Simple security flaws in third party apps leave patient data at risk

Since the start of the Covid-19 pandemic, cyber attacks on hospitals have risen exponentially, shining a light on the need to protect patients' medical data. As it turns out, hackers have no need to directly attack providers in order to get valuable information. A new cyber security report suggests that it’s remarkably easy for threat actors to steal information through third party apps that pull patient data from electronic health record systems.  

Researchers at the app security company Approov were able to access over four million patient and clinician records from over twenty-five thousand providers through third party apps that link with hospital records to pull data. The records obtained included medications, procedures, allergies and more. 

Researchers checked for vulnerabilities in apps built using the Fast Healthcare Interoperability Resources (FHIR) standard. The FHIR is a standard describing data formats and programming interface for exchanging medical records. It was discovered that the hacking process wasn’t complex but in fact basic and something that would have been learnt in a first year cyber security class. 

Medical records stored in hospitals and health centres are well protected however as soon as a patient gives permission for their data to be transferred through a third party app, it becomes an easy target for a hacker to go for. 

Hacking attempts on the healthcare sector began to rise due to the pandemic. Last year one million people were affected every month due to data breaches at healthcare facilities. 

According to warnings from intelligence agencies in Europe, the U.S. and Canada nation state hackers have also been attempting to infiltrate healthcare systems in order to steal vaccine related information. 

It’s once again been made clear that the current health crisis has made it easier for threat actors to profit off of others misfortune.  

Preventing attacks on critical data before they have the chance to cause irreparable damage is key; however it is not always possible. The best course of action for these third party apps should have really been, right from the start of development, fixing the basic security flaws and then working through the more complex problems. Once done they should have been trialled and tested to find any gaps left in the security until it became more and more difficult for hackers to access the data being shared using the applications.  

Thanks to technology, life is much easier for us, information is at our fingertips and it’s much more practical when we need something. However sometimes there's still something to be said for old fashioned paper records.