Security flaws in health apps, APIs potentially put millions of patient records at risk, report finds

Third-party apps and aggregators that pull data from electronic health record systems may be vulnerable to hacks, putting millions of patient and clinician records at risk, a new report found.

In research published by cybersecurity company Approov, cybersecurity analyst and “recovering hacker” Alissa Knight tested three production application programming interfaces (APIs), the communication channels that link a mobile app to the server holding EHR data. The APIs use the Fast Healthcare Interoperability Resources (FHIR) standard for healthcare data and contain aggregated data from more than 25,000 providers and payers.

With a single patient login account, Knight was able to access more than 4 million patient and clinician records.

All three APIs tested, which together serve a network of 48 mobile apps and APIs, allowed Knight to access other patients’ health data using a single patient’s login; the server checked that the caller was logged in but not that the requested record belonged to that caller. More than half (53%) of the mobile apps tested also shipped with hardcoded API keys and tokens, which anyone who unpacks the app binary can extract and reuse to call the APIs directly.

Further, half of the data aggregators failed to segment their databases by app, so a login for one app gave Knight access to patient records belonging to other apps on the same platform, according to the report.
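The two findings above are easiest to see in code. The following is an added example written for this article, not code from the Approov report, the tested apps or any EHR vendor: a minimal FHIR-style resource lookup in Python with a vulnerable handler that only authenticates the caller, beside a hardened one that also checks that the requested Patient or Observation lies in the caller’s own compartment and in the app (tenant) the token was issued to. All records, tokens, IDs and function names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data standing in for an aggregator's FHIR store that
# serves several apps ("tenants"). Not real patient data.
PATIENTS = {
    "p-100": {"resourceType": "Patient", "id": "p-100", "name": "Alice", "tenant": "app-A"},
    "p-200": {"resourceType": "Patient", "id": "p-200", "name": "Bob",   "tenant": "app-A"},
    "p-300": {"resourceType": "Patient", "id": "p-300", "name": "Carol", "tenant": "app-B"},
}
OBSERVATIONS = {
    "o-1": {"resourceType": "Observation", "id": "o-1", "subject": "Patient/p-100", "code": "glucose", "value": 95},
    "o-2": {"resourceType": "Observation", "id": "o-2", "subject": "Patient/p-200", "code": "hba1c",   "value": 7.1},
    "o-3": {"resourceType": "Observation", "id": "o-3", "subject": "Patient/p-300", "code": "bp",      "value": "120/80"},
}


@dataclass(frozen=True)
class Session:
    """What a validated access token carries: the caller's patient ID and the app it was issued to."""
    patient_id: str
    tenant: str


# Constructed bearer tokens. A real service would validate a signed OAuth/JWT token here.
TOKENS = {"tok-alice": Session(patient_id="p-100", tenant="app-A")}


class Forbidden(Exception):
    """Raised for any request the caller is not allowed to make."""


def authenticate(token):
    """Authentication only: proves who the caller is, says nothing about what they may read."""
    session = TOKENS.get(token)
    if session is None:
        raise Forbidden("invalid token")
    return session


def get_patient_vulnerable(token, patient_id):
    """GET /Patient/{id} as the tested APIs behaved: any logged-in patient can read any Patient."""
    authenticate(token)
    return PATIENTS.get(patient_id)


def get_patient_hardened(token, patient_id):
    """GET /Patient/{id} with object-level authorization and tenant segmentation."""
    session = authenticate(token)
    rec = PATIENTS.get(patient_id)
    # The record must be the caller's own compartment AND the caller's tenant.
    # Missing, foreign and cross-tenant IDs all get the same error so the API
    # does not reveal which IDs exist.
    if rec is None or rec["id"] != session.patient_id or rec["tenant"] != session.tenant:
        raise Forbidden("resource not in caller's compartment")
    return rec


def search_observations_vulnerable(token, patient_id):
    """GET /Observation?patient={id} with no compartment check: the caller picks any patient."""
    authenticate(token)
    return [o for o in OBSERVATIONS.values() if o["subject"] == f"Patient/{patient_id}"]


def search_observations_hardened(token, patient_id):
    """Same search, but the caller-supplied patient parameter must match the session."""
    session = authenticate(token)
    if patient_id != session.patient_id:
        raise Forbidden("resource not in caller's compartment")
    # Scope the query to the authenticated compartment, never to the raw parameter.
    return [o for o in OBSERVATIONS.values() if o["subject"] == f"Patient/{session.patient_id}"]


def is_forbidden(handler, *args):
    """True if the handler rejects the call; used to show which requests the hardened API refuses."""
    try:
        handler(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # Alice's token, used to pull Bob's record and Carol's cross-app record.
    print(get_patient_vulnerable("tok-alice", "p-200"))          # Bob's Patient resource leaks
    print(get_patient_vulnerable("tok-alice", "p-300"))          # Carol's, from another app
    print(search_observations_vulnerable("tok-alice", "p-200"))  # Bob's lab result leaks
    print(get_patient_hardened("tok-alice", "p-100"))            # only Alice's own record
    print(is_forbidden(get_patient_hardened, "tok-alice", "p-200"))  # True
```

The check in the hardened handlers is the whole difference: the request is still authenticated in both versions, but only the hardened version asks whether this caller may see this object, and it makes that decision from the session rather than from anything the client sent. The same rule applies to every FHIR search parameter that names a patient (`patient=`, `subject=`, `_id=`), and to any aggregator that hosts several apps on one database.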


Knight didn’t use complicated hacking techniques, either. In a live stream on Knight’s YouTube channel, John Moehrke, co-chair of the HL7 security work group and member of the FHIR management group, called her methods “kindergarten cybersecurity.”

“She has a PhD for crying out loud, and she only had to be able to say her ABC’s,” Moehrke said during the live stream.

The report immediately faced backlash online, with much of the criticism centering on the importance of the FHIR standard. However, “the vulnerabilities were in the implementation, not the FHIR standard itself,” Knight wrote in the report.

“There were no vulnerabilities found in the EHR companies themselves,” said Knight, discussing the report during the same YouTube livestream. “These issues were found because of a lack of harmony and secure co-development with the integrators and the app developers. That is an important distinction here.”


Aggregators can be important tools for providers, researchers and payers: they let a patient see multiple providers while giving each specialist access to that patient’s full medical history. But the APIs the aggregators use to connect with EHR systems are more exposed to attack than the EHR systems themselves, the report said.

“It is alarming how sensitive patient data moves from higher security levels to third-party aggregators where security has been found to be flagrantly lacking,” Knight wrote in the report.

In a 2019 report, Gartner predicted that APIs would be the most common attack vector for application breaches by 2022.

Approov and Knight also released a report in February that revealed similar concerns. In that research, Knight attempted to hack into 30 mobile health apps, all of which she found to be vulnerable to API attacks. In total, 23 million mobile health users were vulnerable as a result, she wrote in the report.

Knight’s newest report recommends major changes to close the “last mile” security gaps, such as requiring app developers and aggregators to follow best practices for handling patient data, and having EHR providers monitor the data accessed through their APIs. She also called for federal regulators, namely the Office of the National Coordinator for Health Information Technology, to require that EHR access through FHIR APIs be secured at every step of the chain.

Approov also introduced its FHIR Guard on Friday, a security service to prevent bots, scripts and compromised apps from accessing or manipulating EHRs.

“Healthcare organizations and regulators who handle and oversee this sensitive data must give equal attention to security enforcement as they do to empowering citizens to take control of their patient data,” said David Stewart, CEO of Approov, in a statement. “With this research we don’t just want to raise a red flag. The introduction of FHIR Guard is a genuine effort by Approov to contribute positively towards improving the situation today, ahead of regulations which will surely follow in time.”