure shall we use? And finally:
- What should we say in the disclosure so that it is seen as information and not as a threat?
We worked through the questions with the help of friends, partners and valuable insights from security professionals across the globe (thanks to Troy Hunt for the presentation about the topic: https://www.troyhunt.com/fixing-data-breaches-part-3-the-ease-of-disclosure/).
What data to use?
Simple answer: as little as possible. A single data set should be enough, and even this one needs to be obscured, as we are likely to transmit the information via unsecured channels.
We decided to use a single, current data set from each system for each provider and note it down. No, nothing was downloaded, stored, copied or pasted from these PACS. We don’t want that. Pencil and paper are our tools here.
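To make the obscuring rules concrete, here is an added Python example (not Greenbone's own tooling and not part of the original post) that reduces one PACS record to the fields used in the disclosure template further down: exact time cut to the hour, patient and physician names cut to initials, date of birth cut to the year, IDs left as they appear on the system. The record layout mirrors DICOM patient/study attributes; the sample values are constructed, and the IP address and port are placeholders.

```python
"""Reduce one PACS record to the obscured fields of a plain-text disclosure.

Added example, not Greenbone's own tooling. The record layout below mirrors
DICOM patient/study attributes, the sample values are constructed, and the
redaction rules follow the disclosure template: exact time cut to the hour,
names cut to initials, date of birth cut to the year, IDs left as they are.
"""
from datetime import datetime

# Constructed sample record; no real patient data.
SAMPLE_RECORD = {
    "StudyDate": "20191203",
    "StudyTime": "142537.123",
    "PatientName": "DOE^JANE",
    "PatientBirthDate": "19740512",
    "PatientID": "MRN-0001234",
    "StudyInstanceUID": "1.2.826.0.1.3680043.2.1125.1.0001",
    "ReferringPhysicianName": "SMITH^ROBERT",
    "InstitutionName": "Example Radiology Group",
}

MISSING = "(not in the system)"


def obscure_name(name):
    """'LAST^FIRST' (DICOM person name) -> initials only, e.g. 'D. J.'."""
    if not name:
        return MISSING
    parts = [p for p in name.split("^") if p]
    return " ".join(p[0].upper() + "." for p in parts)


def shorten_timestamp(date, time=None):
    """Exam date plus the hour only; minutes and seconds are dropped.
    A missing StudyTime yields the date alone rather than a fake hour."""
    day = datetime.strptime(date, "%Y%m%d").strftime("%Y-%m-%d")
    if not time:
        return day
    return f"{day} {int(time[:2]):02d}:00"


def shorten_dob(dob):
    """Year only, or a note when the attribute is absent."""
    return dob[:4] if dob else MISSING


def build_disclosure_fields(record, ip, port):
    """Map a record onto the template lines, in template order. Only what the
    recipient needs to locate the record on their own system survives."""
    return [
        ("Exam date & hour", shorten_timestamp(record["StudyDate"], record.get("StudyTime"))),
        ("Patient name", obscure_name(record.get("PatientName"))),
        ("Patient DoB", shorten_dob(record.get("PatientBirthDate"))),
        ("Patient ID", record.get("PatientID") or MISSING),
        ("Exam ID", record.get("StudyInstanceUID") or MISSING),
        ("Physician's name", obscure_name(record.get("ReferringPhysicianName"))),
        ("Organization's name", record.get("InstitutionName") or MISSING),
        ("Network address (IP:port)", f"{ip}:{port}"),
    ]


def render_plain_text(fields):
    """Plain text only: one 'label: value' per line, no markup, no attachment."""
    width = max(len(label) for label, _ in fields) + 1
    lines = []
    for label, value in fields:
        lines.append((label + ":").ljust(width) + " " + value)
    return "\n".join(lines)


def leaked_identifiers(record, text):
    """Sanity check before sending: every full name or full date of birth in
    the record must be absent from the rendered text. Returns the offenders."""
    sensitive = [record.get("PatientName"), record.get("PatientBirthDate"),
                 record.get("ReferringPhysicianName")]
    return [s for s in sensitive if s and s in text]


if __name__ == "__main__":
    fields = build_disclosure_fields(SAMPLE_RECORD, "203.0.113.10", 104)  # placeholder address
    body = render_plain_text(fields)
    assert not leaked_identifiers(SAMPLE_RECORD, body)
    print(body)
```

The last check is the one worth keeping in any such workflow: render the text, then verify mechanically that none of the full identifiers from the source record survived, before the message leaves a machine.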
How to identify the system owners?
No question, we were not supposed to contact any person within the data to find out about their healthcare provider: “Hey, we got your data from an unsecured system on the Internet, can you name your radiologist?” wouldn’t work well. As the information contained in the PACS also indicates the names of healthcare providers and of physicians, this was our starting point.
We used a list of sites, Google of course, but also:
- Hipaaspace (https://www.hipaaspace.com/)
- MX-Toolbox (https://mxtoolbox.com/)
- Email Address Verification (https://verifyemailaddress.org & https://mailtester.com)
- ARIN Whois (https://whois.arin.net)
So, all the work was done using OSINT.
What should be the format?
Letters, faxes, emails? We discussed the pros and cons and decided to use email as the format and method to transmit the responsible disclosure. Email is fast, but it is also the main inroad for attack attempts like phishing, so we had to scale down from fancy HTML to plain text. With the RFC style and format in mind, we drafted some initial versions and circulated them among capable advisers.
What should we say?
Emails talking about data leaks are very often received as threats: “do this, pay that, or we will release ...”. Formulating this email to avoid that specific effect was a bit of a challenge. We kept it as simple and short as possible and suggested actions instead of demanding them (which we could not possibly do anyway). That one took us a bit of work.
Finalization and Concerns
Our full notes were then transferred into a consolidated list of details (already obscured), which became the source for our little email campaign. As security researchers, we know that some recipients will totally misunderstand our intentions and “shoot the messenger”. That reaction has happened in the past, too often.
We will keep you posted…
Below is the final text, which we sent out on the afternoon of December 10th, 2019.
Sent to: email address
Personal Health Information Data Leak – Responsible Disclosure
Attention to
__________
__________
With this email, we want to inform you about an identified data leak likely affecting your organization. A server storing medical information of patients affiliated with your organization, a PACS server (Picture Archiving and Communication System), is connected to the public Internet without any protection. We believe this server is affiliated with your organization, and is configured in a way that allows free access to Personal Health Information of patients being treated in your facilities. We work for a team of computer security researchers, and are bringing this matter to your attention through the principles of RESPONSIBLE DISCLOSURE so you may address the exposure and protect your organization and patients.
To substantiate the fact, please see the obscured details of one single data set of a patient below.
Exam date & hour: __________ (exact timing shortened, but available on the system)
Patient name: __________ (obscured for privacy concerns and clear text transmission)
Patient DoB: __________ (shortened to year, if in the system)
Patient ID: __________ (as it appears on the system)
Exam ID: __________ (if and as it appears on the system)
Physician’s name: __________ (obscured, if and as it appears on the system)
Organization’s name: __________ (as identified during our research)
The network address of this system is the following IP address (and tcp-port): __________
In September 2019, we informed Government authorities across the globe about the systems we identified. You receive this email as part of our efforts to alert more than one hundred organizations in the US affected by that type of data leak. We would like to suggest that you take the necessary measures to secure the named PACS system. Potential measures can be, among others:
- Implement access control to the system
- Verify unnecessary port forwards
- Deploy VPN access
Please consult with your information security staff, your IT service provider and/or the relevant Government authorities in the US about the range and scope of measures possible in your specific setup.
Please note also:
- We recently conducted and published research about this type of data leak, which led to this disclosure. More information can be found here [1] and here [2].
- Our research paper describes how to verify this data leak for yourself [3].
- This email is written in plain text and contains no attachments.
- Should you require further information, please feel free to contact us. Within limits imposed by the situation, we will try to help. There is no demand for compensation related to this.
- This is a responsible disclosure; again, there is no demand of compensation for it or any intent to publish the data or details of your organization.
- This is not a cyber-attack, it is about systems connected to the public Internet without any protection at all, allowing uncontrolled access to personal health data.
With best regards
Greenbone AG
Dirk Schrader
(CISSP, CISM, ISO/IEC 27001 Practitioner)
Mobile: +49-
Office: +49-541-760278-0
http://www.greenbone.net/
Greenbone AG
Neumarkt 12
49074 Osnabrück, Germany
AG Osnabrück, HR B 202460
Managing Director: Dr. Jan-Oliver Wagner
[1] https://www.propublica.org/article/millions-of-americans-medical-images-and-data-are-available-on-the-internet
[2] https://www.warner.senate.gov/public/index.cfm/2019/9/warner-seeks-answers-in-light-of-negligent-cybersecurity-practices-by-health-care-company
[3] https://www.greenbone.net/wp-content/uploads/Confidential-patient-data-freely-accessible-on-the-internet_20190918.pdf
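The email above lists "verify unnecessary port forwards" and "deploy VPN access" as measures without detail. As an added Python example (not the page's or Greenbone's code), the following check turns the first measure into something a defender can run against `iptables-save` output: it reports every DNAT forward of a DICOM port that enters on an Internet-facing interface. The rule set is constructed; 104 and 11112 are the IANA-registered DICOM ports, the set of external interfaces is an assumption that must match the local setup, and `wg0` stands in for a VPN interface, which is why a forward entering there is not reported.

```python
"""Flag NAT port forwards that expose PACS/DICOM listeners on an
Internet-facing interface, from iptables-save output.

Added example, not from the page or from Greenbone. The rule set is
constructed; 104 and 11112 are the IANA-registered DICOM ports; the external
interface names are an assumption; wg0 stands in for a VPN interface.
"""

DICOM_PORTS = {104, 11112}
EXTERNAL_IFACES = {"eth0", "wan0"}   # assumption: interfaces facing the Internet

# Constructed iptables-save excerpt of the nat table (RFC 5737 / private ranges).
SAMPLE_NAT_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.10.0.20:443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 104 -j DNAT --to-destination 10.10.0.50:104
-A PREROUTING -s 198.51.100.0/24 -i eth0 -p tcp -m tcp --dport 11112 -j DNAT --to-destination 10.10.0.50:11112
-A PREROUTING -i wg0 -p tcp -m tcp --dport 104 -j DNAT --to-destination 10.10.0.50:104
COMMIT
"""

WANTED = ("-i", "-s", "--dport", "-j", "--to-destination")


def parse_dnat_rule(line):
    """Return the options of a PREROUTING DNAT rule as a dict, else None.
    Tokens are read pairwise, so the order iptables-save emits them in
    (-s before -i, for instance) does not matter."""
    if not line.startswith("-A PREROUTING"):
        return None
    tokens = line.split()
    opts = {}
    i = 0
    while i < len(tokens) - 1:
        if tokens[i] in WANTED:
            opts[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            i += 1
    if opts.get("-j") != "DNAT" or "--dport" not in opts:
        return None
    return opts


def find_exposed_forwards(rules_text, watch_ports=DICOM_PORTS, external=EXTERNAL_IFACES):
    """One finding per forward of a watched port that enters on an external
    interface. A forward limited to a source range (-s) is still reported,
    but marked for review rather than as openly exposed; a forward that only
    enters on a VPN interface is not a finding."""
    findings = []
    for line in rules_text.splitlines():
        opts = parse_dnat_rule(line)
        if opts is None:
            continue
        port = int(opts["--dport"])
        iface = opts.get("-i")
        if port not in watch_ports or iface not in external:
            continue
        findings.append({
            "iface": iface,
            "dport": port,
            "target": opts["--to-destination"],
            "severity": "review" if "-s" in opts else "exposed",
            "rule": line,
        })
    return findings


if __name__ == "__main__":
    for f in find_exposed_forwards(SAMPLE_NAT_RULES):
        print(f"[{f['severity']}] {f['iface']} :{f['dport']} -> {f['target']}")
```

On a real gateway the input would be `iptables-save -t nat` piped into this script; an "exposed" finding is a DICOM listener reachable by anyone on the Internet, which is exactly the configuration the disclosure describes, and the "review" case is the one to discuss with whoever set up the source restriction.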