The data that leaves patients’ medical records becomes less protected, is vulnerable and therefore more prone to hacker attacks. This is the extreme synthesis of a new report on health applications for third parties.
Electronic health records, housed in health centers and subject to the federal privacy law HIPAA, are well protected, although for sure when there are cybercriminals around there is nothing. The problem, however, arises when the patient gives the ok to release their data, thus consenting to third-party applications, such as programs that track people’s medications. That’s where security is lost, where hackers can most easily attack and hit.
Hospitals and health systems are one sensitive target for cybercriminals, as confirmed by the increase in attacks on the sector in the last period. The information is very valuable, every stolen record could translate into hundreds of dollars on the dark web, much more than credit card numbers, which can be easily changed compared to an almost acclaimed objective of a patient’s data, not easily tampered with.
How to raise the bar. “There must be a separate supervisory mechanism for the protection of patient data”
The alarm, therefore, is raised. Directly from the security company of the Approov apps. Cyber security analyst Alissa Knight has, in fact, verified and proven the presence of vulnerabilities in apps created using the Fast Healthcare Interoperability Resources (FHIR) standard, created to encourage the exchange of information in the healthcare sector.
Knight it started its work by checking apps built within the electronic health records themselves: no weak points there, or seriously worrying. The problem arose when he tested third-party programs that connect to medical records to extract data: there the big problems.
In fact, Dr. Knight was able to access further 4 million patient and medical records from over 25,000 vendors, leveraging those vulnerabilities. “He didn’t even need to use advanced cybersecurity hacking,” reveals John Moehrke, interoperability expert and member of the FHIR management team. “He used some basic concepts – he explains – that even a beginner in the first year of IT security would have been able to do”.
READ ALSO >>> Do you want to hire a Hacker? Research tells you how much it would cost you
“There needs to be more care and security in these apps.” Alissa Knight is categorical in the report: once the data leaves a medical record and enters a third-party application, it is not covered by HIPAA, so it is not subject to HIPAA standards on data protection or how people should be. inform in case of access to their data.
READ ALSO >>> Instagram, there is a fact that worries the platform more and more
The Federal Trade Commission recently made it clear that third-party apps must notify users of data breaches, but the commission cannot add additional privacy policies or security for those apps. But something needs to be done: “There must be a separate supervisory mechanism for protecting patient data, and the apps they use.”