Exposing the Problem. The Exposed Storage Server

Redport Information Assurance

How many of us have gone to the doctor for a routine check-up or to the dentist to have a cavity filled? Would you expect that your medical and dental information, housed on a server at the doctor’s or dentist’s office, was protected?

As well, how often do we hear about private, medical or classified government data being open and available on a server, either for the public to access or for employees of an organization to have unlimited access to data that they don’t need? I don’t think we hear of these issues in the news that often.

However, medical facilities and State and Federal agencies have indeed stored private and classified data on unprotected storage servers that are accessible to anyone looking in the right place.

Recently, the Oklahoma Department of Securities (ODS) found that out the hard way. They discovered that they had an unprotected storage server which contained classified FBI data pertaining to sensitive FBI investigations. It was three terabytes of data, to be exact. The unprotected server was discovered by the cybersecurity research firm UpGuard. Unfortunately, no password was needed to access the data on the storage server. The storage server data included emails, names, Social Security numbers and addresses.

In July 2018, the Nashville Metro Public Health Department also discovered that it had an unprotected storage server. The server contained medical information on patients with HIV, their names, addresses, phone numbers and a plethora of other extremely private medical information that should all have been protected under the HIPAA law. The data was stored on a shared server that gave access to all the employees who worked for the Metro Public Health Department. The investigation could not provide details on whether the server had been accessed, or how many times, because the server’s audit function had not been enabled.

In 2017, Amazon had a similar issue, where the “Amazon Web Services (AWS) S3 storage server bucket was configured for public access and not for the storage of classified military documents.” The public access configuration left dozens of terabytes of highly classified data for a non-specified military program completely exposed.

Here are some tips to remember when storing data at rest (stored) or in flight (accessed and moved from one place to another):
• Use password protection
• Create a triage level of defense. If one thing goes wrong, having levels of defense (Defense-in-Depth) can isolate and protect the data.
• Use well-configured firewalls.
• Use standardized permissions which have been defined by names and departments.
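
As an added example (not Redport's code and not part of the original article), the Python below applies these tips to the S3 case described above: it flags anonymous grants, a missing second layer of defense, and disabled access logging in a bucket's settings. The `cfg` dictionary layout, the finding codes and the sample values are assumptions made for this illustration; the group URIs and Public Access Block key names are the ones AWS uses.

```python
# ACL grantee groups that mean "anyone" or "any AWS account holder".
GROUP_PREFIX = "http://acs.amazonaws.com/groups/global/"
PUBLIC_GROUPS = {GROUP_PREFIX + "AllUsers", GROUP_PREFIX + "AuthenticatedUsers"}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

def _is_wildcard(principal):
    """True if a policy Principal is "*" or names "*" as an AWS principal."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return principal == "*" or (isinstance(principal, list) and "*" in principal)

def audit_bucket(cfg):
    """Return sorted finding codes for one bucket's (already fetched) settings."""
    findings = set()
    for grant in cfg.get("acl_grants", []):
        if grant.get("Grantee", {}).get("URI") in PUBLIC_GROUPS:
            findings.add("ACL_PUBLIC_GRANT")
    stmts = cfg.get("policy", {}).get("Statement", [])
    for s in stmts if isinstance(stmts, list) else [stmts]:
        # An Allow to every principal with no Condition is anonymous access.
        if (s.get("Effect") == "Allow" and _is_wildcard(s.get("Principal"))
                and not s.get("Condition")):
            findings.add("POLICY_ANONYMOUS_ALLOW")
    pab = cfg.get("public_access_block", {})
    if not all(pab.get(k) is True for k in PAB_KEYS):
        findings.add("NO_PUBLIC_ACCESS_BLOCK")  # second layer of defense missing
    if not cfg.get("logging_enabled"):
        findings.add("NO_ACCESS_LOGGING")  # accesses could not be reconstructed later
    return sorted(findings)

# Constructed sample settings, not taken from any real bucket.
EXPOSED = {
    "acl_grants": [{"Permission": "READ", "Grantee": {
        "Type": "Group", "URI": GROUP_PREFIX + "AllUsers"}}],
    "policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]},
}
HARDENED = {
    "acl_grants": [{"Permission": "FULL_CONTROL", "Grantee": {
        "Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}}],
    "policy": {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/records-dept"},
        "Resource": "arn:aws:s3:::example-bucket/*"}]},
    "public_access_block": dict.fromkeys(PAB_KEYS, True),
    "logging_enabled": True,
}

if __name__ == "__main__":
    print(audit_bucket(EXPOSED), audit_bucket(HARDENED))
```

Wildcard statements that carry a `Condition` are not flagged here and still need manual review, since a condition can be broad enough to leave the data public.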
Redport IA, LLC’s Director of Cybersecurity Operations, Ms. Sue Gonzalez, could not stress enough how important it is for users to adhere to the above tips and tricks for avoiding an exposed storage server. Redport IA, LLC’s cybersecurity techs will ensure that your enterprise storage infrastructure is well preserved and configured correctly so this does not happen to your organization.

By Dr. Randall Sylvertooth

Sources:
https://www.csoonline.com/article/3239069/security/top-secret-government-files-stored-without-password-protection-on-amazon-server.html
https://www.tennessean.com/story/news/2018/07/11/nashville-hiv-aids-patient-database-potential-breach-middle-tennessee/738653002/

For more information about Redport’s information assurance and cyber security services, visit www.redport-ia.com, email us at info@redport-ia.com, like us on Facebook, and follow us on Twitter @redport_ia.

Gaithersburg, MD, USA