Millions of patient data accessible for years: A wakeup-call for the healthcare sector?

A statement by Marc Schieder, CIO DRACOON

Regensburg, 18th September 2019 – According to research by the Bayerischer Rundfunk and the US investigative platform ProPublica, highly sensitive medical patient data from Germany and the USA has ended up on unsecured servers. In other words, uninvolved third parties could access this information at any time. Data from millions of patients is affected, including the patients' first and last names and dates of birth, but also details of their treatment. The collection also contains high-resolution x-ray images. This information appears to have been freely accessible on the internet for many years. In total, there are 16 million data records, 13,000 of which come from Germany. Globally, an estimated 50 countries are affected by the leak. In Germany, the majority of the data records concern patients from the Ingolstadt area and from Kempen (North Rhine-Westphalia).

This latest incident is alarming; however, it is not surprising, since a recent investigation of IT security in the health care sector, commissioned by the insurance industry, showed that cyber security in practices and clinics is clearly being neglected. The investigation found that in 20 out of 25 practices all users had administration rights, and not a single practice surveyed regularly checks whether old administrator rights still exist. In addition, a massive backlog in terms of encryption was revealed. According to a test of the mail servers with the analysis tool Cysmo, sensitive patient data is seriously endangered: of the approx. 1,200 medical practices examined, only 0.4 % were at the state-of-the-art level recommended by the BSI with regard to the supported encryption methods. All other physicians in private practice still rely on outdated and insecure standards for encrypting mail in transit, and this is exactly what makes it possible for third parties to intercept such a mail on the way between sender and recipient. Of the clinics surveyed, 5 % complied with the current BSI standard; against the background of the particular sensitivity of the data, this figure is also alarming. The mail servers were tested by PPI AG on behalf of the German Insurance Association (GDV). The study also showed that e-mail/password combinations of 60 % of the clinics could already be found on the Darknet. For the medical practices this figure was 9 %.

In order to ensure a consistently high level of data protection and security in an organization, clinics and medical practices, but also pharmacists and other health care service providers, need to take their responsibility seriously when handling patient data. This includes using state-of-the-art encryption, for email as well as for the enterprise file sharing solutions that many clinics and practices already use. Ideally, solutions in this sector offer client-side encryption based on openly documented methods. This means that the data is already encrypted on the end device, before it is transmitted or stored. Healthcare organizations should also react urgently to the issue of permissions, to ensure that only authorized users have access to data. In addition to a strong security culture with regard to passwords, this means implementing only those file exchange solutions that have a modern authorization concept with decentralized administration. Access rights must be easy to assign individually to internal employees as well as external parties. This ensures, for example, that certain people only have read access, while others can also edit and delete data, and it prevents unauthorized access to sensitive patient data. Clinics and other service providers in the healthcare sector should see the latest data leak as a warning and urgently review their IT security culture, organizationally, but also to the extent that new solutions introduced within the company meet the highest demands in terms of data security and protection.