Simple Security Flaws

At the start of COVID, I had some time on my hands, and I started hearing about "Zoom bombing" on the news.  I was very familiar with Zoom (as well as just about every other meeting and desktop-sharing tool out there), but I was surprised to learn that these meetings were being discovered through Google searches.  Having spent many years in healthcare informatics, including time with the title of HIPAA Security Officer, I wondered how my industry was doing in terms of sensitive data being available through search engines.  After all, HITECH, which added teeth to HIPAA's technical security requirements, had been in effect for 5 years or so.


We weren't doing well.


I found a serious leak of sensitive patient data - a lot of patient data.  I notified the company about the loads of PHI (Protected Health Information) I had stumbled on.  I also discovered a hospital that exposed a great deal of internal documentation, including information about personnel and security policies.  A little social engineering would have gone a long way with that information in the hands of a bad actor.  Additionally, I came across a number of small-scale, but worrisome, issues.  None of this took much time or effort because I knew what healthcare data looked like, and I had been using search operators, such as Google's advanced search operators, for a long time.


Fast forward five and a half years, and I was curious whether things had gotten any better, even though I no longer specialize strictly in healthcare.  It has improved, but it's not perfect.  With a little thought, I quickly came up with a search that located real patient claims in the HIPAA EDI 837 (X12 837) format.  While it was never my intention to be personally nosy, I had to web search some of the claim demographic information just enough to confirm the data was real.  It was.  In this case, a programmer trying to get help with a technical problem had pasted real claim data on a support forum, and that technical issue, along with the sensitive claim data, became searchable.
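The leak above happened because a claim went into a support post with its identifiers intact.  The check a practitioner would want at that point is a pre-paste scrubber.  Below is an added example in Python (not code from the original post): it recognizes an X12 837 transaction in a blob of text and blanks out the subscriber/patient identifiers so the technical part can be shared without the PHI.  The sample transaction is constructed with fictitious data, and the segment/element list is an assumption that covers the common 837P identifiers (subscriber and patient names, member IDs, address, date of birth, patient control number, diagnosis codes), not every PHI-bearing element in the implementation guide.

```python
"""Pre-paste check for X12 837 healthcare claims.

Added example, not code from the original post. It recognizes an 837
transaction in a blob of text (a support-ticket body, a forum post draft)
and blanks out the subscriber/patient identifiers so the technical part
can be shared without the PHI. The segment/element list below is an
assumption covering common 837P identifiers, not a complete PHI map.
"""

SEGMENT_TERMINATOR = "~"
ELEMENT_SEPARATOR = "*"
REDACTED = "[REDACTED]"

# NM1 entity identifier codes that open a person loop: IL = insured/subscriber,
# QC = patient. Any other NM1 (85 billing provider, PR payer, ...) closes it.
PERSON_ENTITY_CODES = {"IL", "QC"}

# Element positions (1-based, as in the X12 spec) redacted while a person loop is open.
PERSON_LOOP_REDACT = {
    "NM1": {3, 4, 5, 9},  # last, first, middle name; member/subscriber ID
    "N3": {1, 2},         # street address lines
    "N4": {1, 3},         # city and postal code (state is left in place)
    "DMG": {2},           # date of birth
}

# Claim-level elements redacted regardless of loop: the patient control number
# and every diagnosis code on the HI segment ("all" = every element).
ALWAYS_REDACT = {"CLM": {1}, "HI": "all"}


def parse_segments(text: str) -> list[list[str]]:
    """Split raw X12 into segments, each a list of elements (index 0 = segment ID)."""
    segments = []
    for raw in text.split(SEGMENT_TERMINATOR):
        raw = raw.strip()  # tolerate the newlines people add after each ~
        if raw:
            segments.append(raw.split(ELEMENT_SEPARATOR))
    return segments


def looks_like_837(segments: list[list[str]]) -> bool:
    """True if any transaction set header (ST) declares an 837."""
    return any(s[0] == "ST" and len(s) > 1 and s[1] == "837" for s in segments)


def redact_837(text: str) -> tuple[str, list[tuple[str, int]]]:
    """Return (redacted text, findings); findings are (segment ID, element position).

    Text that is not an 837 is returned unchanged with no findings.
    """
    segments = parse_segments(text)
    if not looks_like_837(segments):
        return text, []

    findings = []
    in_person_loop = False
    for seg in segments:
        seg_id = seg[0]
        if seg_id == "NM1" and len(seg) > 1:
            in_person_loop = seg[1] in PERSON_ENTITY_CODES

        if seg_id in ALWAYS_REDACT:
            positions = ALWAYS_REDACT[seg_id]
        elif in_person_loop and seg_id in PERSON_LOOP_REDACT:
            positions = PERSON_LOOP_REDACT[seg_id]
        else:
            continue
        if positions == "all":
            positions = range(1, len(seg))

        for pos in positions:
            if pos < len(seg) and seg[pos]:  # skip absent or empty elements
                seg[pos] = REDACTED
                findings.append((seg_id, pos))

    rebuilt = "".join(ELEMENT_SEPARATOR.join(s) + SEGMENT_TERMINATOR + "\n" for s in segments)
    return rebuilt, findings


# Constructed sample 837P with fictitious data (not a real claim).
SAMPLE_837 = (
    "ISA*00*          *00*          *ZZ*SENDER         *ZZ*RECEIVER       "
    "*200101*1200*^*00501*000000001*0*T*:~\n"
    "GS*HC*SENDER*RECEIVER*20200101*1200*1*X*005010X222A1~\n"
    "ST*837*0001*005010X222A1~\n"
    "BHT*0019*00*0123*20200101*1200*CH~\n"
    "NM1*85*2*EXAMPLE CLINIC*****XX*1999999999~\n"
    "NM1*IL*1*DOE*JANE*M***MI*XYZ12345678~\n"
    "N3*123 MAIN ST~\n"
    "N4*ANYTOWN*CA*90210~\n"
    "DMG*D8*19800101*F~\n"
    "NM1*PR*2*EXAMPLE HEALTH PLAN*****PI*12345~\n"
    "CLM*PTCTRL0001*150.00***11:B:1*Y*A*Y*Y~\n"
    "HI*ABK:J069~\n"
    "SE*12*0001~\n"
    "GE*1*1~\n"
    "IEA*1*000000001~\n"
)

if __name__ == "__main__":
    safe, found = redact_837(SAMPLE_837)
    print(f"{len(found)} PHI elements redacted: {found}")
    print(safe)
```

The provider and payer NM1 loops are left readable on purpose, since those are usually what a support engineer actually needs to debug.  Anything this scrubber does not know about (REF segments carrying an SSN, DTP dates, the dependent PAT loop, free-text NTE segments) passes through untouched, so treat it as a first gate in front of a human review rather than a guarantee.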


This was not high-caliber OSINT.


I also discovered a state Department of Health Services that made many hundreds of email addresses available on the web.  That would be okay if it were a directory for its own organization, but these were not .gov addresses.  These were @yahoo.com, @msn.com, and similar.  While this is not a HIPAA problem, it could be used as the basis for a phishing scam.  With a little technical know-how, somebody could have taken the information from this entity far into dark waters.  Some of these email addresses were probably personal or from small businesses, and the click-through rate upon receiving an email (appearing to be from what should be a trusted source) could be high.


Certain professions we entrust with confidentiality. That trust should not be lost due to technology. That trust is what some people take advantage of.  Unless a person is explicitly advertising their data on the web to get a date or a job or whatever, they should have, we all should have, the expectation of privacy.  
