A new report published by Approov uncovered major cybersecurity flaws in third-party health apps that populate patient data from electronic health record systems. Through research conducted by cybersecurity analyst Alissa Knight, it was found that the health data security of many of these apps are flawed, putting the patients that use them at risk.
Report Uncovers Major Vulnerabilities
The Fast Healthcare Interoperability Resources (FHIR) Specification provides resources defining the information contents and structure to set a standard for exchanging healthcare information electronically. These resources are often used to develop third-party health apps. Alissa Knight assessed the health data security of apps built using this standard, identifying vulnerabilities in the software. While Knight did not uncover any vulnerabilities within the electronic health records apps themselves, she did find major weaknesses in the third-party apps they link with.
Through her research, Knight was able to gain unauthorized access to the protected health information (PHI) of more than 4 million patients. Knight stated, “The findings in this report will show that of the 5 FHIR APIs I tested (two of which were EHR vendors with no vulnerabilities) – an ecosystem of 48 FHIR apps with aggregated EHR data from over 25,000 healthcare providers and payers – contained pervasive server-side authentication and authorization vulnerabilities that allowed me to access over 4 million patient and clinician records with my own patient login.”
While these third-party apps facilitate health information sharing, once the health data is transmitted from the EHR platform to the third-party app, the data is no longer subjected to HIPAA health data security standards. The Federal Trade Commission (FTC) recently noted that the apps are required to notify users about breaches affecting their data, but there are no HIPAA privacy or security requirements imposed on them.
According to John Moehrke, an interoperability expert and member of the FHIR management group, “She didn’t need to use advanced cybersecurity hacking. She just used basic stuff that your freshman year of cybersecurity would have stressed.”
The report recommended that regulators:
- Ensure the Information Blocking Rules allow service-providers and EHR vendors to assess the security of the apps and APIs of the aggregators and application developers who connect to their APIs through regular penetration testing and a review of their security controls.
- Clarify that the Security Exception to the Information Blocking Rule allows EHR vendors to require specific controls be implemented by any system that connects to their APIs.
- Reinforce the security guidelines, specifically with requirements around tokens and scopes (which are currently recommendations) to ensure that all organizations who transmit, process, and store EHR data are properly securing their implementation of FHIR.
- Mandate that certificate pinning should be implemented on all SMART on FHIR mobile apps.
- Mandate that shielding solutions must be deployed to ensure that only legitimate applications and users can communicate with APIs to prevent EHR data leakage via synthetic traffic generated by tools, scripts and bots.
Using Secure Health Data Apps
While health data apps used by patients are not required to be HIPAA compliant, there are many apps that provide adequate security protections to prevent breaches. HIPAA compliant health data apps implement encryption, multifactor authentication, access controls, and audit controls to facilitate health data security. To ensure health data security, healthcare providers should advise patients against using apps that lack adequate security safeguards to protect their sensitive information.
