Hospitals and health care systems have become a major target for hackers during the Covid-19 pandemic and a new report has claimed that third-party apps that pull patient data from electronic health record (EHR) systems are vulnerable to hacking.
The researchers at app security company Approov were able to access over 4 million patient and clinician records from over 25,000 providers through third-party apps that link up with hospital health records to pull out data.
“Cybersecurity analyst Alissa Knight got access to more than 4 million patient and clinician records by exploiting vulnerabilities in data aggregators’ application programming interfaces, along with associated apps that track medications and share patient records,” reports STAT News.
The records included demographics, lab results, medications, procedures, allergies, and more.
“Collectively, the tested tools can read and write data to the major EHR systems,” the report said on Monday.
Knight checked for vulnerabilities in apps built using the Fast Healthcare Interoperability Resources (FHIR) standard.
“She didn’t need to use advanced cybersecurity hacking. She just used basic stuff that your freshman year of cybersecurity would have stressed,” said John Moehrke, member of the FHIR management group.
The electronic health records housed at hospitals and health centres are well protected.
“But as soon as a patient gives permission for their data to leave the health record and head toward a third-party app – like programmes that track people’s medications, for example – it’s easy for hackers to access,” The Verge reported.
The hacking attempts on the healthcare industry began to rise last year during the pandemic.
In 2020, 1 million people were affected almost every month by data breaches at healthcare organisations, according to health and human services (HHS) data.
Nation-state-backed hackers are also trying to infiltrate healthcare systems and steal vaccine-related research and other information, according to warnings from intelligence agencies in the US, Europe and Canada.
Four years ago, the UK’s National Health Service (NHS) suddenly found itself one of the most high-profile victims of a global WannaCry ransomware attack.