Health apps vulnerable to hacking through APIs

New research showing third-party apps integrating with electronic health record (EHR) systems are vulnerable to hacking comes as no surprise to a New Zealand cybersecurity specialist who says the local situation is likely “even worse”.

Cybersecurity company Approov had an analyst and ‘recovering hacker’ test three production application programming interfaces (APIs) that allow mobile apps to pull data from EHRs in the US.

With a single patient login account, the analyst was able to access more than 4 million patient and clinician records. More than half of the mobile apps tested also contained hardcoded API keys and tokens that would enable attackers to target the APIs. The APIs tested use the Fast Healthcare Interoperability Resources (FHIR) standard for healthcare data.
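The "one patient login, millions of records" finding is an object-level authorization failure: the API checks that the caller holds a valid token, but never checks that the record requested belongs to that caller. The snippet below is an added example, not code from the Approov report or from any EHR vendor, showing that pattern beside the check that closes it. The token shape (a `patient` launch-context claim and SMART on FHIR style scopes such as `patient/Observation.read`), the in-memory resource store and all ids are constructed for this illustration.

```python
"""Object-level authorization for patient-scoped FHIR resource reads.

Added example (not from the report or any vendor). Models a read of
Patient/{id} or Observation/{id} by a mobile app holding a patient's
access token, first as the vulnerable pattern and then hardened.
"""
from dataclasses import dataclass, field

# Constructed sample data: a tiny FHIR-like store. Observation.subject
# references its Patient, as in the real FHIR data model.
RESOURCES = {
    ("Patient", "p-001"): {"resourceType": "Patient", "id": "p-001", "name": "A. Example"},
    ("Patient", "p-002"): {"resourceType": "Patient", "id": "p-002", "name": "B. Example"},
    ("Observation", "o-100"): {"resourceType": "Observation", "id": "o-100",
                               "subject": {"reference": "Patient/p-001"}, "value": 5.4},
    ("Observation", "o-200"): {"resourceType": "Observation", "id": "o-200",
                               "subject": {"reference": "Patient/p-002"}, "value": 7.1},
}


@dataclass(frozen=True)
class Token:
    """Hypothetical decoded access token, i.e. the claims left after signature
    and expiry verification. 'patient' is the SMART launch-context patient id;
    'scopes' are SMART-style scopes such as 'patient/Observation.read'."""
    sub: str
    patient: str
    scopes: frozenset = field(default_factory=frozenset)


class Forbidden(Exception):
    """Raised when a read is refused."""


def read_vulnerable(token: Token, rtype: str, rid: str) -> dict:
    """The failing pattern: any authenticated caller may fetch any id.
    Authentication is checked; authorization to *this* object is not."""
    if token is None:
        raise Forbidden("no token")
    return RESOURCES[(rtype, rid)]


def owner_of(resource: dict) -> str:
    """Return the Patient id whose compartment the resource belongs to."""
    if resource["resourceType"] == "Patient":
        return resource["id"]
    ref = resource.get("subject", {}).get("reference", "")
    if not ref.startswith("Patient/"):
        raise Forbidden("resource is not in a patient compartment")
    return ref.split("/", 1)[1]


def read_hardened(token: Token, rtype: str, rid: str) -> dict:
    """Hardened read: the token must carry a read scope for the resource type,
    and the resource must sit in the token's own patient compartment. Unknown
    ids and other patients' ids are refused identically, so the endpoint does
    not become an oracle for which ids exist."""
    if token is None:
        raise Forbidden("no token")
    wanted = {f"patient/{rtype}.read", f"patient/{rtype}.*",
              "patient/*.read", "patient/*.*"}
    if not (token.scopes & wanted):
        raise Forbidden(f"scope does not permit reading {rtype}")
    resource = RESOURCES.get((rtype, rid))
    if resource is None or owner_of(resource) != token.patient:
        raise Forbidden("not found")
    return resource


def is_denied(reader, token: Token, rtype: str, rid: str) -> bool:
    """True if the given reader refuses the request."""
    try:
        reader(token, rtype, rid)
    except (Forbidden, KeyError):
        return True
    return False


if __name__ == "__main__":
    # Patient p-001's app token asks for another patient's record.
    tok = Token(sub="user-1", patient="p-001", scopes=frozenset({"patient/*.read"}))
    print("vulnerable denies cross-patient read:", is_denied(read_vulnerable, tok, "Patient", "p-002"))
    print("hardened denies cross-patient read:  ", is_denied(read_hardened, tok, "Patient", "p-002"))
```

The hardcoded API keys found in the apps matter for the same reason: a key shipped inside a mobile binary identifies the app at best, never the user, so it cannot substitute for the per-request compartment check on the server side.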

Faustin Roman, chief executive of local managed security provider Medical IT Advisors, says the FHIR standard is great but, like any other standard or policy, the key is how it is implemented and maintained.

Medical IT Advisors runs a penetration testing service, Pentest.NZ, and its experience suggests the situation in New Zealand is even worse than what the report shows for the US.

He says while Kiwi developers and providers are well intentioned, cybersecurity is often not their key priority when developing applications, as they tend to focus on ease of access and use.

“Too often security by design and privacy by design are afterthoughts when developing a product,” he says.

He believes this is mostly due to a lack of understanding of threats, an overall trusting culture and a relaxed regulatory environment.

“We have been testing applications and we are seeing time and again really basic controls that are failing the OWASP Top Ten and we have dealt with several incidents that could have been avoided if these basics were in place,” says Roman.

He says everyone has different reasons why they relax security controls, such as removing the need for multifactor authentication (MFA) because that extra step in the process is stopping busy clinicians from using an application.

“A typical example is MFA, which is a really strong security control, but doctors and patients are busy and not many people can be bothered with that extra step in the workflow, so we have to find the right balance,” he says.

“There’s a role for the Ministry of Health for regulation and standards adoption, but all other data custodians, suppliers, hosting providers, IT providers and even consumers need to take ownership and work together on this since cybersecurity is a shared responsibility.”

Chair of HL7 New Zealand Peter Jordan says the report was quite shocking and clearly highlighted security vulnerabilities that apply to any web API, rather than ones specific to FHIR-based APIs.

Jordan says FHIR is a well-tested health information exchange standard. There were no faults found with the FHIR standard or FHIR-based APIs in the electronic health record systems that were tested, showing the issue is about implementation.

“It calls attention to a systematic failure by integrators and aggregators and could happen with any API,” he says.

As New Zealand’s health sector moves towards building all web APIs with FHIR, the report is a “good wake-up call” to ensure APIs are implemented securely here.

“Ensuring security is a necessary prerequisite to advancing interoperability via FHIR APIs as there must be trust that the APIs are secure,” says Jordan.
