Some time ago, I had just taken over another clinic and was sorting out the website. There were a couple of digital patient medical forms being used. Apparently, they were using a plain unsecured form, so I decided to fill it out and test it to see what would happen.
When I did that, I noticed something peculiar.
The form I filled out created a PDF of the patient’s information and stored it on the website server.
That’s bad, but it was an easy problem to fix, I thought, as long as the PDF was on the website server and not accessible on the website itself.
But as I continued to examine it, the situation got worse…
In the web browser, the PDF was listed as something like this: www.dentalclinic.com/patientform_1.pdf
What would happen if I changed that "1" to a "5" or "10" or "200"?
All of those worked.
All of those PDFs showed up.
I clicked on them. All of those were patients.
Let me clarify.
Every patient that had filled in the form on the clinic’s website, the clinic that they trusted, had their sensitive medical data on display for the entire world to see.
None of it was encrypted, none of it was hidden.
All of the patients' medical data was exposed.
Who could have found it?
Anyone could have downloaded it and kept it forever.
At that moment, I knew we were exposed to hacks, ransom attacks, extortion, privacy breaches (PIPEDA/HIPAA) and enough lawsuits to bankrupt everything the dentist had worked for over the past 20 years.
So that became somewhat of a priority.
We contacted the marketing company that had put in those forms and they said that it was nothing to worry about.
Is that the kind of laziness and negligence we should expect from the companies in charge of our patient data?
All those PDFs were wiped off the server and the forms were scrapped completely.
There was a lot of nervousness that day while we worked quickly to protect ourselves.
That was discovered by random chance and we are very lucky.
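The question above of who could have found the files can be partly answered from the web server's access log. The following is an added example, not code from the clinic or the form vendor: it assumes an Apache/nginx combined-format log and the `patientform_N.pdf` naming from this post, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?:GET|HEAD) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# Filename pattern as described in the post; adjust to the real form's naming.
FORM_RE = re.compile(r'/patientform_(\d+)\.pdf(?:\?.*)?$', re.IGNORECASE)

def exposed_downloads(log_lines):
    """Map client IP -> set of form numbers the server actually delivered."""
    hits = defaultdict(set)
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m or m.group("status") not in ("200", "206"):
            continue  # only successful (full or partial) responses count
        f = FORM_RE.search(m.group("path"))
        if f:
            hits[m.group("ip")].add(int(f.group(1)))
    return dict(hits)

def likely_enumerators(hits, min_files=3):
    """A patient touches one file; a client with many distinct numbers was
    probably stepping through the IDs (min_files is an assumed threshold)."""
    return sorted(ip for ip, ids in hits.items() if len(ids) >= min_files)

# Constructed sample log lines using documentation IP ranges, not real data.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2020:10:01:02 +0000] "GET /patientform_1.pdf HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2020:10:01:03 +0000] "GET /patientform_2.pdf HTTP/1.1" 200 47102 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2020:10:01:04 +0000] "GET /patientform_3.pdf HTTP/1.1" 200 49877 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2020:10:01:05 +0000] "GET /patientform_4.pdf HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2020:10:01:06 +0000] "GET /patientform_5.pdf HTTP/1.1" 200 50310 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [12/Mar/2020:11:15:40 +0000] "GET /patientform_7.pdf HTTP/1.1" 200 46650 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [12/Mar/2020:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [12/Mar/2020:12:00:09 +0000] "GET /patientform_9.pdf HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = exposed_downloads(SAMPLE_LOG)
    for ip in likely_enumerators(hits):
        print(ip, "downloaded forms", sorted(hits[ip]))
    print("Forms fetched by anyone:", sorted(set().union(*hits.values())))
```

The log only covers its retention period, so an empty result does not show that nobody downloaded the files earlier. Known clinic or office addresses that legitimately opened many forms will also show up and need to be separated out by hand.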
It was a lesson that was burned in my mind forever… when dealing with sensitive patient data, where are the leaks? How much are we working to protect their info (and ultimately our asses) from exposure?
Look at what happened with at least 322 big companies who through theft or compromise leaked 30,000 or more records. These are just the biggest leaks on record, usually with big, public companies or government agencies.
Companies like Yahoo, Facebook, Microsoft, Equifax (which turned out to be Chinese government operatives), Ashley Madison (massive pie in the face of the guys from there – most of the women are either automated robots or stooges paid by the company to get guys to buy the membership) and the US Department of Veterans Affairs (lost computer), Lifelabs (!) and on and on.
Some of these are tech companies in charge of security or boast of their security (Facebook)!
According to the list (https://en.wikipedia.org/wiki/List_of_data_breaches) as of 2020, these data breaches will cost 2.1 trillion globally, involving the exposure of 2.7 billion records, over 770 million email addresses and over 20 million passwords.
These companies didn't protect themselves and are mired in lawsuits and damaged reputation forever. But they are big companies with teams of lawyers on retainer.
We are dental clinics. Cousin Bob and his family law practice isn't going to be helpful fighting a data and privacy breach lawsuit from patients and the insurance company, plus handling the data breach protocol, while we try to get back to where we were prior to the pandemic.
As we re-open clinics after the worst pandemic outbreak in a century, online security is more important now than ever.
Some of the cyber security tech stocks have soared to all-time highs during the pandemic.
It's easy to put our heads in the sand and ignore these details because the technology involved is confusing or complicated.
How do you evaluate risk?
Do you feel comfortable putting your livelihood on the line for something that costs very little to fix?
Considering what's at stake, have a quick look and see where the 5 critical security leaks are with digital patient forms and your website and what you can do about it.
If you seal up these easily preventable security holes, you can reduce or eliminate the kind of blowback you would get from any patient data leak.