Many have lauded the digital transformation occurring in the healthcare sector. By modernizing its technology, the healthcare industry is moving away from inefficient methods of data exchange, such as faxing. The industry is also equipping its clinicians and business decision makers with more data than ever, thanks to new AI tools and advanced analytics models.

However, healthcare’s digital transformation isn’t without consequences — as devices and systems become more connected, the risk of exposing patient data increases. Last week, cybersecurity software vendor Censys released a report showing that there are more than 14,000 unique IP addresses across the globe exposing patients’ potentially sensitive medical information on the public internet.

Open ports and web interfaces meant for exchanging and viewing medical images account for 36% of these exposures, according to the report. These ports and web interfaces are used mainly for potentially sensitive medical images like ultrasounds, X-rays, CT scans and MRIs.

At a minimum, all users accessing these services should be required to authenticate, said Himaja Motheram, security researcher at Censys. Implementing multi-factor authentication can also provide an additional layer of security beyond just passwords, she added.

“Beyond this, DICOM services should not be exposed to the public internet whenever possible — it’s unnecessary for their functionality. Instead, organizations should use virtual private networks (VPNs) to create secure connections for authorized users,” Motheram declared.

EMR systems accounted for the second-largest exposure type at 28%, the report showed. When an EMR’s login interface is exposed, a vast amount of patient data is put at risk, including social security numbers and sensitive medical histories.

Epic accounts for more than 90% of the EMR exposures observed in Censys’ report.

It’s clear that many healthcare providers rely on Epic’s products to function — this reliance means that any vulnerabilities in Epic’s platform could have a disproportionate impact across numerous healthcare facilities, Motheram pointed out.

“Epic’s EMR does support multi-factor authentication — a rarity among EMRs — which represents a positive step toward enhancing security. However, there’s not enough evidence to show that this feature is consistently required for all users. Like any widely used critical infrastructure software vendor, Epic has an outsized responsibility to prioritize security in its products,” she stated.

The report also noted that the U.S. has many more publicly exposed healthcare applications than any other country. Nearly 7,000 of the 14,004 exposures Censys found are in the U.S.

The U.S. has a disproportionate number of exposures because its healthcare system is so geographically and organizationally decentralized, Motheram remarked.

“Unlike some countries with more centralized healthcare infrastructure, the U.S. has a huge mix of large multi-region hospital networks, medical schools and thousands of smaller specialized clinics, each with their own systems and digital infrastructure. This results in inconsistent security standards all around, making mitigation and outreach efforts more challenging in the event of a critical security issue,” she explained.

Photo: WhataWin, Getty Images
