COVID 19 devastation effects have not been limited to the loss of life. In fact, during the last couple of years, the FBI has been warning healthcare professionals of cybercrime and the increased focus on healthcare organizations and individuals.
Ms. Alissa Knight, a “recovering hacker” and a Knight Ink cybersecurity researcher, commented that personal health information (PHI) is the most valuable data on the dark web. Her actual words referred to PHI as: “It’s 10 times more the price of a credit card for a single PHI record.”
Add to that the initiatives and growth in fields like telemedicine, the requirement to develop application program interfaces (API) to ensure connectivity and sharing of data, the growth in the remote monitoring field, and the efforts to expedite the COVID 19 rollout and you have the elements for a perfect storm. For example, some of the findings identified in a recent research conducted by Ms. Knight and Approov, a mobile security company, included:
- According to Experian, a social security number will cost $1, a credit card up to $110, but full medical records can cost up to $1,000 per record. (Experian, 2017)
- Out of the API endpoints tested, 100% of them were vulnerable to Broken Object Level Authorization (BOLA) attacks leading to unauthorized access to full patient records, downloadable lab results and x-ray images, blood work, allergies, and personally identifiable information (PII) including home addresses, family member data, birthdates, and social security numbers.
- The findings demonstrate that the security standards required for compliance with US government FHIR/SMART standards merely represent a subset of the steps needed to secure mobile apps and the APIs which enable apps to retrieve data and interoperate with data resources and other applications.
- 27% of the mobile apps tested were not secured against reverse engineering through code obfuscation.
- 77% of the mobile apps tested contained hard-coded API keys, tokens, private keys, and hard-coded usernames and passwords.
- If hard-coded cryptographic keys are used, it is almost certain that malicious users will gain access through the account in question.
- 50% of the APIs tested allowed Ms. Knight access admissions records for patients being admitted into the hospital as inpatients that she should not have been able to access with her level of authorization.
- 100% of the APIs tested were vulnerable to Broken Object Level Authorization (BOLA) vulnerabilities.
- BOLA vulnerabilities in 100% of the APIs tested allowed Ms. Knight to view the personally identifiable information (PII) and protected healthcare information (PHI) for patients that were not assigned to her clinician account.
The information and vulnerabilities exposed are overwhelming, yet the answer is simple: “A journey of a thousand miles begins with a single step”. I believe that the first step should be based on the Standards established by HIPAA Security. Yet, remember not to be complacent as this is only the first step and a lot more will need to happen to protect our infrastructure and data.