Researcher warns hospitals of weakness in third party payment processor systems

Hospitals may have their own cybersecurity in order, but that does not mean the third-party companies many health systems rely on for payment processing and other necessary functions are equally committed to minimizing vulnerabilities and protecting patient information.

In a recent post on his own website, developer Randy Westergren details a close-to-home incident: he investigated a suspicious-looking link his wife received in an email following a hospital visit. After some digging, Mr. Westergren found the same link on the website of Newark, Del.-based Christiana Care Health System, where it directs patients to a portal used for electronic billing and paperwork.

While navigating the portal, Mr. Westergren examined its code and found a number of vulnerabilities that could be used to expose patient data. Essentially, by substituting another user's identifier, such as a login name, into the requests the portal sent, he could access that user's account without authorization.

Mr. Westergren reached out to BYL Companies, the third-party firm responsible for the hospital's payment processing, which assured him it had fixed the vulnerabilities he identified and maintained that it uses a web application firewall and works with a security company that regularly performs penetration testing.

"Of course, a web application firewall is great to have in place, but it won't protect you from mistakes in business logic or authorization," Mr. Westergren wrote. "Further concerning is the fact that they are already utilizing security firms, as worthless as they might be. Again, the vulnerabilities I reported above would have unequivocally been caught by even the most rudimentary pen test. After expressing further concerns, I later received a very generic response indicating that they had 'addressed' all of my concerns. I asked for more specific details but never received a response."
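The flaw described above, an account lookup that trusts a client-supplied identifier, and the reason a web application firewall does not stop it, can be seen in the following added example. This is constructed illustration code, not the portal's or BYL Companies' code; the account names, balances, parameter name `user` and the toy WAF rules are all invented for the example.

```python
"""Constructed example: an insecure direct object reference in a billing portal,
a hardened version of the same handler, and a signature-matching WAF that lets
the attack through because nothing in the request looks like an injection."""
import re
from dataclasses import dataclass

# Constructed sample data: two patients' billing accounts keyed by login name.
ACCOUNTS = {
    "alice": {"balance_due": 120.00, "statements": ["2023-11"]},
    "bob": {"balance_due": 45.50, "statements": ["2024-01"]},
}


@dataclass
class Request:
    session_user: str  # identity the server authenticated from the session cookie
    params: dict       # query-string parameters supplied by the client


# Toy WAF rule set: blocks classic SQL injection, XSS and path traversal signatures.
WAF_RULES = [re.compile(p, re.I) for p in
             (r"<script", r"'\s*or\s+1=1", r"union\s+select", r"\.\./")]


def waf_allows(req: Request) -> bool:
    """Return False if any parameter value matches a known-bad signature."""
    return not any(rule.search(value)
                   for value in req.params.values() for rule in WAF_RULES)


def vulnerable_account_view(req: Request) -> dict:
    """Vulnerable: the account shown is chosen by the client-supplied 'user'
    parameter, so any authenticated user can read any other account simply by
    changing that value. The WAF sees a plain login name and allows it."""
    if not waf_allows(req):
        return {"error": "blocked by WAF"}
    user = req.params.get("user", req.session_user)
    return ACCOUNTS.get(user, {"error": "no such account"})


def hardened_account_view(req: Request) -> dict:
    """Hardened: the account is bound to the authenticated session. A 'user'
    parameter that disagrees with the session is refused rather than honoured;
    a real application would also audit-log the attempt."""
    if not waf_allows(req):
        return {"error": "blocked by WAF"}
    requested = req.params.get("user")
    if requested is not None and requested != req.session_user:
        return {"error": "forbidden"}
    return ACCOUNTS[req.session_user]


if __name__ == "__main__":
    # bob is logged in but asks for alice's account (constructed attack request)
    attack = Request(session_user="bob", params={"user": "alice"})
    print("WAF allows:", waf_allows(attack))
    print("vulnerable:", vulnerable_account_view(attack))
    print("hardened:  ", hardened_account_view(attack))
```

The point of the pairing is that the attack request carries no signature a WAF could match: it is a well-formed request with an ordinary login name in it. Only the authorization check in `hardened_account_view`, which derives the account from the session rather than from the request, closes the hole.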

He also points out the tendency of such companies to create a false sense of security for users by displaying certification seals on their sites, seals that, for many such companies, likely come nowhere near addressing the privacy and information security of the organizations that work with them.

Read Mr. Westergren's full account here.


Copyright © 2024 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.
