Red team case study: medication corporation

I worked for a mid-sized medication corporation. Think fast casual as a medical institution. They used an in-house EMR (Electronic Medical Records), sometimes referred to as EHR (Electronic Health Records), as opposed to, say, Epic, so some of these recommendations and observations may not be directly applicable to your situation or your organization's needs.

Every office had at least one server rack; some offices had more. In many of the offices the servers were accessible to anyone: staff, patients, clients, delivery persons and contractors. Some offices had the server behind a digitally locked closet; this is my recommendation should on-site servers be necessary. I would also recommend that the location of the server, but not the access code, be clearly outlined in the runbook and wiki. Ideally the locations of all the in-house servers would also be documented and maintained by a member of the IT staff. It is a very bad situation to need to know where a physical server is but be in a position where everyone in the office has been there for less than 2 weeks, they do not know what or where the server is, and they do not care. Regular audits of physical resources need to be done at least quarterly if not monthly.

Clients' USB drives and phones being plugged into the administrative assistants' work computers. This is pretty obviously a bad idea and easy to avoid. USB drives, phones, and even charging cables can be more than what they seem. They can be used to upload malware or spyware to a computer they have been plugged into without you even knowing something has happened. I suggest that USB charging ports for phones and other devices be available in the lobby, and that there be training regarding the danger of using unknown devices. As for patients' medical records, a USB of unknown origin should never be placed into a system: do not accept medical records on USB and do not give them out over USB, unless you are making them in house. All offices are equipped with scanners, and Google is free and can tell you where the closest copy shop is. If the person in question truly does have medical records they need transferred, they are more than welcome to bring in the physical documents. This also avoids the risk of macros from a text document that has been transferred via email. My personal recommendation is that medical records be handled by a decentralized medical records department that ideally is responsible for getting the medical records from other facilities, as getting records from a patient and not an institution runs the risk of their having been altered by the patient or a 3rd party.

Open Wi-Fi network being used to transmit health data. If the system is down, I should not be able to access it from an open Wi-Fi network. The in-house software such as billing and EMR should never be accessible outside of an already specified bank of reserved IPs as used by the internal organization.
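One way to enforce the reserved-IP rule at the application edge is an allowlist check on the client address. This is an added example, not code from the company's EMR; the CIDR ranges and the proxy address are constructed assumptions. It also shows the check a practitioner would want alongside the allowlist: the X-Forwarded-For header is only believed when the direct peer is a trusted reverse proxy, because otherwise anyone on the open Wi-Fi could claim an internal address by setting the header.

```python
import ipaddress
from typing import Optional

# Constructed allowlist for the example: the organization's reserved internal ranges.
# These CIDRs are assumptions, not the company's real addressing plan.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),     # office LANs (assumed)
    ipaddress.ip_network("192.168.50.0/24"),  # staff VPN pool (assumed)
]

# Reverse proxies whose X-Forwarded-For header we are willing to believe (assumed address).
TRUSTED_PROXIES = {ipaddress.ip_address("10.20.0.5")}


def is_internal(addr: str) -> bool:
    """True if addr falls inside one of the reserved internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)


def effective_client_ip(peer_addr: str, forwarded_for: Optional[str] = None) -> str:
    """Return the address that should be treated as the client.

    X-Forwarded-For is only honoured when the direct peer is a trusted proxy.
    Without that check, a caller on the open Wi-Fi could claim an internal
    address simply by setting the header themselves.
    """
    peer = ipaddress.ip_address(peer_addr)
    if forwarded_for and peer in TRUSTED_PROXIES:
        # The trusted proxy appends the address it actually saw as the last entry;
        # anything to the left of it was supplied by the client and is untrusted.
        hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
        if hops:
            return hops[-1]
    return peer_addr


def is_request_allowed(peer_addr: str, forwarded_for: Optional[str] = None) -> bool:
    """Allow EMR/billing requests only from the reserved internal ranges."""
    try:
        client = effective_client_ip(peer_addr, forwarded_for)
        return is_internal(client)
    except ValueError:
        # Malformed address: fail closed rather than guess.
        return False


if __name__ == "__main__":
    samples = [("10.20.3.7", None), ("203.0.113.9", None), ("203.0.113.9", "10.20.3.7")]
    for peer, xff in samples:
        verdict = "allowed" if is_request_allowed(peer, xff) else "denied"
        print(f"peer={peer} x-forwarded-for={xff!r} -> {verdict}")
```

The third sample is the case that matters: an external peer presenting an internal address in the header is still denied, because the header is ignored unless the peer is the trusted proxy.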

Cameras at every workstation. During my time there, video meetings were something some but not all staff participated in. If you want cameras to be available on all workstations, they must be equipped with a webcam cover. There is no need to have a camera at every administrative staff member's desk and certainly not in every provider's exam room. How am I supposed to feel safe undressing or discussing private health issues in front of a camera that is accessible to the general internet? Some providers adopted a webcam cover, but it was not in practice across the organization.

The administrative assistants, when not staffed at the front desk, were staffed in overcrowded open floor office plans. Phone farm at its finest. Some locations were not temperature controlled, getting to be above 80; this is in San Francisco, mind you. The way the phone staff were placed, it was easy to overhear and see other patients' charts and see Protected Health Information (PHI): an example of institutionalized HIPAA violations.

Password sharing. This is just bad; you hate to see it. Everyone should know that passwords are personal and not to be shared; this should not be an institutionalized practice. Perhaps there are systems that are per office, but that should be handled by a secrets manager of some kind and never written down on a post-it note or in a spreadsheet! A password needs to be encrypted when being transferred, or that kind of negates the security of it.

USER NAME SHARING!!! I mean, I don't even know where to start with this. There is no legitimate reason for this to happen. If for some reason user control is by office and not by individual user, this again should be handled with a secrets manager that is in turn managed by a member of the IT department, if not security.

G Suite not secured. I was able to access not only the company wiki but also the parts of the services that had patient information from my personal computers, cellphone and open networks.

Inability to transfer medical records electronically. I mentioned this a bit earlier, but it seems like a massive oversight for a company that wants to be considered cutting edge. There was an efax with an efax queue. I was told to email PHI with my company G Suite email; while email is considered to be HIPAA compliant, being able to access my company Gmail from wherever is an issue. I, or anyone who has access to the computer or phone I'm logged into, now has access to the PHI that I sent via email. No disc drives, so no ability to process patient data in the form of DVD or CD; most imaging data (CT, MRI, X-ray) is stored on DVD and occasionally CD. This too poses a security risk for getting records from patients. This is again why I recommend a department dedicated to medical records, as having disc drives in the office poses the same security risk as outlined in the section about USBs.

No privacy screens. Depending on the placement of the desks, the screen may be viewable from. It's a negligible expense; I would recommend this for the monitors in the provider rooms as well.

Computers left unlocked with patients/clients. If the workstation is unattended it needs to automatically lock, or a lock shortcut key needs to be part of the workflow. The offices are supposed to be staffed so that 2 individuals are at the front desk; due to staffing issues this isn't always the case. All it takes is one curious patient to violate HIPAA. This is even more of a concern from a provider perspective, as providers have the ability to edit and create medical records.

No consistency with identity verification over the phone: call and say a name and birthdate, and you have access to a user's full medical records. Identity needs to be verified more consistently, ideally with an address or phone number as well. The phone lines were not integrated with the computer system at the time I was investigating this. From my understanding, most phone farms have the system integrated to pull up the user data associated with the inbound phone number. This would not only save time from an administrative perspective but would also help confirm the person calling is who they say they are. I saw numerous examples of someone attempting to access medical records without the legally required written consent to do so. Not only is this a violation of HIPAA, but it potentially puts the exposed patient at risk. There is a reason that PHI (Protected Health Information) is protected.

Credit card information stored unencrypted, accessible by any administrative staff. In combination with a billing address stored on file, it seems like a really easy way for a disgruntled employee to get away with a lot of credit card fraud. Credit card information should always be stored encrypted and should not be accessible unless it is needed to make a payment.
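The pattern that satisfies "not accessible unless it is needed to make a payment" is to keep the full card number out of the billing record altogether: the billing table holds an opaque token and the last four digits, and only the payment path can exchange the token for the number. The following is an added example, not the company's code; the role names are constructed, and the vault is assumed to be encrypted at rest and reachable only by the payment service, which is the layer that provides the encryption the text asks for.

```python
import secrets
from dataclasses import dataclass
from typing import Dict

# Constructed roles for the example (assumption; a real system maps these from its IAM).
ROLE_FRONT_DESK = "front_desk"
ROLE_PAYMENT_SERVICE = "payment_service"


class AccessDenied(PermissionError):
    pass


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects typos before anything is stored."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class CardOnFile:
    """What the billing table keeps: an opaque token plus enough for staff to recognise the card."""
    token: str
    last4: str


class CardVault:
    """Holds full card numbers keyed by random token, apart from the billing records.

    Assumptions for the example: this store is encrypted at rest and is reachable only
    by the payment service, never by front-desk workstations.
    """

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> CardOnFile:
        digits = pan.replace(" ", "").replace("-", "")
        if not (digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)):
            raise ValueError("not a plausible card number")
        token = secrets.token_urlsafe(24)  # unguessable and carries no card information
        self._pan_by_token[token] = digits
        return CardOnFile(token=token, last4=digits[-4:])

    def detokenize(self, token: str, role: str) -> str:
        """Release the full number only to the payment path; every other role is refused."""
        if role != ROLE_PAYMENT_SERVICE:
            raise AccessDenied(f"role {role!r} may not read full card numbers")
        return self._pan_by_token[token]


def display_for_staff(card: CardOnFile) -> str:
    """The only form administrative staff ever see."""
    return "**** **** **** " + card.last4


if __name__ == "__main__":
    vault = CardVault()
    card = vault.tokenize("4111 1111 1111 1111")  # commonly used test card number
    print("billing table sees:", display_for_staff(card))
    try:
        vault.detokenize(card.token, ROLE_FRONT_DESK)
    except AccessDenied as exc:
        print("front desk:", exc)
    print("payment service gets the number to charge:", vault.detokenize(card.token, ROLE_PAYMENT_SERVICE))
```

With this split, a disgruntled employee with front-desk access to the billing address and the billing table still has nothing to commit fraud with: the token is useless outside the vault, and the vault refuses their role.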

Flowers delivered to my workstation by the delivery person. Who was the delivery person? An actual delivery person? A stalker I talked to on the phone? A delivery in the office should not go to the person's workstation; it must go to the break room or front desk.

Administrative assistant staff not trained in user control / validation, meaning if someone called with an issue about logging into their account or needing assistance with using the app, the staff were not able to assist. Client password resets were not done using a link sent to email; the password was usually set to something like love1234 and did not require an update by the user. My suggestion is that there be video tutorials online or that administrative staff be specifically trained on helping clients access their accounts.
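The reset flow the text recommends, as an added example that is not the company's code: a single-use, expiring token goes into the emailed link, only its hash is stored server-side, a weak choice such as love1234 is refused, and any password a staff member sets by hand is flagged so the user is forced to change it. The 15-minute lifetime, the 12-character minimum and the denylist are constructed policy assumptions.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

RESET_TTL_SECONDS = 15 * 60   # emailed link is valid for 15 minutes (assumed policy)
MIN_PASSWORD_LENGTH = 12      # assumed policy
# Constructed denylist for the example; a real deployment checks a breached-password list.
WEAK_PASSWORDS = {"love1234", "password", "12345678", "welcome1"}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; returns 'salthex$hashhex' for storage."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored: str, password: str) -> bool:
    salt_hex, _ = stored.split("$", 1)
    return secrets.compare_digest(stored, hash_password(password, bytes.fromhex(salt_hex)))


def acceptable_password(password: str) -> bool:
    return len(password) >= MIN_PASSWORD_LENGTH and password.lower() not in WEAK_PASSWORDS


@dataclass
class UserRecord:
    password_hash: str
    must_change_password: bool = False


class PasswordResetService:
    def __init__(self) -> None:
        self.users: Dict[str, UserRecord] = {}
        # token hash -> (user id, expiry). Only the hash is kept, so a copy of this
        # table does not yield usable reset links.
        self._pending: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _token_hash(raw: str) -> str:
        return hashlib.sha256(raw.encode()).hexdigest()

    def request_reset(self, user_id: str, now: Optional[float] = None) -> str:
        """Create a single-use reset token; the raw value goes into the emailed link only."""
        now = time.time() if now is None else now
        raw = secrets.token_urlsafe(32)
        self._pending[self._token_hash(raw)] = (user_id, now + RESET_TTL_SECONDS)
        return raw

    def redeem(self, raw: str, new_password: str, now: Optional[float] = None) -> bool:
        """Consume the token and let the user set their own password. True on success."""
        now = time.time() if now is None else now
        key = self._token_hash(raw)
        entry = self._pending.get(key)
        if entry is None:
            return False
        user_id, expires_at = entry
        if now > expires_at:
            del self._pending[key]   # expired: discard it
            return False
        if not acceptable_password(new_password):
            return False             # token stays valid so the user can pick a stronger one
        del self._pending[key]       # single use: consumed before the change is applied
        user = self.users[user_id]
        user.password_hash = hash_password(new_password)
        user.must_change_password = False
        return True

    def helpdesk_set_temporary(self, user_id: str, temporary_password: str) -> None:
        """If staff must set a password by hand, flag it so the next login forces a change."""
        user = self.users[user_id]
        user.password_hash = hash_password(temporary_password)
        user.must_change_password = True
```

The order inside `redeem` is deliberate: the token is deleted before the new hash is written, so a second request with the same link can never succeed, and a rejected weak password does not burn the link.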

Database inputs not sanitized! This is a no-brainer: if your app breaks from a semicolon in the input, say from the address you were told to manually input into the database, it is not ready to be used! The same goes for input validation errors being bypassed by using the browser's inspect tool. Addresses were not validated either.
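The two defects in this paragraph have one fix each: bind values as query parameters so the database never parses them as SQL, and validate on the server so that editing the form in the inspect tool changes nothing. The example below is added here and is not the company's code; the table schema and the address rules (two-letter state, 5-digit or ZIP+4 code) are constructed assumptions. The unsafe function is kept beside the safe one to show the failure the text describes: punctuation in an ordinary street name is enough to break it.

```python
import re
import sqlite3
from typing import Optional

ZIP_RE = re.compile(r"^\d{5}(?:-\d{4})?$")
STATE_RE = re.compile(r"^[A-Z]{2}$")


def open_db() -> sqlite3.Connection:
    """In-memory database with a constructed address table (schema is an assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patient_address ("
        " id INTEGER PRIMARY KEY, patient_id TEXT NOT NULL,"
        " street TEXT NOT NULL, city TEXT NOT NULL, state TEXT NOT NULL, zip TEXT NOT NULL)"
    )
    return conn


def validate_address(street: str, city: str, state: str, zip_code: str) -> None:
    """Server-side checks. These run no matter what the browser form enforced,
    so editing the page in the inspect tool cannot skip them."""
    if not 1 <= len(street.strip()) <= 120:
        raise ValueError("street must be 1-120 characters")
    if not 1 <= len(city.strip()) <= 60:
        raise ValueError("city must be 1-60 characters")
    if not STATE_RE.match(state):
        raise ValueError("state must be a two-letter code")
    if not ZIP_RE.match(zip_code):
        raise ValueError("zip must be 5 digits or ZIP+4")


def insert_address_unsafe(conn, patient_id, street, city, state, zip_code) -> int:
    """The broken pattern: values spliced into the SQL text. An apostrophe in a street
    name breaks the statement, and a crafted value can change what the statement does."""
    sql = (
        "INSERT INTO patient_address (patient_id, street, city, state, zip) "
        f"VALUES ('{patient_id}', '{street}', '{city}', '{state}', '{zip_code}')"
    )
    cur = conn.execute(sql)
    conn.commit()
    return cur.lastrowid


def insert_address_safe(conn, patient_id, street, city, state, zip_code) -> int:
    """Validate, then bind the values as parameters; the database treats them as data only."""
    validate_address(street, city, state, zip_code)
    cur = conn.execute(
        "INSERT INTO patient_address (patient_id, street, city, state, zip) VALUES (?, ?, ?, ?, ?)",
        (patient_id, street.strip(), city.strip(), state, zip_code),
    )
    conn.commit()
    return cur.lastrowid


def get_street(conn, row_id: int) -> Optional[str]:
    row = conn.execute("SELECT street FROM patient_address WHERE id = ?", (row_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = open_db()
    tricky = "12 O'Brien Way; Apt 2"   # constructed: apostrophe and semicolon in one value
    print("safe insert stored:", get_street(conn, insert_address_safe(conn, "p1", tricky, "San Francisco", "CA", "94110")))
    try:
        insert_address_unsafe(conn, "p1", tricky, "San Francisco", "CA", "94110")
    except sqlite3.OperationalError as exc:
        print("unsafe insert failed:", exc)
```

Parameter binding is what makes the semicolon and apostrophe harmless; the validation layer is separate and exists because client-side checks are advisory at best.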

Administrative staff not trained on preventing social engineering, causing HIPAA violations.

No digital medical records release. This again is a compliance issue, and an easy way to get access to records when social engineering isn't something staff are trained against.

Credit where credit is due: while I was employed there, they did implement 2 things I would recommend for all organizations: a password manager and 2FA.

In addition to the security flaws I observed, the following is an outline of my suggestions regarding sex and gender compliance within the EMR system.

Initially the company reached out to me as they needed expertise in compliance regarding transgender-related care. Rumor had it their contract with a FAANG for on-campus offices relied on their supposed transgender care team.

As you should know, all US citizens can legally have an X gender marker, as opposed to only F or M, on their passport. Many EMRs, such as Quanum, do not support this, causing issues with direct patient care, something I have personally experienced. Many states, including California, had the option of an X gender marker on a state ID or driver's license prior to the US passport, so choosing not to support this in a system, or claiming your database relies on having F or M, is willfully ignorant and just bad database design.

Sex and gender are legal categories, and there are many cases where a person may not have full alignment between their identity and their identifying documents. This is a problem many transgender and intersex individuals face, but it could happen to anyone due to a bureaucratic error. Legal sex and gender documentation includes Social Security, state ID or driver's license, birth certificate and passport. Some other documents, such as marriage or domestic partner documents, may include legal sex or gender but are not to be used to determine the sex or gender of an individual.

Contrary to popular belief, the sex or gender marker with an insurance company is not a legal standard. Despite sex and gender being a legal classification, there is no standard by which insurance must comply. Depending on the individual insurance company, the sex or gender marker may control what is or is not covered. This causes issues with medical issues being documented consistently and can cause erroneous rejections of valid insurance claims.

Bottom line: having a medical system that does not support transgender and intersex individuals is a legal compliance issue. Your system is between one and four nines from a high availability perspective, and that's not really a good look when the client is actual people.

It is up to your organization to decide what legal standard you would like to use for sex and gender documentation. It is imperative that you are clear in your documentation standards about what it means when sex or gender is an item in your database. Pronouns, sex and gender are not the same thing and cannot be used interchangeably.
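A schema that follows the recommendations in the preceding paragraphs about legal documents, the X marker, and keeping pronouns, sex and gender as distinct items, as an added example and not the company's EMR schema. The table layout is a constructed assumption; what it encodes is the page's point: the legal marker is stored per document because documents can disagree, the allowed values include X, and gender identity and pronouns are separate self-described fields rather than something derived from a marker.

```python
import sqlite3
from typing import Dict


def open_schema() -> sqlite3.Connection:
    """Constructed schema (assumption for the example, not the company's EMR tables)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        -- What the patient states about themselves; never derived from a document.
        CREATE TABLE patient (
            id INTEGER PRIMARY KEY,
            name TEXT NOT NULL,
            gender_identity TEXT,   -- self-described; documented meaning: how the patient identifies
            pronouns TEXT           -- e.g. 'she/her'; its own field, not inferred from sex or gender
        );
        -- One legal marker per document, because the documents can disagree with each other.
        -- Only the documents the text lists as legal sources are accepted; insurance records are not.
        CREATE TABLE legal_sex_marker (
            patient_id INTEGER NOT NULL REFERENCES patient(id),
            document TEXT NOT NULL
                CHECK (document IN ('social_security', 'state_id', 'birth_certificate', 'passport')),
            marker TEXT NOT NULL CHECK (marker IN ('F', 'M', 'X')),
            PRIMARY KEY (patient_id, document)
        );
        """
    )
    return conn


def add_patient(conn, name: str, gender_identity: str = None, pronouns: str = None) -> int:
    cur = conn.execute(
        "INSERT INTO patient (name, gender_identity, pronouns) VALUES (?, ?, ?)",
        (name, gender_identity, pronouns),
    )
    conn.commit()
    return cur.lastrowid


def record_marker(conn, patient_id: int, document: str, marker: str) -> None:
    """Record the marker shown on one document; the CHECK constraints reject anything else."""
    conn.execute(
        "INSERT OR REPLACE INTO legal_sex_marker (patient_id, document, marker) VALUES (?, ?, ?)",
        (patient_id, document, marker),
    )
    conn.commit()


def markers_for(conn, patient_id: int) -> Dict[str, str]:
    rows = conn.execute(
        "SELECT document, marker FROM legal_sex_marker WHERE patient_id = ?", (patient_id,)
    ).fetchall()
    return {document: marker for document, marker in rows}


def documents_agree(conn, patient_id: int) -> bool:
    """False when the patient's documents carry different markers. The text notes this can
    happen to anyone after a bureaucratic error, so the record is flagged for review rather
    than collapsed to a single guessed value."""
    return len(set(markers_for(conn, patient_id).values())) <= 1


if __name__ == "__main__":
    conn = open_schema()
    pid = add_patient(conn, "A. Example", gender_identity="nonbinary", pronouns="they/them")  # constructed
    record_marker(conn, pid, "passport", "X")
    record_marker(conn, pid, "state_id", "F")
    print(markers_for(conn, pid), "agree:", documents_agree(conn, pid))
```

The constraint that refuses any value outside F, M and X is the database-level answer to "our database relies on having F or M": the column accepts the marker the passport actually carries, and the per-document rows mean a mismatch between documents is recorded as a fact instead of silently overwritten.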