Millions of patient records are left vulnerable on third-party health apps integrated into EHRs, The Verge reported Oct. 18.
For a study, researcher Alissa Knight checked for vulnerabilities in apps built using the Fast Healthcare Interoperability Resources standard.
Four things to know:
- The study found that EHRs were well-protected, but when patients gave permission for their data to be entered into a third-party app, it was easy for hackers to access.
- Ms. Knight said she was able to access more than 4 million patient and clinician records from more than 25,000 providers.
- John Moehrke, a member of the FHIR management group, said Ms. Knight didn't use advanced cybersecurity hacking. "She just used the basic stuff that your freshman year of cybersecurity would have stressed," The Verge reported.
- Unlike data housed by hospitals, once a health record enters a third-party app, it is not covered by HIPAA. The Federal Trade Commission said Sept. 15 that third-party apps have to notify patients of data breaches, but the FTC is unable to add privacy regulations for health apps.