Hacking Healthcare Through APIs
Episode 38 • 25th February 2021 • This Week Health: News • This Week Health
00:00:00 00:08:21

Transcripts

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Today in Health IT, the story is Hacking Healthcare through APIs. My name is Bill Russell. I'm a former CIO for a 16 hospital system and creator of This Week in Health IT, a channel dedicated to keeping health IT staff current and engaged. We have no sponsor for today's show, so I'm going to take a few seconds to tease you about what we have coming.

We have something really exciting happening here at This Week in Health IT. I can't wait to tell you about it, but I'm supposed to wait one more week. We've had conversations, asked the questions, and we feel it's finally time for us to take the next step. I'm looking forward to sharing it with you, but until then, I just wanted to thank you for your continued support of the show.

Thank you for listening and joining with us in our journey of raising up the next generation of health leaders by amplifying great thinking to propel healthcare forward. Alright, onto today's story. Mobile health apps leak sensitive data through APIs, a report finds. This is in Fierce Healthcare. I'm really enjoying the reporting in Fierce Healthcare these days.

I'm finding a lot of really good articles, so just wanted to share that. I'm gonna go right into the article. I'm just gonna read a bunch of this and then come back to the so what. So recovering hacker Alissa Knight calls personal health information the most valuable data on the dark web, and we've covered that before on the show.

It's about 10 times more valuable, as she goes on to say. Knight partnered with mobile security company Approov (A-P-P-R-O-O-V), and it always cracks me up, the names that these companies come up with, anyway, to hack 30 mobile health apps to highlight the threats they face through application programming interfaces, otherwise known as APIs.

The findings were published in a recent report. All that we led in. Okay, so you know where the story's going. All of the apps were found to be vulnerable to API attacks, and some allowed access to electronic health records. The 30 apps collectively exposed 23 million mobile health users to attacks.

Actually, that's not a big number if you consider healthcare, but anyway, it exposes the challenge with some of the APIs. Knight reported that of the 30 apps tested, 77% contained hard-coded API keys. Yikes. Some of those do not expire, according to the report. And 7% had hard-coded usernames and passwords.

Wow. That's really bad programming. If you ever find that in your programming, find the programmer and figure out how to get 'em to the door, or get them educated at the minimum. And the reason I say that is 'cause that's like the first thing you learn in coding back in high school: not to hard-code usernames and passwords into code.

That is such a shortcut that it's egregious. That's the only reason I say that. The study noted that a wide range of mobile health apps face threats, as the security company tested apps from large healthcare systems as well as mobile health vendors. It also tested apps that let clinicians log in and manage patient data.

All right, so that's the scope of the apps. There are plenty of mobile healthcare apps that may not directly be accessing the patient's medical records, but they're still accessing extremely sensitive information like prescriptions and those kinds of things. All right. During her research, Knight hacked into the system of one hospital, changing the values in an EHR by one digit, and then was able to access the health records of the patient's family members and other information that the hospital registration desk had captured for a patient. Knight used a hacking tool that looks like it's generating data from the mobile health app.

And she goes on to talk about that. That's interesting. So the traffic looks exactly the same as traffic that's coming in from the actual mobile app, and that gives the hackers so much more flexibility about the things that they can do. In addition, Knight found that a hundred percent of the API endpoints were susceptible to broken object level authorization.

BOLA attacks. The OWASP Foundation, which organizes community-led open source projects, listed BOLA as the top security risk for APIs. BOLA attacks enabled Knight to view personally identifying information and personal health information that were not authorized in the clinician account the researchers used.

In addition, in 50% of the APIs tested, medical professionals were able to access pathology, X-rays and results of other patients. They also go on, it's a good article, they actually go on to give suggestions, tools, mitigation strategies. You got it? Go ahead and check out the article. Here's my so what on this.

Okay, so the first thing, this is just a small education piece for you guys. This is a marketing piece that exposes a pretty real issue. Let's start with how marketing works. We do it here as well, so I'm not exposing anything new. I'm just gonna tell you where the value comes. You won't read an email from a company that says, Hey, buy my stuff.

Right? We all hate that. They've moved on to writing white papers, and you stopped downloading those. So these creative folks got in a room and they said, how can we get your attention? And they said, oh, I know, we'll do something that's newsworthy, something that will be picked up by Fierce Healthcare. And so they came up with this: let's do a white hat event.

Let's hire somebody who can hack into these things. It's a very real issue. It's an issue that has our attention, right? And hack some mobile records, collect the data and publish a report. Now you have something of value to you and the world. It's good on them, because they've created something that actually has value and you get educated in the process.

Successful marketing adds value to the reader. This isn't bad. This is good. Just see it for what it is. Okay. What is it? It's a well done piece that identifies a real problem that every health system should be concerned about. We're all rushing to digital front doors, online scheduling, telehealth delivered anywhere to our patients.

This is where COVID has brought us, and the patients are saying it's about time, but whenever we move fast, we have to be thoughtful of the holes we are creating, the new attack vectors that may be exposed as we put on what is in some cases a new capability. We need to use caution. Have our developers been vetted?

Do they have the skills and training on cybersecurity? Do we have the tools we need to test our work correctly, and should we bring in a partner to help us? You have to ask the questions: will our efforts be convenient for the patients, or will it be convenient at a cost to the patients? One final thought: there are gonna be those who say, see, APIs are bad and we shouldn't be sharing a health record across digital means. To them,

ical attention and crashes in:

deaths in cars.:

Alright, that's all for today. If you know of someone that might benefit from our channel, please forward them a note. They can subscribe on our website, thisweekhealth.com, or wherever you listen to podcasts: Apple, Google, Overcast, Spotify, Stitcher. You get the picture. We are everywhere, or at least we're trying to be.

We wanna thank our channel sponsors who are investing in our mission to develop the next generation of health leaders: VMware, Hillrom, Starbridge Advisors, McAfee and Aruba Networks. Thanks for listening. That's all for now.
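Editor's note, added after the transcript and not part of the episode or of the Approov/Knight research: the "change one digit in the EHR and read another patient's record" finding the host describes is broken object-level authorization (BOLA). The example below shows what that defect looks like in a record-lookup handler beside a hardened version that checks care-team assignment per object and logs the denial, plus an authorization regression check a team can keep in its test suite. All patients, clinician accounts, function names and the `CARE_TEAM` table are constructed for illustration.

```python
"""Broken object-level authorization (BOLA): a vulnerable record lookup next
to a hardened one. Illustrative code; the data and names are constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: two patients and the clinician accounts assigned
# to each. In a real system this comes from the EHR's care-team assignments.
PATIENTS = {
    1001: {"name": "Patient A", "labs": ["HbA1c 6.1%"]},
    1002: {"name": "Patient B", "labs": ["CBC normal"]},
}
CARE_TEAM = {
    "dr_jones": {1001},
    "dr_patel": {1002},
}

AUDIT_LOG: list[dict] = []  # denied reads land here for the SOC to review


class Forbidden(Exception):
    """Raised when a request is rejected for authentication or authorization."""


@dataclass
class Session:
    user: str              # clinician account; assume the token was already verified
    authenticated: bool = True


def get_record_vulnerable(session: Session, record_id: int) -> Optional[dict]:
    """Checks WHO the caller is but not WHETHER they may see this object.
    Any valid clinician session can read any patient just by changing the id."""
    if not session.authenticated:
        raise Forbidden("not authenticated")
    return PATIENTS.get(record_id)


def get_record_hardened(session: Session, record_id: int) -> dict:
    """Object-level authorization: the caller must be on this patient's care team.
    Unknown and unauthorized ids get the same response, so the endpoint does not
    reveal which ids exist."""
    if not session.authenticated:
        raise Forbidden("not authenticated")
    allowed = CARE_TEAM.get(session.user, set())
    record = PATIENTS.get(record_id)
    if record_id not in allowed or record is None:
        AUDIT_LOG.append({"event": "record_read_denied",
                          "user": session.user, "record_id": record_id})
        raise Forbidden("not authorized for this record")
    return record


def unauthorized_reads(handler, session: Session, ids) -> list[int]:
    """Authorization regression check for a test suite: returns the ids the
    handler served to this session that lie outside its care-team assignment."""
    allowed = CARE_TEAM.get(session.user, set())
    leaked = []
    for record_id in ids:
        try:
            record = handler(session, record_id)
        except Forbidden:
            continue
        if record is not None and record_id not in allowed:
            leaked.append(record_id)
    return leaked


if __name__ == "__main__":
    jones = Session("dr_jones")
    print("vulnerable handler leaked:", unauthorized_reads(get_record_vulnerable, jones, PATIENTS))
    print("hardened handler leaked:  ", unauthorized_reads(get_record_hardened, jones, PATIENTS))
    print("audit entries written:    ", len(AUDIT_LOG))
```

The point of the check function is that it runs against the handler itself, so it catches a missing authorization step whether the ids are sequential integers or random ones; unguessable ids reduce the blast radius but are not a substitute for the per-object check.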
