Dr Lal Pathlab Data Breach

Synopsis: Last month, Dr. Lal PathLab was in the news for leaving a set of spreadsheets containing sensitive patient data on the cloud without a password. Even as the legal framework around data protection in healthcare sorts itself out, the incident must trigger reflection in the healthcare industry.

Found by: security expert Sami Toivonen (Cyber Risk & Governance | Cyber Awareness | Audits & Testing) on 09-10-2020.

According to Sami Toivonen, this also serves as an important reminder for all of us: even businesses and individuals that are part of the public success story and case studies of AWS (Amazon Web Services) are not immune to data breaches and misconfigurations. To put it another way, no cloud service provider takes over the responsibility of people and businesses to secure their users and data (SaaS) or their applications, networks and APIs (IaaS). It is always the responsibility of the party involved.

Data breaches of this kind have a short history in India.

In February 2020, a major data breach was reported from Breach Candy Hospital, Mumbai. At that time, Naavi.org called it an “I Love You Moment”, recalling the incident in 2000 when the I Love You virus hit the Internet and prompted Indian regulators into passing the Information Technology Act 2000 (ITA 2000), which had otherwise been kept in cold storage in a Standing Committee.

In the Breach Candy incident, over 121 million medical records of Indian patients were exposed due to a lack of secure storage. The data, including X-rays, scans, patient history, national ID, date of birth etc., had been stored in the cloud and was accessible over the internet without a password.

The data was stored in the DICOM format, which is meant to be accessible only to the registered medical practitioners attending the patient and to the patient, each with an appropriate user name and password; instead it was negligently made available publicly. This entire data set could now be on the dark web and exploited by criminals.

Recently, another major data breach hit the security world in the form of Dr. Lal PathLab. The Personal Data Protection Bill is still at the bill stage, so again we need to fall back on the ITA 2000. At least now we need to see whether CERT-In conducts an enquiry, an Adjudicator takes up a suo motu enquiry on behalf of the affected patients, or some sort of PIL gets filed in a High Court.

According to the information available, Dr. Lal PathLab, headquartered in New Delhi, serves 70,000 patients on a daily basis and stores the medical diagnostic results on Amazon Web Services.

Dr. Lal PathLab had been storing sensitive patient data on Amazon Web Services (AWS) in a way that accidentally made the data accessible to all. It has come to be known that the data was stored on the unsecured cloud server for almost a year.

The data included patients’ booking details such as their name, address, phone number, email ID, payment details, digital signature, and also the type of medical tests they had taken. The leaked data reportedly revealed novel coronavirus test details too.

Allegedly the data was stored without password protection, allowing just about anyone to access it from anywhere.

Result: A major data breach occurred. It is not known for how long the data remained exposed: spreadsheets containing daily records of patients’ lab tests. Each spreadsheet contained the respective patient’s name, address, gender, date of birth and cell number, as well as details of the test that the patient had undertaken, indicating or allowing inference of a medical diagnosis or a specific health condition.

Some booking records contained additional remarks about the patient, such as whether they had tested positive for COVID-19.

Anyone could use the data for any purpose, with the confidentiality of the data severely compromised, which is indeed illegal.
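As an added illustration (not code from the article, from Sami Toivonen or from Dr. Lal PathLab), and assuming the exposed storage was an Amazon S3 bucket, the following defender-side audit evaluates the three settings that decide whether bucket contents can be read anonymously. The input dictionaries mirror the response shapes of boto3’s get_public_access_block, get_bucket_acl and get_bucket_policy_status, so the same function can be fed real API output; the two sample configurations are constructed.

```python
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
READ_PERMS = {"READ", "FULL_CONTROL"}
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

def audit_bucket_exposure(public_access_block, acl, policy_status):
    """Return findings for an S3 bucket; an empty list means no anonymous read path.
    Arguments mirror boto3's get_public_access_block, get_bucket_acl and
    get_bucket_policy_status responses. Pass None for the first when the call
    raises NoSuchPublicAccessBlockConfiguration, i.e. nothing was ever blocked."""
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    findings = []
    # Path 1: an ACL granting READ to everyone, or to any AWS account holder.
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in (ALL_USERS, AUTH_USERS)
                and grant.get("Permission") in READ_PERMS
                and not pab.get("IgnorePublicAcls", False)):
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant['Permission']} to {group}")
    # Path 2: a bucket policy that AWS itself evaluates as public.
    if (policy_status.get("PolicyStatus", {}).get("IsPublic", False)
            and not pab.get("RestrictPublicBuckets", False)):
        findings.append("bucket policy is public and RestrictPublicBuckets is off")
    # Path 3: each Block Public Access switch that is off leaves the bucket one
    # change away from exposure, even if nothing is public right now.
    for key in BPA_KEYS:
        if not pab.get(key, False):
            findings.append(f"Block Public Access setting {key} is not enabled")
    return findings

# Constructed sample: no Block Public Access and a world-readable ACL, the kind of
# misconfiguration that leaves spreadsheets on the cloud without a password.
EXPOSED = dict(
    public_access_block=None,
    acl={"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS},
                     "Permission": "READ"}]},
    policy_status={"PolicyStatus": {"IsPublic": False}},
)
# Constructed sample: all four blocks on, only the owner (placeholder ID) in the ACL.
HARDENED = dict(
    public_access_block={"PublicAccessBlockConfiguration": {k: True for k in BPA_KEYS}},
    acl={"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"},
                     "Permission": "FULL_CONTROL"}]},
    policy_status={"PolicyStatus": {"IsPublic": False}},
)

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit_bucket_exposure(**cfg) or ["no findings"])
```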

Recommendations: According to ISO 27001 Controls and Objectives,

  • A.6.1.5 Confidentiality agreements

    Control – Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified and regularly reviewed.

  • A.6.1.8 Independent review of information security

    Control – The organization’s approach towards managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals, or when significant changes to the security implementation occur.

  • A.11.3 User responsibilities

    Objective: To prevent unauthorized user access, and any sort of compromise or theft of information and information processing facilities.

    A.11.3.1 Password use

    Control – Users shall be required to follow good security practices in the selection and use of passwords.

    A.11.3.2 Unattended user equipment

    Control – Users shall ensure that unattended equipment has appropriate protection.

    A.11.3.3 Clear desk and clear screen policy

    Control – A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.

  • A.10.10 Monitoring

    Objective: To detect unauthorized information processing activities.

  • A.8.2 During employment

    Objective: To ensure that all employees, contractors and third-party users are aware of information security threats and concerns, their responsibilities and liabilities, and are well equipped to support organizational security policy in the course of their normal work, and also to reduce the risk of human error.

    A.8.2.2 Information security awareness, education and training

    Control – All employees of the organization and (where relevant) contractors and third-party users shall receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their respective job function.

  • A.8.3 Termination or change of employment

    Objective: To ensure that employees, contractors and third-party users exit an organization or change employment in an orderly manner.

References

https://www.techtimes.com/articles/253186/20201008/indias-dr-lal-pathlabs-allegedly-exposes-millions-patients-data-using.htm

https://economictimes.indiatimes.com/prime/technology-and-startups/after-dr-lal-pathlabs-heres-the-rx-on-healthcare-data-security-scan-test-and-treat-immediately/primearticleshow/78628718.cms

https://www.linkedin.com/feed/update/urn:li:activity:6720084715908554752/