India unprepared to protect medical data: Researcher
This data can be used by hackers for making phishing attacks and social engineering even more effective.
Data security and data privacy are two of the most important concepts of the modern era. While the European Union has already enacted stringent laws to protect users' data, others like the US and India are still in the process of framing their own. Against this backdrop, a researcher has detailed how unprepared India is to handle its medical data.
Security researcher Sai Krishna Kothapalli, in a blog post on Medium, has detailed how easy it is for anyone to access medical records of patients across states and hospitals, both government and private, in India. In a post titled “How screwed is India's healthcare data?”, Kothapalli explains how he was able to access medical records of patients in various hospitals in India, such as Govt Head QTRS Hospital Krishnagiri, KGM Hospital Pvt Ltd, and Govt Hospital Ooty, among others.
There are two ways to access data stored in PACS (Picture Archiving and Communication System) servers, which hold medical images. The first is by connecting directly to the PACS servers. “As on February 11, 2020, there are 305 PACS available online in India. Out of which 193 of them are available to connect without any kind of password or restriction,” he wrote in the blog post, adding, “All you need to know to access this data is which IP address these servers are running on and connect using any software which can retrieve and view DICOM files.”
Using this method, Kothapalli was able to access more than 1,51,646 patient records as of 4th June 2020, which contain personal information such as name, age, date of birth, patient ID, referring physician, performing physician, and hospital or imaging centre. He says that all of this information is left on the internet “unprotected with no password.”
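A defender-side check that follows from the first method, added here as an example and not part of Kothapalli's post or any PACS product: a PACS should only accept DICOM associations from known calling AE titles at known addresses, and every A-ASSOCIATE-RQ carries both AE titles in its fixed header, so an allow-list audit over incoming association requests flags exactly the anonymous connections the researcher describes. The allow-list, the AE titles and the sample association records below are constructed for the example.

```python
import struct
from dataclasses import dataclass

# Fixed part of a DICOM A-ASSOCIATE-RQ PDU (DICOM PS3.8, Table 9-11):
# type(1) reserved(1) length(4) version(2) reserved(2) called AE(16) calling AE(16) reserved(32)
FIXED_LEN = 74


@dataclass
class AssociateRequest:
    called_ae: str   # AE title of the PACS the peer wants to reach
    calling_ae: str  # AE title the peer claims for itself
    version: int


def parse_associate_rq(pdu: bytes) -> AssociateRequest:
    """Parse the fixed header of an A-ASSOCIATE-RQ; raises on malformed input."""
    if len(pdu) < FIXED_LEN or pdu[0] != 0x01:
        raise ValueError("not an A-ASSOCIATE-RQ PDU")
    if struct.unpack(">I", pdu[2:6])[0] != len(pdu) - 6:
        raise ValueError("PDU length field does not match payload")
    version = struct.unpack(">H", pdu[6:8])[0]
    called = pdu[10:26].decode("ascii", "replace").strip()
    calling = pdu[26:42].decode("ascii", "replace").strip()
    return AssociateRequest(called, calling, version)


def build_associate_rq(called: str, calling: str) -> bytes:
    """Build a minimal A-ASSOCIATE-RQ (fixed header only) as constructed test data."""
    body = (struct.pack(">H2x", 1) + called.ljust(16).encode("ascii")
            + calling.ljust(16).encode("ascii") + bytes(32))
    return bytes([0x01, 0x00]) + struct.pack(">I", len(body)) + body


# Constructed allow-list of (calling AE title, source IP) pairs this PACS should accept.
ALLOWED_PEERS = {("CT_SCANNER_1", "10.0.5.21"), ("RADIOLOGY_WS", "10.0.5.40")}

# Constructed association attempts as (source IP, raw PDU). The last two present
# generic toolkit default titles instead of a registered device title.
SAMPLE_ASSOCIATIONS = [
    ("10.0.5.21", build_associate_rq("PACS_MAIN", "CT_SCANNER_1")),
    ("203.0.113.7", build_associate_rq("PACS_MAIN", "ANY-SCP")),
    ("198.51.100.9", build_associate_rq("PACS_MAIN", "ECHOSCU")),
]


def audit_associations(events, allowed=ALLOWED_PEERS):
    """Return one finding per association whose (calling AE, source IP) is not allow-listed."""
    findings = []
    for ip, pdu in events:
        rq = parse_associate_rq(pdu)
        if (rq.calling_ae, ip) not in allowed:
            findings.append(f"{ip} calling_ae={rq.calling_ae} called_ae={rq.called_ae}")
    return findings
```

Run `audit_associations(SAMPLE_ASSOCIATIONS)` to list the two unexpected peers; in production the same check belongs in the PACS's association-acceptance policy, not only in after-the-fact log review.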
The second method involves using a web interface. While these web interfaces ask for a username and a password, the security researcher was able to access patients' healthcare records of various public and government hospitals simply by typing admin:admin as the username and password. What is scary is that the security researcher was not only able to view these records but also to edit and even delete them.
The researcher says that this data could be exploited by hackers for a variety of purposes. “These include publishing individual names and images to the detriment of a person's reputation; connecting the data with other Darknet sources to make phishing attacks and social engineering even more effective,” he wrote in the post.