
Healthcare Web Applications – The Security Achilles Heel

At Redspin we have a unique view of the security space, since we are hired to perform security assessments of customer web applications all the time. Our clients want to know whether a hacker can access their Electronically Protected Health Records (EPHI). The answer, sadly, is often yes, and many times it is dreadfully easy. This week we accessed a customer portal chock full of EPHI using the classic SQL injection trick: the string ' or 1=1;-- (a single quote, then or 1=1;--). For those not technically inclined, this string is usually entered into the username field. It tricks the application so that instead of checking whether the username and password are valid, it checks whether the username and password are valid or whether 1=1. Since 1=1 is always true, a poorly coded application logs the nefarious hacker in (often as the global administrator or system user).
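To show why the trick above works and what the fix looks like, here is an added example (not code from the original post or from any Redspin client): a login check built by string concatenation beside the same check using a parameterized query, run against a constructed in-memory SQLite table. The table, the usernames and the plaintext passwords are all assumed for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the page).
# A real system would store a password hash, never the plaintext.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "correct-horse-battery", "global_admin"),
         ("nurse1", "hunter2", "clinician")],
    )
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """The flawed pattern: user input is pasted into the SQL text.
    With username "' or 1=1;--" the WHERE clause becomes
    username = '' or 1=1  and everything after ;-- is a comment,
    so the first row (here the admin account) is returned."""
    sql = ("SELECT username, role FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone()

def login_parameterized(conn, username, password):
    """The fix: placeholders keep the input as data, so the quote and
    the 'or 1=1' are compared literally against the username column
    and no row matches."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()

def compare(username, password):
    """Run both checks on the same input; returns (vulnerable, fixed)."""
    conn = make_db()
    return login_vulnerable(conn, username, password), login_parameterized(conn, username, password)

if __name__ == "__main__":
    # The string from the post, in the username field, with any password.
    print(compare("' or 1=1;--", "x"))
    # A legitimate login behaves the same under both implementations.
    print(compare("nurse1", "hunter2"))
```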

It’s unfortunate that the healthcare space is subject to these flaws, as most of these applications house thousands of EPHI records. These systems commonly hold SSNs, credit card numbers, addresses and dates of birth: essentially everything a nefarious bad guy would need to steal many identities. In addition, many people consider their medical information to be their most private data.

Another example is an advisory we just published on cross-site scripting vulnerabilities and database access in OpenEMR, an open source healthcare records application.

It’s not just the small players either: Anthem Blue Cross recently disclosed that over 200,000 records were potentially breached on its website. Many of the security problems we see are obvious, and with basic effort an organization can be much more secure. According to the report, attorneys looking for information for a class action lawsuit against Anthem were able to gain access to the EPHI. This implies that the breach and the flaw were not complicated and didn’t require world-class hacking skills. Given that the California Department of Public Health is starting to dole out fines (Healthcare Breach Fines), it will be interesting to see whether it hits Anthem with the maximum fine.

The bottom line: if you have EPHI accessible via your Internet-facing web applications, perform your due diligence. At Redspin we always recommend starting with the best practices that the Open Web Application Security Project (OWASP) has outlined in its Top 10 Web Application Vulnerabilities list.

This Post Has One Comment
  1. Application security in the healthcare segment is certainly a significant issue. For healthcare providers that are deploying EMR products it is critical to have a clear understanding of the application security measures that are in place with the EMR vendor of choice. The EMR vendor should be able to clearly articulate the secure SDLC programs that they employ, as well as discuss how they maintain security from release to release.

    It is also common to require customization of the chosen EMR product or service to fit the workflow processes in place at the healthcare provider organization. The deployment team needs to structure a program to ensure application security for the customized instance that is specific to their environment.

    Most organizations are in a rush to deploy EMR products to get their meaningful use incentives. Certainly that is important, but do not overlook the need for rigorous application security along the way.
