[BreachExchange] Intimate Details on Healthcare Workers Exposed as Cloud Security Lags

Destry Winant destry at riskbasedsecurity.com
Thu Oct 10 01:18:40 EDT 2019


https://threatpost.com/intimate-details-healthcare-workers-exposed-cloud-security/149007/

Ponemon survey data shows that only a third of IT staff say they take
a security-first approach to data storage in the cloud.

Yet another non-password-protected cloud database has come to light,
this time exposing a raft of highly personal information on healthcare
workers and traveling nurses – including drug tests and arrest
records. The incident showcases the unfortunate reality that cloud
data security remains a persistent challenge for businesses of all
kinds.

Jeremiah Fowler, a researcher at Security Discovery, found the
database, which he said contains 957,000 records from Freedom
Healthcare Staffing in Aurora, Colo. Included were “intimate” details
on employees, various internal communications, job seeker and
recruiter data, IP addresses, ports, pathways and storage data that
cybercriminals could exploit to move deeper into the network.

The database was set to be publicly accessible, and anyone could edit,
download or delete data without administrative credentials, he said.
That’s worrying given the sensitive nature of the information he
found.

“In a sampling of the documents I read for verification purposes, I
saw failed drug tests (without prescriptions for those drugs), a nurse
being accused of taking a patient’s painkillers, complaints about a
hospital’s illegal interference in nurses trying to unionize and many
more complicated situations,” he wrote in a posting on Tuesday.

“In one document, a manager referenced a news article of a nurse who
was arrested and then instructed an employee to check if that nurse’s
name was in their system or had ever worked for Freedom Healthcare
Staffing. These notes were so detailed that several records I saw even
contained Social Security Numbers in plain text.”

Freedom Healthcare Staffing has since secured the database after
Fowler notified the company of the issue.

Cloud Security Continues to Lag

As cloud misconfigurations like the one at Freedom Healthcare Staffing
continue to make headlines, enterprise views on cloud security have
yet to catch up. Research from the Ponemon Institute released on
Tuesday shows that although nearly half (48 percent) of corporate data is
stored in the cloud, only a third (32 percent) of organizations admit
they employ a security-first approach to that data storage.

Surveying over 3,000 IT and IT security practitioners in Australia,
Brazil, France, Germany, India, Japan, the United Kingdom and the
United States, the data shows that nearly half (48 percent) of
organizations have a multi-cloud strategy, with Amazon Web Services
(AWS), Microsoft Azure and IBM being the top three. The study found
that, on average, organizations use three different cloud service
providers, and more than a quarter (28 percent) are using four or
more.

The research also found somewhat schizophrenic attitudes towards
security in the cloud. For instance, nearly half of survey respondents
(46 percent) believe that storing consumer data in the cloud makes
them more of a security risk; and more than half (56 percent) also
noted that it poses a compliance risk. However, only 23 percent say
security is a factor in selecting a cloud provider.

Perhaps most worryingly, organizations aren’t embracing the shared
responsibility model, which dictates that cloud providers should offer
secure facilities, but it’s up to the customers to make use of the
security mechanisms available. The survey found that 35 percent of
organizations believe that cloud service providers bear the most
responsibility for sensitive data in the cloud, ahead of shared
responsibility (33 percent) and themselves (31 percent).

“With businesses increasingly looking to use multiple cloud platforms
and providers, it’s vital they understand what data is being stored
and where,” said Larry Ponemon, chairman and founder of the Ponemon
Institute. “Not knowing this information makes it essentially
impossible to protect the most sensitive data – ultimately leaving
these organizations at risk. We’d encourage all companies to take
responsibility for understanding where their data sits to ensure it’s
safe and secure.”

Cloud Targeting

Meanwhile, organizations are also finding their cloud-housed data
under active attack, underscoring even further the need for better
security hygiene. For instance, a primary health organization (PHO) in
New Zealand, Tū Ora Compass Health, yesterday disclosed a security
breach that led to the exposure of medical and personally identifiable
information (PII) of roughly 1 million people.

According to Ministry of Health officials, there were four intrusions,
all by different threat actors. Two were “hacktivists” and two were
“more sophisticated…and that’s the extent of the information we have,”
they said in a press conference.

“Amassing hundreds of thousands of patient records in a single
database increases the risk of compromising patient data should a
breach occur,” said Paul Edon, senior director (EMEA) at cybersecurity
company Tripwire, in an emailed statement. “To ensure patients’ care
and safety, healthcare organizations must go beyond simply being
compliant with security frameworks and ensure that their environment
is duly protected against unauthorized changes and misconfigurations
which can make their environment susceptible to a cyber-attack.”

