In Washington at UW Medicine, a misconfigured database has left patient data exposed on the internet for several weeks resulted in a breach affecting 974,000 individuals.
On Dec. 26, 2018, UW Medicine expressed that they became aware of a vulnerability on a website server that made protected internal files available and visible by search on the internet on Dec. 4, 2018.
The oversight was discovered by a patient who was conducting a Google search for their own name and found a file containing their information. The patient disclosed this to UW Medicine, a Seattle, Washington-based academic medical system that includes several hospitals and a large physician practice plan.
UW Medicine is the latest healthcare organization to report a breach involving misconfigured IT. Similar mishaps have been reported by others, including breaches that have resulted in enforcement actions by federal and state regulators.
According Keith Fricke, principle consultant at tw-Security, to alleviate incidents involving misconfigured IT, organizations should add a step to their change management processes – check off list of key security attributes to ensure they’re still intact after a change is completed.
The misconfigured database at UW Medicine was the result of a coding error when data was being moved onto a new server.
Due to the exposed files contained no Social Security numbers, patient financial information or medical records, the organization is not offering free credit or ID monitoring services.
The files contained protected health information that UW Medicine is legally required to track to. The exposed information included patients’ names, medical record numbers, and a description and purpose of the information shared for regulatory reporting purposes.
In addition, the database is used to keep track of the times UW Medicine shares patient health information that meets certain legal criteria. The most common reasons involve situations where UW Medicine is required by Washington state law to share patient information with public health authorities, law enforcement and Child Protective Services, the organization notes.
Another example is when a researcher receives approval to access medical records to determine whether a patient may be eligible for a research study or to recruit participants. IT is important for the researcher must document in the database when they access the medical record.
When UW Medicine learned of the exposure of the files to the internet, they took prompt steps to remove the information from the site and initiated appropriate measures to remove saved information from any third-party sites.
UW Medicine states that because Google had saved some of the files before Dec. 26, 2018, the institution worked with Google to remove the saved versions and prevent them from showing up in search results. By Jan. 10, 2019, the saved files were completely removed from Google’s servers.
Although UW Medicine states that the incident has been reported to the Department of Health and Human Services, the breach has not yet been posted on the HHS Office for Civil Rights HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals.
Misconfigured databases, servers and other IT are a fairly common culprit in health data security incidents.
Some breaches involving misconfigurations have also resulted in hefty HIPAA settlements with OCR. For instance, earlier this month, OCR slapped Cottage Health, who runs several California-based hospitals, with a $3 million settlement for two breaches involving misconfigured IT that impacted a total of 62,500 individuals.
One of the Cottage Health breaches, which impacted more than 5,000 individuals, occurred when a server was misconfigured following an IT response to a troubleshooting ticket, exposing unsecured electronic PHI on the internet.
Amid OCR’s findings during its investigation into the Cottage Health breaches, the agency says the entity failed to perform periodic technical and nontechnical evaluations in response to environmental or operational changes affecting the security of ePHI.
Last October, another incident reported a coding error in a portal of the Employee Retirement System of Texas, which administers retirement benefits, including health insurance, for state workers, inadvertently allowed some users to view the information of others, potentially exposing information on nearly 1.25 million of its members.
According to Tom Walsh, president of tw-Security, misconfiguration incidents often occur due to a change or an upgrade is only tested for user functionality, and security is not tested.
It is imperative to have information security integrated into all phases of the change control and configuration management, including request, review, approval and implementation. This will ensure that changes to the application or system do not introduce any additional vulnerabilities.
No Simple Answer
Sadly, there is no simple way to completely prevent misconfiguration mishaps, such as the one at UW Medicine, says Mark Johnson of the consultancy LBMC Information Security.
Moreover, no technology or process will 100 percent prevent human error. Although the steps will reduce the likelihood of it, but it will not eliminate it.
Mark Johnson of the consultancy LBMC Information Security. states that, most industry researchers predict that 80 percent of cloud data breaches will be due to customer misconfiguration, mismanaged credentials or insider theft, rather than cloud provider vulnerabilities, by 2020.