As healthcare providers continue to embrace technology, are patients being left vulnerable? If a recent incident at True Health Diagnostics, a Frisco, TX-based healthcare services company, is any indication, then the answer is a resounding “yes.”
PHI Exposed Through Web-Based Application
True Health is a privately held healthcare services company specializing in comprehensive testing for early detection of a wide range of diseases and genetic abnormalities. As part of their services, True Health offers a web-based portal so patients may view their test information and results quickly. Patients are required to register before logging into the portal and viewing test results. Patient portals are not outside the “norm” for medical practices; they can streamline follow-up procedures for patients and physicians alike. However, a recent flaw in the True Health portal allowed patients to access not only their own test results, but also the test results and PHI of other patients.
A few weeks ago, an IT consultant discovered the flaw after logging into the portal: alongside his own test results (in PDF form), he found test results belonging to other patients. True Health acted quickly and the issue was identified. Because the PDF files were numbered sequentially, a user of the patient portal could simply alter a digit in the URL and view the medical information of another patient, a technique known as Forceful Browsing (the portal never checked whether the requested report actually belonged to the logged-in user). Additionally, it was determined that True Health had been using this numbering system for previous years’ test results, so it is possible patient records could have been exposed for a few years.
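The flaw described above is a missing object-level authorization check: a sequential report ID in the URL is accepted from any logged-in user. The following is an added example, not code from True Health or HIPAA One, showing the flawed lookup next to a hardened one that ties each report to its owner, plus a simple detector that flags accounts fetching runs of consecutive report IDs in access logs. The report-ownership table, URL layout and log format are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data: which patient account owns which report ID.
REPORT_OWNER = {1001: "alice", 1002: "bob", 1003: "carol", 1004: "bob"}


def fetch_report_vulnerable(requesting_user, report_id):
    """The flawed pattern: being logged in is enough to read any report ID."""
    if report_id not in REPORT_OWNER:
        return None
    return f"report-{report_id}.pdf"


def fetch_report_hardened(requesting_user, report_id):
    """Object-level authorization: the report must belong to the requester."""
    owner = REPORT_OWNER.get(report_id)
    # One identical response for 'missing' and 'not yours' so an attacker
    # cannot use the difference to confirm which IDs exist.
    if owner is None or owner != requesting_user:
        return None
    return f"report-{report_id}.pdf"


# Constructed access-log format: "<user> GET /reports/<id>.pdf <status>"
LOG_RE = re.compile(r"^(?P<user>\S+) GET /reports/(?P<rid>\d+)\.pdf (?P<status>\d{3})$")


def enumeration_suspects(log_lines, min_run=3):
    """Return {user: longest run of consecutive report IDs requested}
    for users whose longest run reaches min_run (forceful browsing signal).
    Non-200 responses count too, since failed probes are still probes."""
    ids_by_user = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            ids_by_user[m["user"]].add(int(m["rid"]))
    suspects = {}
    for user, ids in ids_by_user.items():
        longest = run = 0
        for rid in sorted(ids):
            run = run + 1 if rid - 1 in ids else 1
            longest = max(longest, run)
        if longest >= min_run:
            suspects[user] = longest
    return suspects


# Constructed log sample: bob walks IDs 1002..1005, alice reads her own report.
SAMPLE_LOG = [
    "bob GET /reports/1002.pdf 200",
    "bob GET /reports/1003.pdf 200",
    "bob GET /reports/1004.pdf 200",
    "bob GET /reports/1005.pdf 404",
    "alice GET /reports/1001.pdf 200",
    "malformed line that the parser ignores",
]
```

With the hardened lookup, bob's requests for 1003 and 1005 return nothing, and the detector reports him as the only account with a run of four consecutive IDs.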
Following the identification of the issue, the web portal was immediately taken offline and fixed. In the event the ongoing investigation discloses that additional patient health information was accessed, those patients will be notified. True Health was quite fortunate in that the incident was identified and rapid action was taken, so no further damage was done. The portal is now back online and running smoothly.
Compromise Assessment: Due-Diligence Task
The recent events should serve as both a reminder and a warning to healthcare organizations using patient portals: in order to prevent a similar disclosure, implementing (and testing!) safeguards is necessary. One way to do this is by performing a compromise assessment.
A compromise assessment is a due-diligence task used to verify security and confirm that an organization has not experienced a security breach. A compromise assessment essentially answers the question, “Have we been breached?” Completed by a group of whitehat hackers or IS professionals, the goal is to examine an organization’s various systems, verify if and when they were compromised, and estimate the damage and exposure that has been (or could be) done to their customers’ data. By gaining an understanding of the extent of the breach, the organization can in turn create a plan to remedy the issue and notify the appropriate parties of the disclosure.
Penetration Testing: Proactive Approach
In simple terms, conducting a penetration test is a proactive approach to finding security deficiencies before a breach occurs or hackers find a way in. Instead of asking, “Have we been breached?” a penetration test provides an answer to the question “How secure are we?” Although penetration testing alone will not ensure a network is compliant or secure, it will identify gaps between existing threats and the controls that an organization has in place.
Penetration testing has many other benefits, including:
- Reveals where procedures may be failing – Especially if insecure services are being used for administration, or if critical security patches are missing due to inadequate configuration and change management processes/procedures.
- Exposes poor password policy – Including the use of default or weak passwords, password reuse, and the use of incremental passwords.
- Justification to management – For approval of additional security technologies. For example, showing upper management that penetration testers were able to break into the system and email out the entire customer database.
- Acts as a “second set of eyes” – Critical if using an independent provider when hosting ePHI/PII.
Partnership with TwelveSec
At HIPAA One we offer a host of assurance services through our trusted partner, TwelveSec. TwelveSec is an information security firm specializing in assurance, security management, and information security training services. By working together, our service includes a penetration test performed by an international team of testers and security experts who simulate attacks from both an outside, unauthenticated perspective and from authenticated user-account perspectives, including participants and administrators. To learn more about our offerings and services, visit our Penetration Testing page.