Hackers Are Breaking into Medical Databases to Protect Patient Data

Agencies such as the NIH reward the discovery of vulnerabilities in their computer systems—before criminals can exploit them.

Oct 1, 2018
Catherine Offord
andrzej krauze

The first few times Ben Sadeghipour hacked into a computer, it was to access the video games on his older brother’s desktop. “He would usually have a password on his computer, and I would try and guess his password,” Sadeghipour tells The Scientist. Sometimes he’d guess right. Other times, he wouldn’t. “So I got into learning about how to get into computers that were password protected,” he says. “At the time, I had no clue that what I was doing was considered hacking.”

The skills he picked up back then would become unexpectedly useful later in life. Sadeghipour now breaks into other people’s computer systems as a profession. He is one of thousands of so-called ethical hackers working for HackerOne, a company that provides services to institutions and businesses looking to test the security of their systems and identify vulnerabilities before criminals do.

Although HackerOne has already landed contracts with hundreds of companies—its clients include Yahoo and Airbnb—since its founding in 2012, it attracted particular attention in the health industry earlier this year thanks to a deal with the National Institutes of Health (NIH). The agency’s All of Us program, which aims to collect genetic and health data from 1 million people in the US to spur research in human biology and medicine, started enrolling volunteers in May. Although the database is still in development—researchers may be able to access the data as early as spring 2019—the program’s launch immediately prompted questions about privacy risks.

By their nature, personal health records offer easy routes to identity theft, ransom demands, or the illegal sale of medical information—and attacks are on the rise. In the summer of 2014, 1.3 million patients with health data stored by Montana’s Department of Public Health and Human Services were notified of a database breach. This past summer, Singapore announced that an attack on its central health system had compromised the data of 1.5 million people.

HackerOne’s approach to minimizing this risk is to deploy experts such as Sadeghipour to find vulnerabilities in the system before anyone else does. From a client’s perspective, “working with ethical hackers basically helps you improve your security capabilities by augmenting your existing processes with a wider pool of talent,” explains Adam Bacchus, director of program operations at HackerOne. “It acts almost like a neighborhood watch that helps you find and fix bugs before criminals can actually exploit them.” HackerOne won’t disclose which hackers are taking part in the All of Us project and does not allow its hackers to talk openly about projects they are working on.

You pound your head on the table and say, “My goodness, we should have caught that.”

—Kermit Littlefield, NIH

The NIH offers bounties—monetary rewards ranging from a few hundred to a few thousand dollars—for each vulnerability that any hacker in a group approved by HackerOne can find in the initial version of its All of Us database. Those discoveries complement the constant monitoring and security testing that the NIH is already running on a daily basis, explains Kermit Littlefield, information systems security officer for the All of Us program. “We take very seriously the trust our participants place in us,” he says. “This was just another way to ensure we’re safeguarding the data.”

Sadeghipour notes that there are some typical approaches to looking for holes. “It all comes down to understanding the application,” he says. Working out how different parts of a site share data, manage logins, and let users navigate around offers insights into how to trick a server into granting access to someone it shouldn’t, he explains. Many hackers speed through such tests with the help of customized software that can run scans and automate attacks on websites. During the projects he’s worked on, “there have been times where I have found people’s addresses, phone numbers, emails,” Sadeghipour says. “There’ve been times where I’ve got complete access to a company’s server or website.”

On finding such a vulnerability, a hacker submits a report explaining what he did via HackerOne, and the client’s security team works on fixing the problem. The NIH’s Littlefield tells The Scientist that, “in general, 95 percent [of cases] you pound your head on the table and say, ‘My goodness, we should have caught that.’ They’re straightforward fixes.” Low-level issues of this sort could include server misconfigurations that lead to a leak of information that isn’t particularly sensitive, but that a company wouldn’t necessarily want to be available on the internet, Bacchus explains. Littlefield would not discuss specific weaknesses regarding the All of Us database.

Occasionally, though, bugs can be more serious, offering a hacker the ability to download private data with a few tricks. A find like that could fetch a bounty of around $2,000, Littlefield says. It’s enough for a hacker to make a living—some reportedly make more than $200,000 a year chasing bounties—and the industry is experiencing a boost in popularity, with hackers such as Sadeghipour even creating programs to train new recruits and expand the community. But, as everyone working in data security emphasizes, ethical hacking is ultimately just an extra layer of protection. “No database is perfectly secure,” says Michael Szego, a clinical ethicist at the University of Toronto. “You can do the best that you can, but there will always be people trying to get in these things.”

For some companies and organizations, the data privacy solution consequently lies elsewhere. Some startups are now seeking to drastically reduce health databases’ hackability by incorporating blockchain—a technology originally implemented to keep track of the cryptocurrency bitcoin—to produce a supposedly fraud-proof record of every time a database is accessed (see “Data Rush,” here). Other efforts, such as the Personal Genome Project, are doing away with privacy altogether. “We actually make the data publicly available,” explains Szego: the Canadian branch of the project, with which he is affiliated, recently published an analysis of its first 56 genomes. Participants provide informed consent to share their data online after reviewing their health and genetic records with a specialist, he explains. “We don’t make any claims that our data will be secure.”