Searchers may Google your patient records
Hackers discover that search engines can help gain
unauthorized access to private patient information on Internet-based
files.
By Tyler Chin, AMNews staff. April 7, 2003.
Come ogle my patients' data.
Unwittingly, you may be rolling out the welcome mat so any hacker can
use Google, the most popular Internet search engine, to walk into your
Web-accessible system.
In March, Wired.com reported that hackers used Google as a shortcut to
infiltrate computer networks that weren't properly secured. Instead of
blindly surfing the Web for vulnerable computer networks, hackers can use
a search engine to easily identify targets. That's because many databases
use templates and canned phrases that Internet search engines pick up as
they search and index the content posted on the Web.
In one particular instance, hackers typed into Google a phrase --
"select a database to view" -- that commonly appears in databases from
FileMaker Inc. The search engine spat out more than 200 database listings.
While most of the databases were secure or contained mundane
information, a few had sensitive information that hackers were able to
access because users hadn't changed the passwords that came with the
system.
For example, the hackers accessed a database containing personal and
medical information of more than 5,000 neurosurgery patients at the Drexel
University College of Medicine in Philadelphia by typing the name of the
database product into the user ID and password fields.
Physicians should periodically check to make sure
their systems haven't reverted to the factory
security defaults.
The hackers did not alter or copy the medical school's database, which
they accessed as part of an experiment to determine whether Google could
be used as a hacking tool. Once they discovered that it could, they
alerted Wired.com, which in turn contacted the medical school.
Drexel immediately shut down the database, which hadn't been sanctioned
by the university, said spokeswoman Linda Roth. The university also
reminded all employees of its policy against unauthorized databases and
searched its network for other unsanctioned databases, Roth said.
David Krane, a spokesman for Google, said the search engine doesn't
seek private, sensitive information. But it can capture such information
when webmasters make mistakes in configuring databases or networks.
"Google, as a search engine, is a reflection of what has been published
on the Web," Krane said. "If someone notices that there's information in
the search engine that shouldn't be posted publicly, they can go online
and ask Google to remove it." Google will verify the authority
of the person making the request, then remove the information.
No surprise
Security consultants were not surprised by how easily hackers gained
access to Drexel's database.
It is standard practice for software -- and hardware -- companies to
ship products with the security default set to product names. So, if you
fail to change the factory defaults, anyone else who has the same database
can access it by merely typing the name of the database or its maker, said
Louis Carpenito, vice president of infosecurity business strategy at
Symantec Corp., Marshfield, Mass.
"I don't see this as a Google problem," Carpenito said. "The problem is
at the other end."
Physicians and others are vulnerable to hackers partly because it is so
easy for anyone to create and put a database on the Internet, said Tom
Walsh, an e-security consultant in the Overland Park, Kan., office of CTG
HealthCare Solutions.
"We have people out there dabbling in and creating databases because
it's easy and fun to do, but they aren't following the standard practices
for developing that application that institutions with information
technology departments would follow," Walsh said. "Technology
professionals think about security as part of their initial program
design. For non-computer professionals, security may be an afterthought,"
he said.
The first thing doctors should do when they buy technology products is
set up security, which includes changing the security defaults, Walsh
said. "They should ask vendors, 'Does the product come secure, or do I
have to go in and secure it myself at a later time?' " he said. "If the
latter's the case, what are the recommended security settings? Do they
have recommended security settings?"
Carpenito also recommends that doctors periodically check to make sure
that their systems haven't reverted to the factory defaults. That can
happen when the application has crashed and the vendor's help desk asks
users to reinstall it.
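One way to run the periodic check described above against your own systems, as an added example that is not part of the original article: it tests stored password hashes against defaults derived from the product, vendor and account names. The inventory, the names ExampleDB, ScanStore and Example Corp, and the PBKDF2 storage format are assumptions constructed for illustration.

```python
import hashlib
import hmac

ITERATIONS = 20_000  # kept low so the sample runs quickly; match your real setting

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256, the storage format assumed for this example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def default_candidates(product: str, vendor: str, username: str) -> set:
    """Values a factory default tends to take: blank, or a product/vendor/account name."""
    words = {product, vendor, username}
    for name in (product, vendor):
        words.update(name.split())           # "Example Corp" -> "Example", "Corp"
        words.add(name.replace(" ", ""))     # "Example Corp" -> "ExampleCorp"
    out = {""}
    for w in words:
        out.update({w, w.lower(), w.upper(), w.capitalize()})
    return out

def audit(inventory: list) -> list:
    """Return (system, account) pairs whose password is still a name-derived default."""
    findings = []
    for system in inventory:
        for acct in system["accounts"]:
            guesses = default_candidates(system["product"], system["vendor"], acct["user"])
            if any(hmac.compare_digest(hash_password(g, acct["salt"]), acct["hash"]) for g in guesses):
                findings.append((system["name"], acct["user"]))
    return findings

def make_account(user: str, password: str, salt: bytes) -> dict:
    """Build a constructed account record holding only the salt and hash."""
    return {"user": user, "salt": salt, "hash": hash_password(password, salt)}

# Constructed inventory of one's own deployments (hypothetical products and accounts).
SAMPLE_INVENTORY = [
    {"name": "clinic-db", "product": "ExampleDB", "vendor": "Example Corp",
     "accounts": [make_account("exampledb", "exampledb", b"salt-1"),
                  make_account("nurse", "T7!rq-plum-Vault", b"salt-2")]},
    {"name": "imaging", "product": "ScanStore", "vendor": "Example Corp",
     "accounts": [make_account("admin", "K4$long-unrelated-phrase", b"salt-3")]},
]

if __name__ == "__main__":
    for system, user in audit(SAMPLE_INVENTORY):
        print(f"{system}: account '{user}' still uses a factory-style default password")
```

Scheduling the audit to run after every reinstall or vendor-assisted repair covers the reversion case Carpenito describes.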
Copyright 2003 American Medical Association. All
rights reserved.