<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>“Special Commando Move” - When Informal, Formal and Technical Cybersecurity Components Fail</article-title>
      </title-group>
      <contrib-group>
        <aff id="aff0">
          <label>0</label>
          <institution>Cybercom Secure</institution>
          ,
          <addr-line>P.O. Box 7574, 103 93 Stockholm</addr-line>
          ,
          <country country="SE">Sweden</country>
        </aff>
        <aff id="aff1">
          <label>1</label>
          <institution>Department of Computer and Systems Sciences, Stockholm University</institution>
          ,
          <addr-line>106 91 Stockholm</addr-line>
          ,
          <country country="SE">Sweden</country>
        </aff>
      </contrib-group>
      <fpage>0000</fpage>
      <lpage>0003</lpage>
      <abstract>
        <p>In February 2019, 2.7 million phone calls to Swedish healthcare provider 1177 Vårdguiden were discovered to have been exposed online. In this paper, we posit that incidents like the 1177 case can be explained through a sociotechnical model of informal, formal and technical domains where cybersecurity has failed. In the paper, we outline the events of the 1177 leak, we show how informal, formal and technical components of cybersecurity failed, and how the model could be used before, during and after incidents.</p>
      </abstract>
      <kwd-group>
        <kwd>socio-technical cybersecurity</kwd>
        <kwd>healthcare</kwd>
        <kwd>data breach</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>Introduction</title>
      <p>With the increasing digitization and shift to e-government services, instances where
personal data are processed are multiplying. Such processing needs to be lawful and
secure, maintaining the confidentiality, integrity and availability of the information, for
citizens to trust the services provided. The cybersecurity of the providers of such
services is at the center of maintaining that trust.</p>
      <p>
        One socio-technical model, based on the work of
        <xref ref-type="bibr" rid="ref5">Stamper et al. (1991)</xref>
        and explained
in
        <xref ref-type="bibr" rid="ref1">Björck and Yngström (2001)</xref>
        , classifies the domains of cybersecurity as formal,
informal and technical. The informal domain includes organizational culture,
organizational politics, interpersonal relations, etc. This domain contains human
behavior and the human ideas relating to it. The formal domain of cybersecurity
includes legal frameworks, organizational policies, standards, etc. These are usually
written rules to align the behavior of humans in information systems. The technical domain
includes the technical objects, or ideas, theories and models relating to these. In this
position paper, we discuss how informal, formal and technical domain components all
play essential parts in having a high level of cybersecurity. We believe that when IT
incidents occur, we can identify failures in the model domains. As exemplified in the
case we outline below, we believe that the reasons why a given incident occurs are
usually to be found in more than one of the domains.
      </p>
      <p>The paper is structured as follows: Section 2 provides a short healthcare background
and outlines the 1177 case. Section 3 applies the model to the case. Section 4 concludes
and presents future research.</p>
    </sec>
    <sec id="sec-2">
      <title>The case</title>
      <sec id="sec-2-1">
        <title>Healthcare</title>
        <p>The case we look at in this paper comes from the healthcare industry in Sweden.
Healthcare is one of seven essential services identified in the NIS Directive as an area
where the European Union member states shall work together towards increasing the
security of network and information systems.</p>
        <p>Healthcare in Sweden is free, and the 10 million citizens have a healthcare hotline
as first line triage. They call 1177 if they need to discuss their health problems with a
nurse and to get advice on whether they need to see a doctor or not. These phone calls
are recorded and stored, forming part of the electronic medical records.</p>
        <p>The 1177 case is an incident where 2.7 million recorded healthcare related phone
calls leaked online while being stored on a network attached storage device at a
subcontractor.</p>
        <p>
          When
          <xref ref-type="bibr" rid="ref6">van Deursen, Buchanan &amp; Duff (2013)</xref>
          asked a panel of information security
professionals in the healthcare industry to rate different socio-technical risk scenarios
to assess risks in healthcare, the outsourcing scenario with subcontractors and third
parties did not rank among the top risks.
        </p>
      </sec>
      <sec id="sec-2-2">
        <title>Exposure revealed</title>
        <p>
          On February 18, 2019, the Swedish IT newspaper “Computer Sweden” published a
story where they showed that 2.7 million recorded healthcare phone calls were leaked
online
          <xref ref-type="bibr" rid="ref2">(Dobos, 2019)</xref>
          . Anyone could enter the URL and – without providing any
password – directly listen to the recorded phone calls. Some of the wave-files were named
by the telephone number of the caller, many of the recordings included unique personal
ID numbers and names identifying the callers, and all calls contained sensitive personal
data about the caller’s health issues.
        </p>
        <p>The server was taken offline before the story was published so there would be no
risk that readers would start to download the available phone calls.</p>
      </sec>
      <sec id="sec-2-3">
        <title>Reactions</title>
        <p>
          The data breach mainly involved three regions using “Healthhelp”1, which in turn used
“Healthcall”, which used a cloud-based call center solution provided by “Noise
Integrate”. In the first few days, the CEO of “Noise Integrate” was interviewed in Dagens
Nyheter
          <xref ref-type="bibr" rid="ref4">(Söderberg, 2019)</xref>
          and commented:
        </p>
        <p>“This server is a so-called network-attached storage, NAS... You could say it is
an internal hard drive which is not password protected since you can only reach it
through the computer to which it is connected... We don't know when it happened,
but probably during patching ... someone simply connected an internet cable to the
hard drive. Then it got an IP address... Regular people can't do it, but those with
skills could perform a special commando move and sneak in through the back door...
We do monitor our equipment for intrusions and so on... But this was like a personal
home hard drive, you don't monitor that for intrusions, since you cannot access it...
For some reason it got its own little cable to the internet. It would not have mattered
if you did not know the server had this problem, but Computer Sweden found out....
These kinds of incidents happen because you have a lot of people around, not
because someone deliberately is messing with you… We need to review our routines
…We have checklists for all other systems, but not for this hard drive. Someone
probably thought it too basic.”2</p>
      </sec>
      <sec id="sec-2-4">
        <title>Legal consequences</title>
        <p>In the first two days after the initial publication, “Healthhelp”, “Healthcall” and “Noise
Integrate” acknowledged the leak and said that it was a mistake due to human
factors. On the third day they changed the language on their web pages and, instead of
“leak”, started to talk about dataintrång (English: unauthorized data access). In line
with this, they filed a police report against the journalist and the editor-in-chief at the
newspaper that broke the story, claiming they had committed the crime of dataintrång.</p>
        <p>A week after the incident, on February 27, the Swedish Police and the Swedish
Prosecution Authority started to investigate whether “Healthhelp” may have committed a crime
against healthcare “professional secrecy” by putting the records online. In parallel,
there is an investigation by the Swedish Data Protection Authority into whether there has been a
GDPR breach, and an investigation by Region Stockholm into whether their agreements
with “Healthhelp” were specific enough with regard to security requirements. These
four investigations are still ongoing at the time of writing.</p>
        <p>1 For the purposes of this paper, the names of the companies involved have been changed in the
main body of the paper.</p>
        <p>2 Translations from Swedish to English by the authors; all errors are our own.</p>
      </sec>
      <sec id="sec-2-5">
        <title>Cybersecurity</title>
        <p>There were several technical components involved in this case.</p>
        <p>First, we look at the server containing 170,000 hours of recorded sensitive calls,
which was put online without any protection. Search engines like Shodan, ZoomEye
and others have indexed the server, which is an Ubuntu Linux server that has been
running since 2013. “Noise Integrate” have said that the hardware is a small network
attached storage device, NAS. In 2013, “Noise Integrate” installed OwnCloud, a file sharing
application, and added a favicon, indicating a possible web server experiment. In 2015,
a web interface for administration of the NAS was downloaded and unzipped. In 2016,
the folder HTML was last changed, indicating a possible web server. Folders containing
the phone calls, synced here from the call center software, were added in 2017. On the day
the leak was published, the server was running Apache 2.4.7, with 23 known vulnerabilities,
not updated in the past five years.</p>
        <p>Next, we look at the network situation. The server has a static IP address,
188.92.248.19, and the firewall is open for traffic to that IP on port 443 (the port that
was used to access the recorded phone calls). There are DNS entries for nas.applion.se
and nas.voiceintegrate.se.</p>
        <p>After the breach was revealed, “Noise Integrate” looked at the web server access log.
They claim logs are missing for the years 2016 to 2018, and that all accesses logged
were made between February 15 and 18, 2019.</p>
        <p>The media reported that, since only 55 phone calls were downloaded, the risk is
basically over. However, there has been no mention of other logs, or of other ways of getting
the phone calls out of the server, such as rsync, scp, ftp or WebDAV.</p>
        <p>That the server had multiple severe vulnerabilities, and was quite possibly breached several
times over the years, has also not been discussed.</p>
        <p>The fact that search engines, like Shodan and the Chinese ZoomEye, have indexed the
server and therefore have had access to the data has not been mentioned in the media.</p>
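        <p>As an added example (not code from the paper or from any of the companies involved), the following Python script shows how a web server access log can be used to scope an exposure of this kind, rather than to declare it over. It parses Apache combined-format lines, reports which recording files were actually served and to which clients, and lists periods for which the log has no coverage at all. The log format, the /recordings/ path, the .wav suffix, the 2013 online date and every sample line are constructed assumptions for illustration, not data from the 1177 case.</p>

```python
"""Scoping an exposure from an Apache access log: added example, not from the paper.

Constructed assumptions: the server logs in Apache "combined" format, recordings are
served as .wav files under /recordings/, and the box has been online since 2013.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Groups: 1 client host, 2 timestamp, 3 method, 4 path, 5 status, 6 response bytes.
LOG_RE = re.compile(
    r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\d+|-)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Date the server is believed to have gone online (assumption, see module docstring).
ONLINE_SINCE = datetime(2013, 1, 1, tzinfo=timezone.utc)

# Constructed sample lines; the addresses are documentation ranges, not real clients.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Feb/2019:10:02:11 +0100] "GET /recordings/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Feb/2019:10:02:40 +0100] "GET /recordings/0701234567.wav HTTP/1.1" 200 884211 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Feb/2019:10:03:02 +0100] "GET /recordings/0701234567.wav HTTP/1.1" 200 884211 "-" "Mozilla/5.0"
198.51.100.23 - - [16/Feb/2019:22:15:09 +0100] "GET /recordings/call-2017-05-01.wav HTTP/1.1" 206 65536 "-" "curl/7.64.0"
198.51.100.23 - - [16/Feb/2019:22:15:10 +0100] "GET /recordings/call-2017-05-02.wav HTTP/1.1" 200 734002 "-" "curl/7.64.0"
192.0.2.50 - - [18/Feb/2019:08:00:00 +0100] "GET /robots.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"
this line is not in combined format and is skipped
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host, stamp, method, path, status, size = m.groups()
        records.append({
            "host": host,
            "time": datetime.strptime(stamp, TIME_FMT),
            "method": method,
            "path": path,
            "status": int(status),
            "size": 0 if size == "-" else int(size),
        })
    return records


def summarize_downloads(records, suffix=".wav"):
    """Which recordings were actually served over HTTP, to whom, and how much data.

    Both 200 and 206 count: download tools fetch large files with range requests,
    and a 206 still means recording content left the server."""
    files = set()
    per_client = Counter()
    bytes_served = 0
    for rec in records:
        if rec["method"] != "GET" or rec["status"] not in (200, 206):
            continue
        if not rec["path"].endswith(suffix):
            continue
        files.add(rec["path"])
        per_client[rec["host"]] += 1
        bytes_served += rec["size"]
    return {
        "distinct_files": sorted(files),
        "requests_per_client": dict(per_client),
        "bytes_served": bytes_served,
    }


def coverage_gaps(records, online_since=ONLINE_SINCE, max_gap=timedelta(days=30)):
    """Periods longer than max_gap, between online_since and the last entry, in which
    the log records nothing. Such a period cannot be declared safe from the log."""
    gaps = []
    prev = online_since
    for t in sorted(r["time"] for r in records):
        if t - prev > max_gap:
            gaps.append((prev, t))
        prev = t
    return gaps


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    summary = summarize_downloads(recs)
    print("recordings served:", len(summary["distinct_files"]))
    print("requests per client:", summary["requests_per_client"])
    print("bytes served:", summary["bytes_served"])
    for start, end in coverage_gaps(recs):
        print("no log coverage from", start.date(), "to", end.date())
```

        <p>On the constructed sample the script reports three distinct recordings served to two clients and a single coverage gap running from the assumed 2013 online date to the first logged request in February 2019. A coverage gap means the log cannot rule out access during that period, not that nothing happened; and because the analysis only sees HTTP, it says nothing about transfers over rsync, scp, ftp or WebDAV, which would have to be scoped from their own logs.</p>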
      </sec>
      <sec id="sec-2-6">
        <title>Swedish government reaction</title>
        <p>
          On March 1, the minister for Health and Social Affairs, Lena Hallengren, reported that
the risk is over, and everyone can now safely call 1177 again!
          <xref ref-type="bibr" rid="ref3">(Regeringskansliet, 2019)</xref>
          Meanwhile, the cloud-based call center system of “Noise Integrate”
(a Linux/Asterisk-based VoIP solution) has not been reported to have been verified for security, and at
the time of writing “Healthcall” still takes calls in Thailand.
        </p>
      </sec>
    </sec>
    <sec id="sec-3">
      <title>Application of model</title>
      <p>From what is publicly known about the 1177 case, we can identify failures in all three
of the cybersecurity domains outlined in Section 1: informal, formal and technical.
The domains are enumerated and exemplified below.</p>
      <sec id="sec-3-1">
        <title>Informal</title>
        <p>Examples of failures linked to the informal domain of human behavior:</p>
        <list list-type="roman-lower">
          <list-item>
            <p>Awareness: Someone at “Noise Integrate” connected the Network Attached
Storage device to the Internet.</p>
          </list-item>
          <list-item>
            <p>Culture: Someone at “Noise Integrate” excluded the NAS from intrusion
monitoring and checklists as it was deemed too basic.</p>
          </list-item>
          <list-item>
            <p>Arrogance: The CEO of “Noise Integrate” believed only highly skilled
hackers could find the server’s open port.</p>
          </list-item>
        </list>
      </sec>
      <sec id="sec-3-2">
        <title>Formal</title>
        <p>Examples of failures linked to the formal domain of regulating human behavior:</p>
        <list list-type="roman-lower">
          <list-item>
            <p>Governance: “Noise Integrate” did not have management systems that
prevented the storage unit from being attached to the internet.</p>
          </list-item>
          <list-item>
            <p>Procurement: The Regions did not perform security audits at the
subcontractors as part of the procurement procedure.</p>
          </list-item>
          <list-item>
            <p>Legal compliance: “Noise Integrate” did not comply with the GDPR, for
example the Privacy by Design requirement.</p>
          </list-item>
        </list>
      </sec>
      <sec id="sec-3-3">
        <title>Technical</title>
        <p>Examples of failures linked to the technical domain of technical artefacts:</p>
        <list list-type="roman-lower">
          <list-item>
            <p>Security set-up: The entire architecture at “Noise Integrate”.</p>
          </list-item>
          <list-item>
            <p>Patching: The server had several known vulnerabilities and had not been
updated in five years.</p>
          </list-item>
          <list-item>
            <p>Configuration: The server had DNS entries.</p>
          </list-item>
        </list>
      </sec>
    </sec>
    <sec id="sec-4">
      <title>Concluding remarks and future work</title>
      <p>It is our position that this socio-technical cybersecurity model is valuable before, during
and after an incident.</p>
      <p>Before: by considering informal, formal and technical domains equally when
designing controls for cybersecurity.</p>
      <p>During: by identifying in which domain(s) the incident is occurring, to provide the
most appropriate incident response.</p>
      <p>After: by performing post mortems in which the informal, formal and technical
domains are analyzed, to provide thorough lessons learned on how the different domains
facilitated the incident and to improve cybersecurity.</p>
      <p>There are different roads ahead for future research. One natural extension of this
position paper would be to contextualize previous research in the area of socio-technical
cybersecurity and to look at several cases where cybersecurity failed and see if
repetitive patterns could be identified. Another part could be to look at to what extent
organizations consider all three domains for a balanced socio-technical cybersecurity
approach in their control design.</p>
      <p>The Technical and Formal domains are well researched compared to the Informal
domain. In a wider perspective, it would be beneficial to take an interdisciplinary view
on Informal cybersecurity to identify models to understand, predict and change human
cybersecurity behavior.</p>
      <p>
        Acknowledgements. The authors would like to thank participants at STPIS 2019 and
two anonymous referees for excellent comments that helped improve this paper.
      </p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          <string-name>
            <surname>Björck</surname>
            ,
            <given-names>F.</given-names>
          </string-name>
          , &amp;
          <string-name>
            <surname>Yngström</surname>
            ,
            <given-names>L.</given-names>
          </string-name>
          (
          <year>2001</year>
          ).
          <source>IFIP World Computer Congress/SEC 2000 Revisited. IFIP TC11 WG 11.8 Second World Conference on Information Security Education</source>
          (pp.
          <fpage>209</fpage>
          -
          <lpage>222</lpage>
          ). Perth: School of Information Science, Edith Cowan University.
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          <string-name>
            <surname>Dobos</surname>
            ,
            <given-names>L.</given-names>
          </string-name>
          (
          <year>2019</year>
          , February 18).
          <article-title>2,7 miljoner inspelade samtal till 1177 Vårdguiden helt oskyddade på internet</article-title>
          .
          <source>Computer Sweden</source>
          . Retrieved March 15, 2019, from https://computersweden.idg.se/2.2683/1.714787/inspelade-samtal-1177-vardguiden-oskyddade-internet
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          <string-name>
            <surname>Regeringskansliet.</surname>
          </string-name>
          (
          <year>2019</year>
          , March 1).
          <article-title>Socialministern i möte med anledning av händelserna rörande 1177 Vårdguiden</article-title>
          .
          <source>Regeringskansliet</source>
          . Retrieved from https://www.regeringen.se/pressmeddelanden/2019/03/socialministern-i-mote-med-anledning-av-handelserna-rorande-1177-vardguiden/
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          <string-name>
            <surname>Söderberg</surname>
            ,
            <given-names>N.</given-names>
          </string-name>
          (
          <year>2019</year>
          , February 19).
          <article-title>Ansvarig för Vårdguiden-haveriet: "Mänskliga faktorn"</article-title>
          .
          <source>Dagens Nyheter</source>
          . Retrieved March 15, 2019, from https://www.dn.se/ekonomi/ansvarig-for-vardguiden-haveriet-manskligafaktorn/
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          <string-name>
            <surname>Stamper</surname>
            ,
            <given-names>K.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Liu</surname>
            ,
            <given-names>K.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Kolkman</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Klarenberg</surname>
            ,
            <given-names>P.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Van Slooten</surname>
            ,
            <given-names>F.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Ades</surname>
            ,
            <given-names>Y.</given-names>
          </string-name>
          , &amp;
          <string-name>
            <surname>Van Slooten</surname>
            ,
            <given-names>C.</given-names>
          </string-name>
          (
          <year>1991</year>
          ). From Database to Normbase.
          <source>International Journal of Information Management</source>
          ,
          <volume>11</volume>
          ,
          <fpage>67</fpage>
          -
          <lpage>84</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          <string-name>
            <surname>van Deursen</surname>
            ,
            <given-names>N.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Buchanan</surname>
            ,
            <given-names>W. J.</given-names>
          </string-name>
          , &amp;
          <string-name>
            <surname>Duff</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          (
          <year>2013</year>
          ).
          <article-title>Monitoring information security risks within healthcare</article-title>
          .
          <source>Computers &amp; Security</source>
          ,
          <volume>37</volume>
          ,
          <fpage>31</fpage>
          -
          <lpage>45</lpage>
          . doi:10.1016/j.cose.2013.04.005
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>