Two security flaws at Chinese medical device operators put over 24 million patient records at risk in October. These medical data leaks reveal how cybersecurity practices and regulations lag behind as China’s healthtech industry plows ahead.
Cybersecurity monitoring site WizCase first noticed the leaks, which came from two separate sources. TechNode reviewed screenshots from the reported leaks and sought out further details from Dutch cybersecurity researcher Victor Gevers.
Sichuan Lianhao Technologies, a provider of internet of things medical solutions, left 24 million records exposed in the first leak. These included not only medical records, but also data that could directly identify patients and doctors, such as names, ID numbers, phone numbers, and medical information.
In a second leak, the medical department at China’s leading Tsinghua University left details of approximately 60,000 patients exposed. The data included date of birth, height, and age. The server did not hold directly identifying information such as names and ID numbers.
Unprotected patient data
“The leaks were initially identified as servers with open DB ports which were connected to the open internet,” Avishai Efrat, a lead researcher at WizCase who was part of the team that disclosed the leaks, told TechNode.
Such database ports typically belong to MongoDB servers, a commonly used type of data store associated with many recent leaks. MongoDB is free to use and stores document-style records rather than multimedia files.
“The server proved to be accessible via ElasticSearch ports with no authentication needed, meaning that anyone could access the data they hold by approaching the IP and port of each server’s ElasticSearch service,” Efrat said.
Elasticsearch is a search engine layered on top of such data stores and “is commonly used for making big data sets easily searchable,” said researcher Victor Gevers.
Companies can bring the server online to make the data accessible to employees via ports. But steps are needed to safeguard access.
“Some platforms and technologies are meant to be kept away from the open internet,” Efrat said. “Databases like ElasticSearch were designed to be implemented in closed networks.”
It is common practice to keep data out of the wrong hands by placing servers behind firewalls that block all but a few ports, or by requiring authentication to gain access.
“Our advice is always to protect servers connected to the internet with a firewall blocking everything except port 443 (for HTTPS), or to limit access to the service with network filtering so that it only accepts local connections,” Gevers said.
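As an added illustration (not from the article, WizCase or Gevers), the following shell script checks the two safeguards just described: whether an Elasticsearch node’s `network.host` setting binds it beyond loopback, and what a default-drop firewall that opens only port 443 looks like. The `elasticsearch.yml` samples and host names are constructed for the example; a Linux host with `iptables` and `curl` is assumed.

```shell
#!/bin/sh
# Added example, not from the article: a defender-side check for the two
# safeguards quoted above (bind Elasticsearch to local connections only,
# and firewall everything except HTTPS). elasticsearch.yml contents and
# host names here are constructed for illustration.

# Constructed sample configs: the first binds every interface, the second loopback only.
EXPOSED_CFG='cluster.name: patient-records
network.host: 0.0.0.0
http.port: 9200'
HARDENED_CFG='cluster.name: patient-records
network.host: 127.0.0.1
http.port: 9200'

# es_binding CONFIG_TEXT -> prints LOCAL or EXPOSED.
# Elasticsearch 2.x and later bind to loopback when network.host is absent,
# so an unset key is treated as LOCAL; any other non-loopback value is EXPOSED.
es_binding() {
  host=$(printf '%s\n' "$1" \
    | sed -n 's/^network\.host:[[:space:]]*//p' | head -n 1 | tr -d "\"' ")
  case "$host" in
    ""|127.0.0.1|::1|localhost|_local_) echo LOCAL ;;
    *) echo EXPOSED ;;
  esac
}

# firewall_rules -> prints the iptables policy Gevers describes: default-drop
# inbound, loopback and established traffic allowed, only TCP/443 open.
# Port 9200 (Elasticsearch HTTP) therefore never appears in an ACCEPT rule.
firewall_rules() {
  cat <<'EOF'
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
EOF
}

# es_anonymous HOST -> prints OPEN if the node answers an unauthenticated
# GET on its HTTP port (what the leaked servers did), else CLOSED.
# Run it only against hosts you administer; needs curl and network access.
es_anonymous() {
  code=$(curl -s -o /dev/null -m 5 -w '%{http_code}' "http://$1:9200/" 2>/dev/null)
  [ "$code" = "200" ] && echo OPEN || echo CLOSED
}

echo "sample 1: $(es_binding "$EXPOSED_CFG")"   # EXPOSED
echo "sample 2: $(es_binding "$HARDENED_CFG")"  # LOCAL
```

Point `es_anonymous` at a node you operate (for example `es_anonymous 127.0.0.1` on the server itself) to confirm that anonymous reads are refused after authentication is enabled.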
Tsinghua University was responsible for another leak of medical data back in September, Gevers said. That leak left millions of identifiable records from 109 hospitals in China’s Sichuan province available online, he added.
After comparing WizCase’s information to his own disclosure, Gevers told TechNode the two leaks came from separate servers. In both cases the security flaw relates to the ElasticSearch service.
The Beijing-based university refuted Gevers’s claim in September on Twitter, saying that it did not operate the server.
Booming industry, lax regulation
Companies are vying for a share of China’s trillion-dollar healthcare industry with intelligent connected devices. Heavyweights like Alibaba and JD have joined the race.
A 2018 report from Tencent’s security arm found that 84.7% of hospitals provide online services via mobile or desktop apps, which typically come from third parties. By contrast, only 56.4% of these services include testing and consultation, the report said.
The use of third-party software is common in the medical industry and increases the probability of cyberattacks, Efrat said.
“It was reported about 17% of network attacks in hospitals come from medical devices,” Simun Hui, a Shanghai-based partner at law firm Baker McKenzie, told TechNode. “77% of hospitals said that they are concerned about the security risk of medical equipment.”
A little over three-quarters of Chinese hospitals’ apps for patients have cybersecurity vulnerabilities. Patients use these programs for booking appointments and increasing access to medical services from home.
Ransomware attackers have targeted the Chinese medical sector since 2017, Tencent said, adding that ransomware makes up nearly one-third of all attacks in the country. These blackmailing attempts have become a danger to the physical well-being of patients, the experts told TechNode.
Hui said there is “a trend that hackers are no longer satisfied with extracting medical records and patient data. They are reaching out to the medical devices and threatening the safety of patients.”
Authorities have yet to release any regulations specifically covering medical data at healthtech providers. “So far we have not seen any mandatory laws or regulations being implemented specifically for medical device operators and vendors,” said Hui.
Data leaks meet small fines
The China Food and Drug Administration (CFDA) released Guiding Principles on the Technical Reviews of the Cybersecurity Registration of Medical Devices in 2017. They call for security reviews for all medical device operators. Hui expects them to become mandatory in the future.
The Ministry of Public Security says it has conducted inspections on 27,000 companies, he added.
The 2017 Cybersecurity Law has led to fines against hospitals. Administrative fines are typically close to the minimum amount stipulated by the law, which sets a range between RMB 10,000 ($1,440) and RMB 100,000, local media report.
A Chongqing hospital received a RMB 10,000 fine last May after its servers were completely shut down while being held hostage by hackers. The hospital had not separated data according to its sensitivity, and the data was not adequately protected from hackers.
In March, hackers installed a backdoor in the servers of a plastic surgery hospital, and information about its patients was used to build a prostitution website. Authorities deemed the hospital liable for the hack and levied a RMB 10,000 fine.
While the Tencent report states that cybersecurity is becoming a priority in the increasingly digitalized healthcare industry, there are plenty of examples showing that sloppy architecture is still prevalent across the sector.