Security Breach Highlights Need for Patient Portals to be Pen Tested
A range of safeguards must be implemented to ensure networks and EHRs are protected. Encryption should be considered to prevent the loss or theft of devices from exposing the ePHI of patients. However, it is important for healthcare organizations also check their patient portals for potential vulnerabilities and implement safeguards to prevent unauthorized disclosures of sensitive information.
The failure to implement appropriate safeguards on web-based applications can easily result in unauthorized disclosures of patients PHI, as was recently demonstrated at True Health Diagnostics.
The Frisco, TX-based healthcare services company offers testing for a wide range of diseases and genetic abnormalities, with test information available to patient via a web portal. The web portal allows patients to obtain their test results quickly. Patients are required to register and can only access their records if they first log in to the portal.
However, a flaw on the web portal allowed patients to access not only their own test results, but the test results and PHI of other patients. The website flaw was discovered by a Las Vegas IT consultant called Troy Mursch, who alerted Brian Krebs to the vulnerability last week.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Mursch discovered that after logging into the patient porta, he was able to access health records and medical test results of other patients. Mursch accessed his own test results, which were uploaded to the portal in PDF form but, by changing a digit in the URL, was able to view the medical information of other patients.
True Health Diagnostics used sequential numbers on their PDF files, which makes it easy for the URL to be altered and for other patients records to be viewed via a web browser. While the portal required users to be logged in to view test results, there appear to have been no controls in place to prevent a logged in user from accessing the records of other patients.
Krebs alerted True Health Diagnostics to the flaw and the web portal was immediately taken offline while the issue was resolved. The issue has now been fixed and the portal is now back online. An investigation has now been launched to determine whether any patient health information was accessed by unauthorized individuals. Should that be the case, patients will be notified.
In this case, the incident was identified and reported quickly, allowing rapid action to be taken to secure the records. However, Mursch noted that his test results from two years ago also appeared to have been numbered in the same manner, suggesting patient records could have been exposed for a number of years.
This incident should serve as a warning to covered entities that have implemented patient portals to ensure appropriate safeguards have been implemented to prevent unauthorized disclosures of PHI. Any web-based interface should be thoroughly checked, using penetration tests, to determine whether vulnerabilities exist. If a solution is purchased from a third party firm, a covered entity should determine the extent to which the system has been tested and should also consider verifying no vulnerabilities exist by conducting penetration tests.
OCR has taken action against covered entities in the past for the failure to secure PHI accessible via web-based interfaces, including a $1.7 million settlement with WellPoint and a $100,000 settlement with Phoenix Cardiac Surgery.
