WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Intelligence Committee and co-founder of the Senate Cybersecurity Caucus, wrote to the CEO of TridentUSA Health Services today to ask about the company’s data security practices as they relate to Health Insurance Portability and Accountability Act (HIPAA) compliance. The letter comes in light of a report that MobileXUSA – an affiliate of TridentUSA Health Services – left an unencrypted server online, exposing the medical data of millions of Americans.

“It appears that the information held by MobileXUSA was made accessible due to sloppy cybersecurity practices— no software vulnerabilities were involved, and no explicit hacking was required,” wrote Sen. Warner. “While HIPAA lays out some guidelines for secure data storage and transfer, it is not always clear who bears responsibility for securing the data and ensuring the use of proper controls. However, it is certainly the responsibility of companies like yours to control and secure sensitive medical data, maintain an audit trail of medical images, and to ensure the information is not publicly accessible.”

According to recent reports, many unsecured picture archiving and communication servers (PACS) left the names, dates of birth, medical images, and medical procedures of more than one million Americans accessible to anyone with basic computer expertise. As part of the report, researchers identified 187 servers in the U.S. – including that of MobileXUSA – that were unprotected by passwords or basic security precautions.

In the letter to TridentUSA Health Services, Sen. Warner stressed the importance of protecting Americans’ privacy and personal health information. He also posed the following questions for TridentUSA Health Services:

1. HIPAA requires audit trails for PACS, which stores the data in centralized auditing databases with multiple audit layers. What audit and monitoring tools do you use to analyze the data to remain HIPAA compliant? 
2. PAC server vulnerabilities are well known, however, their use of the DICOM protocol makes them easily accessible via the Internet. DICOM also enables PACS to communicate with neighboring systems in a medical or clinical process within a network of IP-enabled devices. Does your company require neighboring systems to comply with current standards and use access management controls? 
3. What are your identity and access management controls for IP-addresses and/or port filters?
4. Do you require VPN or SSL to communicate with your PACS?
5. What is the frequency of your vulnerability scans and HIPAA-compliant audits?
6. What are your server encryption practices?
7. Do you have an internal security team or do you outsource it?

Sen. Warner has been a champion for cybersecurity throughout his career, and has been an outspoken critic of poor cybersecurity practices that have led to the compromise of Americans’ personal information. Last week, Sen. Warner demanded answers from U.S. Customs and Border Protection (CBP) and South Korean company Suprema HQ, following separate incidents that affected both entities and exposed the personal, permanently identifiable data of many Americans. He also introduced legislation earlier this year to empower state and local government to counter cyberattacks, and to increase cybersecurity among public companies.

The letter text can be found below and a PDF is available here.

Andrei Soran, CEO

TridentUSA Health Services

930 Ridgebrook Rd.

Sparks Glencoe, MD 21152

Dear Mr. Soran,

It has come to my attention that one of your affiliated companies, MobileXUSA, recently left an unencrypted server online, exposing sensitive medical images and health data of Americans. According to recent reporting, researchers found 13.7 million data sets and 303.1 million images in medical image storage systems have been freely accessible online with no authentication requirements to access or download the images.  This left the MRI’s, X-rays, and CT scans of millions of Americans exposed on the internet, not because of a breach, but simply because they were stored on 187 unprotected picture archiving and communication servers (PACS) including yours.  Additionally, along with the sensitive medical images, according to the research, your server displayed the names of more than a million patients. 

My colleagues and I in the Senate have been concerned about negligent cybersecurity practices in the health care space for a long time. Cybersecurity risks within the health care sector represent a growing threat, with 285 breaches reported between January and June of this year.  According to one report, there has been at least one healthcare-related data breach a day since 2016.  Just recently, the Senate Cybersecurity Caucus, of which I am a co-founder, convened a briefing that focused on healthcare and cybersecurity, particularly on the security of healthcare records which further highlighted the need for more robust cyber hygiene practices, and possibly additional standards.

It appears that the information held by MobileXUSA was made accessible due to sloppy cybersecurity practices— no software vulnerabilities were involved, and no explicit hacking was required. While HIPAA lays out some guidelines for secure data storage and transfer, it is not always clear who bears responsibility for securing the data and ensuring the use of proper controls. However, it is certainly the responsibility of companies like yours to control and secure sensitive medical data, maintain an audit trail of medical images, and to ensure the information is not publicly accessible.

To better understand how exactly millions of private medical scans were left open on the internet, I would appreciate your answers to the following questions:  

1. HIPAA requires audit trails for PACS, which stores the data in centralized auditing databases with multiple audit layers. What audit and monitoring tools do you use to analyze the data to remain HIPAA compliant? 
2. PAC server vulnerabilities are well known, however, their use of the DICOM protocol makes them easily accessible via the Internet. DICOM also enables PACS to communicate with neighboring systems in a medical or clinical process within a network of IP-enabled devices. Does your company require neighboring systems to comply with current standards and use access management controls? 
3. What are your identity and access management controls for IP-addresses and/or port filters?
4. Do you require VPN or SSL to communicate with your PACS?
5. What is the frequency of your vulnerability scans and HIPAA-compliant audits?
6. What are your server encryption practices?
7. Do you have an internal security team or do you outsource it?

It is critical that the privacy of the individual– including their personal health information – is appropriately protected.  I look forward to hearing your response by October 9th, 2019. Any further questions can be directed to Leisel Bogan in my office at Leisel_Bogan@warner.senate.gov

Sincerely,

###