Third-party health apps that pull patient data from electronic health record systems are vulnerable to hacks, according to a new report. The electronic health records themselves, which are housed at health centers and subject to the federal privacy law HIPAA, are well protected. But as soon as a patient gives permission for their data to leave the health record and head toward a third-party app — like programs that track people’s medications, for example — it’s easy for hackers to access.
Hospitals and health care systems are a major target for hackers, and attacks have only escalated over the past few years. Patient health data is some of the most valuable information to hackers: each record can be worth hundreds of dollars on the dark web, in part because the details in it can’t be changed easily and it’s harder to detect when the data is used fraudulently. Credit card numbers, on the other hand, can easily be changed and are only worth a few dollars.
For this new report sponsored by app security company Approov, cybersecurity analyst Alissa Knight checked for vulnerabilities in apps built using the Fast Healthcare Interoperability Resources (FHIR) standard, which was set up to encourage information exchange in healthcare. She started by checking apps built within the electronic health records themselves and didn’t find weaknesses. But when she tested third-party programs that link up with health records to pull out data, she found major problems. Knight was able to access over 4 million patient and clinician records from over 25,000 providers through those holes.
“She didn’t need to use advanced cybersecurity hacking,” John Moehrke, an interoperability expert and member of the FHIR management group, told STAT News. “She just used basic stuff that your freshman year of cybersecurity would have stressed.”
Third-party applications and data aggregators are important for healthcare — they help doctors and patients by pulling health records into more accessible formats, or they aggregate information from different appointments into one place. The Department of Health and Human Services has rules that encourage health systems to make sure they can talk to each other electronically — it’s important to help give people access to their own health information and to help doctors coordinate care.
But there needs to be more care and security around those applications, Knight wrote in the report. Once data leaves a health record and enters a third-party application, it isn’t covered by HIPAA, so it isn’t subject to HIPAA’s standards around data protection or around how people should be notified if their data is accessed. The Federal Trade Commission recently clarified that the third-party apps do have to notify users about data breaches, but the commission can’t add on additional privacy or security regulations for those apps.
“There needs to be some separate oversight mechanism to protect patients and the apps that they use,” the new report recommended.