Insecurities in Healthcare Applications

By balaji

December 27, 2006

Online healthcare applications fall within the scope of HIPAA. In this article we discuss the threats they are exposed to, the attacks we have seen work against them, and the precautions to take.

Common Threats to Healthcare applications

Healthcare applications hold the sensitive medical records of patients. Though different types of healthcare applications are exposed to different sets of threats, there is a pattern to the threats they face. Let's take three kinds of application to illustrate it.

Electronic Prescription Management Systems let patients request refills online, route the requests to physicians, let physicians review the patient's medical history online, and let them prescribe refills. Here are some of the threats such systems are exposed to:

An adversary...

  • ...views the medical history of all patients
  • ...modifies the dosage/drug in a prescription after the physician has signed it
  • ...deletes requests for refills from patients
  • ...adds fake medical records for a patient
  • ...signs a prescription on behalf of a physician
  • ...denies access to all physicians and patients
  • ...modifies the address of the pharmacy a prescription should be routed to
  • ...changes the status of refill requests without authorization

Web-enabled MIS for Medical Laboratories provide an online front end for collecting and retrieving data about patients and the tests the laboratory performs. Here are some of the threats such systems are exposed to:

An adversary...

  • ...views medical records he is not authorized to see
  • ...modifies medical records of patients belonging to different service providers
  • ...creates duplicate entries for the same HICNUM (Medicare Health Insurance Claim Number) or SSN
  • ...adds a patient under a provider without authorization
  • ...denies access to all users
  • ...modifies the Medicare coverage periods of users

Online Healthcare Insurance applications provide a convenient web front end to users. For instance, they let patients log in and view the status of their insurance claims. The threats these sites are exposed to are similar to those of the previous two applications:

An adversary...

  • ...views insurance claims of other users
  • ...modifies/deletes insurance claims of others
  • ...views medical records he is not authorized to see
  • ...falsely changes the status of a claim to "approved"
  • ...changes the terms of the plan

Popular exploits that work

What are the popular exploits that we see work against healthcare applications? During the last six years we have seen different types of attacks succeed, some more frequently than others. Anecdotal evidence (not formal research) suggests these are the three attacks healthcare applications should be most wary of:

  1. Variable manipulation attacks : The attacker changes a value the application trusts from the client, such as a record ID in the URL, a hidden form field or a cookie. We have seen this used to read the medical records of other users, modify prescriptions, and escalate privilege levels.
  2. SQL Injection : This well known attack is a staple in a black hat's arsenal. It is useful for bypassing login, gaining higher privileges and denying access to other users.
  3. Stealing data from the browser cache : This is a simple local attack in which an adversary with access to the victim's machine reads sensitive medical information from pages the browser has cached on disk.
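The three attacks above, side by side with the code that stops them, as an added example that is not part of the original article. The in-memory SQLite schema, the users, the prescriptions and the function names are all constructed for illustration; they do not come from any real e-prescription product. Attack 1 is shown as a patient reading another patient's prescription by changing the record id, attack 2 as a login bypass that logs the attacker in as the physician, and attack 3 as the response headers that keep a medical-record page out of the browser's disk cache.

```python
import sqlite3

# Added example (not from the original article). The schema, users and
# prescriptions below are constructed sample data for an illustrative
# e-prescription system; nothing here comes from a real deployment.


def build_db():
    """Create an in-memory database with two patients and one physician."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (
            id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT);
        CREATE TABLE prescriptions (
            id INTEGER PRIMARY KEY, patient_id INTEGER, drug TEXT, dosage TEXT);
        INSERT INTO users VALUES
            (1, 'alice',   'alice-pw', 'patient'),
            (2, 'bob',     'bob-pw',   'patient'),
            (3, 'drsmith', 'doc-pw',   'physician');
        INSERT INTO prescriptions VALUES
            (10, 1, 'metformin', '500 mg'),
            (11, 2, 'warfarin',  '5 mg');
        """
    )
    return conn


# --- 1. Variable manipulation -------------------------------------------
# The vulnerable handler looks up whatever prescription id the client sends
# and never checks that it belongs to the logged-in patient, so changing
# ?id=10 to ?id=11 in the URL exposes another patient's record.
def view_prescription_vulnerable(conn, session_user_id, prescription_id):
    return conn.execute(
        "SELECT patient_id, drug, dosage FROM prescriptions WHERE id = ?",
        (prescription_id,),
    ).fetchone()


# The fix binds the query to the identity held in the server-side session;
# a record that belongs to someone else simply does not match.
def view_prescription_fixed(conn, session_user_id, prescription_id):
    return conn.execute(
        "SELECT drug, dosage FROM prescriptions WHERE id = ? AND patient_id = ?",
        (prescription_id, session_user_id),
    ).fetchone()


# --- 2. SQL injection -----------------------------------------------------
# String-built query: a username of  drsmith' --  comments out the password
# check, so the attacker logs in as the physician without knowing a password.
# (Plaintext passwords are kept only to keep the demo short; a real system
# stores a salted hash and compares it in application code.)
def login_vulnerable(conn, username, password):
    query = (
        "SELECT id, role FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()


# Parameterised query: the input is passed as data, never parsed as SQL, so
# the same payload matches no user.
def login_fixed(conn, username, password):
    return conn.execute(
        "SELECT id, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


# --- 3. Browser cache ------------------------------------------------------
# Pages that show medical data should carry headers that stop the browser from
# writing them to its disk cache, where a local attacker could read them later.
def no_store_headers(headers=None):
    """Return a copy of the response headers with caching disabled."""
    out = dict(headers or {})
    out["Cache-Control"] = "no-store, no-cache, must-revalidate, private"
    out["Pragma"] = "no-cache"      # HTTP/1.0 proxies and old browsers
    out["Expires"] = "0"
    return out


if __name__ == "__main__":
    db = build_db()
    # Alice (id 1) requests Bob's prescription (id 11).
    print("IDOR, vulnerable:", view_prescription_vulnerable(db, 1, 11))
    print("IDOR, fixed:     ", view_prescription_fixed(db, 1, 11))
    payload = "drsmith' --"
    print("SQLi, vulnerable:", login_vulnerable(db, payload, "x"))
    print("SQLi, fixed:     ", login_fixed(db, payload, "x"))
    print(no_store_headers({"Content-Type": "text/html"}))
```

The fixed handlers share one design choice: the server never asks the client who it is. The patient id comes from the session, the role comes from the row the parameterised login returns, and the only thing the client controls is treated as data. The cache headers belong on every response that renders PHI, not just the login page, because the attack reads whatever the browser saved last.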

Best Practices in Securing Healthcare applications

In a nutshell, here are the good practices for securing healthcare applications.

  1. Identify threats on day one, design for security
  2. Train the developers in security
  3. Enforce secure coding guidelines
  4. Test the application for security
  5. Document a secure deployment plan

Tags: Technical
