Patient Portal Flaw Exposes Lab Records
Incident a Reminder of Need to Safeguard Web-based Patient Information
A recent patient portal security mishap at a Texas-based cancer testing laboratory is the latest reminder of the need to safeguard sensitive health information on web-based applications and websites.
True Health Diagnostics, based in Frisco, Texas, recently became aware that patients could potentially access the health records of other patients through a security flaw on the company's patient web portal.
The problem, which was first reported by security blogger Brian Krebs, involved the potential for registered users of the portal to access health data, including lab reports, of other individuals.
Krebs reports that he was tipped off about the problem by an IT consultant in Las Vegas who had been using True Health Diagnostics for his own medical purposes. "To demonstrate the flaw, [the consultant] logged into his account at True Health and right clicked on the PDF file for his latest health report. He showed how the site would readily cough up someone else's detailed health records and blood tests if he modified a single digit in the link attached to that PDF record and then refreshed the page," reports Krebs, who notes that he separately verified the flaw and then notified the company.
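What the consultant found is the classic insecure direct object reference: the portal authenticated the user but never checked that the report number in the URL belonged to that user. The following is an added illustration, not True Health's portal code. It shows a lookup with exactly that defect beside a hardened version that scopes the query to the logged-in patient, plus the probe a tester would run (vary the id around a known-good one and see whose report comes back). The report store, patient ids and file names are constructed sample data; the function names are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Report:
    report_id: int
    patient_id: str
    filename: str


# Constructed sample store. Sequential report numbers are what make a
# "change one digit" attack trivial; the real fix is the ownership check below.
REPORTS: Dict[int, Report] = {
    1041: Report(1041, "patient-A", "lipid_panel_A.pdf"),
    1042: Report(1042, "patient-B", "lipid_panel_B.pdf"),
    1043: Report(1043, "patient-C", "cbc_C.pdf"),
}


def get_report_vulnerable(session_patient: str, report_id: int) -> Optional[Report]:
    """Authenticates (caller is a logged-in patient) but never authorises:
    any logged-in patient can fetch any report by number."""
    return REPORTS.get(report_id)


def get_report_hardened(session_patient: str, report_id: int) -> Optional[Report]:
    """Scope the lookup to the authenticated patient. A report owned by someone
    else is returned exactly like a non-existent one, so the endpoint does not
    leak which report numbers are valid."""
    report = REPORTS.get(report_id)
    if report is None or report.patient_id != session_patient:
        return None
    return report


def probe_idor(handler: Callable[[str, int], Optional[Report]],
               session_patient: str, own_report_id: int, radius: int = 2) -> List[int]:
    """The consultant's check, generalised: vary the id around a known-good one
    and record every id that hands back another patient's report."""
    leaked = []
    for rid in range(own_report_id - radius, own_report_id + radius + 1):
        report = handler(session_patient, rid)
        if report is not None and report.patient_id != session_patient:
            leaked.append(rid)
    return leaked


if __name__ == "__main__":
    print("vulnerable handler leaks:", probe_idor(get_report_vulnerable, "patient-B", 1042))
    print("hardened handler leaks:  ", probe_idor(get_report_hardened, "patient-B", 1042))
```

Replacing sequential numbers with random, unguessable identifiers only raises the cost of guessing; it does not replace the ownership check, because a link can still be shared, logged or cached. Run the probe against every external endpoint that takes a record identifier, not just the PDF download.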
A True Health Diagnostics spokesman confirmed the flaw to Information Security Media Group. "Immediately upon being alerted by Krebs, we shut down the portal to look at the vulnerability," the spokesman says. "We patched the program and restored the site for operations. Our CEO has ordered an investigation into what files might have been accessed; the entire thing is being investigated."
As of May 9, True Health did not yet know approximately how many patient records were potentially impacted by the vulnerability or inappropriately accessed, the spokesman says.
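Answering the question the investigation faces (which files were actually accessed, and whose) comes down to replaying the portal's access logs against the report ownership table and flagging every successful fetch where the authenticated account is not the owner. The following is an added illustration, not True Health's tooling: the log lines, the ownership table and the URL layout are constructed sample data, and the log format is an assumption chosen so the example runs offline.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed ownership table: report number -> patient account that owns it.
OWNER: Dict[int, str] = {1041: "patient-A", 1042: "patient-B", 1043: "patient-C", 1044: "patient-D"}

# Constructed log lines (timestamp, authenticated account, request, status).
# One account walks through neighbouring report numbers after viewing its own.
SAMPLE_LOG = """\
2017-05-08T14:02:11Z patient-B GET /portal/reports/1042.pdf 200
2017-05-08T14:02:40Z patient-B GET /portal/reports/1041.pdf 200
2017-05-08T14:02:43Z patient-B GET /portal/reports/1043.pdf 200
2017-05-08T14:02:45Z patient-B GET /portal/reports/1044.pdf 200
2017-05-08T14:05:02Z patient-C GET /portal/reports/1043.pdf 200
2017-05-08T14:06:30Z patient-D GET /portal/reports/1045.pdf 404
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) GET /portal/reports/(?P<rid>\d+)\.pdf (?P<status>\d{3})$"
)

Hit = Tuple[str, str, int, str]  # (timestamp, requesting account, report id, owning account)


def cross_account_fetches(log_text: str, owner: Dict[int, str]) -> List[Hit]:
    """Every successful (200) fetch of a report by an account that does not own it.
    Non-200 responses are skipped: a 404 or 403 did not disclose anything."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("status") != "200":
            continue
        rid = int(m.group("rid"))
        user = m.group("user")
        real_owner = owner.get(rid)
        if real_owner is not None and real_owner != user:
            hits.append((m.group("ts"), user, rid, real_owner))
    return hits


def affected_patients(hits: List[Hit]) -> Dict[str, Set[Tuple[int, str]]]:
    """Collapse hits into the notification view: for each patient whose report
    was exposed, the set of (report id, account that fetched it)."""
    out: Dict[str, Set[Tuple[int, str]]] = defaultdict(set)
    for _, user, rid, real_owner in hits:
        out[real_owner].add((rid, user))
    return dict(out)


if __name__ == "__main__":
    for ts, user, rid, real_owner in cross_account_fetches(SAMPLE_LOG, OWNER):
        print(f"{ts} {user} fetched report {rid} owned by {real_owner}")
```

The replay is only as good as the logs: it needs the authenticated account (not just a client IP) recorded on every download, retention covering the whole exposure window, and an ownership table as of the time of each request. If any of those are missing, the honest answer to "how many records were accessed" is a count of what could have been accessed, which is how the breach-notification scope is usually settled.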
The portal software used by True Health Diagnostics "was purchased about five years ago from a consulting company," the spokesman said, noting that he did not know whether the software might also be used by other organizations.
A Common Challenge
Other healthcare entities have faced similar kinds of problems involving insecure websites or vulnerable web applications.
"It is probably more common than we realize, as many portals may have exposures not yet discovered," says Keith Fricke, principal consultant at tw-Security. "Sometimes the lack of hardening standards and solid change management practices create opportunity for protected health information leakage to creep into an operational portal."
Some previous cases have caught the attention of federal regulators.
"We have seen similar issues as this in other cases, such as the 2013 [Department of Health and Human Services Office for Civil Rights'] settlement with WellPoint," notes privacy attorney Adam Greene of the law firm Davis Wright Tremaine. In that case, the health insurer agreed to pay federal regulators $1.7 million to settle a HIPAA compliance case stemming from a website data breach that may have exposed information on more than 612,000 individuals.
OCR's investigation into the WellPoint breach focused on security weaknesses in an online insurance application tracker database that left information on hundreds of thousands of individuals temporarily accessible. At the time it revealed the breach, WellPoint indicated that the incident was caused by a temporary security lapse for the application tracker program during a system upgrade by a third-party vendor. The incident also resulted in a number of lawsuits.
"The problem is often that software developers focus on performance and usability, without always identifying and correcting potential software vulnerabilities," Greene notes.
And in 2012, OCR signed a $100,000 settlement with Phoenix Cardiac Surgery P.C., following a report that the Arizona practice was posting clinical and surgical appointments for its patients on an internet-based calendar that was publicly accessible.
So, will OCR potentially scrutinize the True Health Diagnostics incident in the same critical light as the WellPoint and Phoenix Cardiac cases? "It is always hard to predict in which cases OCR will pursue financial settlements or penalties," Greene notes. "OCR recognizes that breaches happen and will often focus on underlying root causes - such as whether a risk analysis was in place - and the extent of corrective action after the breach."
Steps to Take
Covered entities and business associates should take action to help prevent mishaps involving unsecured portals, websites and web applications.
Greene suggests, for example, that they "should consider penetration testing of any external interfaces and, when purchasing public-facing software solutions from third parties, consider diligence on what level of testing they have performed on their interfaces."
Privacy attorney Kirk Nahra of law firm Wiley Rein notes: "Assuming that these allegations [in the True Health Diagnostics incident] are accurate, this is a disappointing but common failure to practice decent security on internet platforms. Companies should not use these formats at all unless they have competent and sophisticated people designing their security. I have seen too many cases where it is too easy even for people without technical backgrounds to get through security controls."
Organizations sometimes put themselves at risk "by trading off implementing sound security practices in favor of meeting deadlines," Fricke notes. "Some of those timelines may not have been realistic to begin with. Consequently, securing internet-facing systems is not baked into the implementation plan to the extent it should be. Also, covered entities should draft a list of security requirements they expect of a portal-hosting BA and get some assurances those requirements are being met."
Nahra advises organizations to examine all OCR's HIPAA settlements "and make sure your company is addressing the failures that OCR found in someone else. It's always worse to be the 'next' company."