Menu
When weak web security can expose medical records

When weak web security can expose medical records

What happens when a networked system to view and manage medical records has critical weaknesses.

With recent reporting showing the ineffectiveness of breach disclosure laws on the rate and scope of data losses, what sort of teeth will HIPAA and similar laws have when electronic health records are compromised in similar numbers and scope.

One of the biggest concerns for the Information Security professional is the introduction and spread of online health records management and storage. One of the first major projects to enter this field in an effort to tie together existing systems and provide a means for consumers to access their records was Microsoft's HealthVault, released in late 2007. Not to be outdone, Google's own offering, Google Health was released earlier this year, though both programs are marked as 'Beta' (which should be enough to pause and think about entrusting sensitive medical data to).

Ignoring for a minute the difficulties of adequately storing and securing sensitive online medical records, the biggest immediate threat is weakness in the systems used to connect to and manage these records. One such threat was recently discovered and disclosed by Ronald van den Heetkamp, after the service provider concerned, Kryptiq, dismissed the vulnerability reporting sent through by van den Heetkamp. The vulnerability information disclosed so far points to a handful of SQL injection opportunities on the Kryptiq Web site and a problem that will be of more concern for Microsoft's HealthVault.

While the Kryptiq site doesn't explicitly explain that a number of its services are built on using the Internet as the network to shift and manage data, instead calling it "a powerful, secure set of communication tools based on familiar technologies", but the [[xref:http://www.kryptiq.com/assets/marketing/HealthVault_Demo/Kryptiq%20HealthVault%20Demo.htm |demo]] of their Connect IQ portal clearly shows that sensitive patient data is being managed from a Kryptiq subdomain.

It is likely that other providers have similar vulnerabilities and it shows that even if a central store of data is relatively secure (such as a back end database), if the systems connecting to that data store are not secure, it can lead to information loss as if the central data store was not secure.

There is nothing to say at this stage that HealthVault has been compromised, or has other critical weakness, but it might as well be if a compromised third party can extract any data stored within it. With increasing demands to store health records electronically and make them available across networks, this risk is only going to increase in the future and may pose a greater problem than the risk of Identity theft/financial theft. You can always be refunded money or have your credit record corrected, you aren't going to be able to do that with your health records.


Follow Us

Join the newsletter!

Error: Please check your email address.
Show Comments