While the largest volume of files was stored in the server of a Russian health center, the largest number of unsecure servers 819 were located in the United States, says David Sygula, senior cybersecurity analyst at CybelAngel.
These exposed servers are totally widespread, he says. There are some countries that are more secure than others. [While] we saw some smaller servers that were eye doctors, . some of the biggest ones belong to medical centers.
The research underscores that storage servers and cloud storage services continue to suffer from misconfiguration problems that expose them to data leaks and breaches. While the healthcare industry has seen its share of data breaches such as tens of millions of records stolen from medical debt collector American Medical Collection Agency (AMCA) in 2019 the threat of ransomware attack eclipsed run-of-the-mill data leaks in 2020.
Developers opinions of security and secure coding calling it a soul-withering chore and an insufferably boring procedural hinderance highlight that companies who want to harden their applications against attacks have a significant gap between those desires and getting their own developers on board, says Frank Nagle, a Harvard Business School professor and contributing author to the report analyzing the survey results. It appears that this shifting left has not fully pervaded the minds of FOSS developers, he says. Although we did not specifically ask whether developers think security is important, they likely understand that is a concern, but believe others should deal with it.
Guardsquare did not want to name and shame companies and nations that took the home-brew approach, but linking GPS location with identifying details turns a helpful healthcare application into a method of surveillance, says Grant Goodes, chief scientist at Guardsquare. As a mobile phone user, I generally only turn on my location information for mapping apps. I don t allow other apps, like shopping apps, know where I am, he says. If you combine GPS data and a passport number and send it to a server in an insecure manner, then I m very concerned.
While contact tracing has waned in importance as nations have either kept the pandemic under control or succumbed to pandemic fatigue and experienced spikes in infections, such applications could prove critical for future outbreaks. Appropriately securing the applications and guaranteeing certain levels of privacy will be key in convincing users to install the applications.