Hospitals and health care systems have become a major target for hackers during the Covid-19 pandemic. A new report has claimed that third-party apps that pull patient data from electronic health record (EHR) systems are vulnerable to hacking.
The researchers at app security company Approov were able to access over 4 million patient and clinician records from over 25,000 providers through third-party apps that link up with hospital health records to pull out data.
Cybersecurity analyst Alissa Knight got access to more than 4 million patient and clinician records by exploiting vulnerabilities in data aggregators’ application programming interfaces, along with associated apps that track medications and share patient records, – reports STAT News.
The records included demographics, lab results, medications, procedures, allergies, and more.
“Collectively, the tested tools can read and write data to the major EHR systems,” the report said on Monday.
Knight checked for vulnerabilities in apps built using the Fast Healthcare Interoperability Resources (FHIR) standard.
“She didn’t need to use advanced cybersecurity hacking. She just used basic stuff that your freshman year of cybersecurity would have stressed,” said John Moehrke, a member of the FHIR management group.
The electronic health records housed at hospitals and health centers are well protected.
“But as soon as a patient gives permission for their data to leave the health record and head toward a third-party app – like programs that track people’s medications, for example – it’s easy for hackers to access,” The Verge reported.
The hacking attempts on the healthcare industry began to rise last year during the pandemic.
In 2020, 1 million people were affected almost every month by data breaches at healthcare organizations, according to health and human services (HHS) data.
According to warnings from intelligence agencies in the US, Europe, and Canada, nation-state-backed hackers are also trying to infiltrate healthcare systems and steal vaccine-related research and other information.
Four years ago, the UK’s National Health Service (NHS) suddenly found itself one of the most high-profile victims of a global WannaCry ransomware attack.