Researcher: Two India Hospitals Leaking Patient Information
Avinash Jain: Vulnerabilities Have Not Yet Been Fixed
Security vulnerabilities at two major private hospitals in India have led to the leaking of personal data on millions of patients, says security researcher Avinash Jain, lead infrastructure security engineer at Grofers, who says he’s not revealing the names of the hospitals because the leaks have not yet been fixed.
Previously, Jain has identified vulnerabilities in Indian government websites, including Indian Railway Catering and Tourism Corp.
Jain, who also works as a part-time bug bounty hunter, regularly checks government and other websites for vulnerabilities.
“I happened to test the user profile page in the first hospital and found a parameter that was linked to the user's details. And when I changed the ID to some other user's, I was able to fetch the other user's data,” Jain tells Information Security Media Group. “In the other hospital, there was a parameter where there was a SQL injection which allowed access to the database.”
Jain says that immediately after he identified the vulnerabilities, he tried to reach the two hospitals. “I mailed them multiple times, tried reaching out to the doctors, staff, co-founders,” he says. “I also took the help of Twitter by dropping them DMs, but couldn't get any reply from them. The only reason I do not want their names to be published is because the hospitals haven’t fixed the vulnerabilities yet. Any hacker with malicious intention can cause serious damage to the companies' reputation and their business by publicly leaking the data and directly impacting users' privacy and security.”
One of the hospitals is leaking a complete database that includes patient information as well as medical reports, Jain says. It has endpoints that are vulnerable to SQL injections, he notes. “The parameter in the endpoints of the website was vulnerable to SQL injection. This vulnerability allows an attacker to extract information from the public and secure schema,” Jain says.
The other hospital is exposing more limited data on patients, including name, address, age and email ID, Jain says. That’s the result of an insecure direct object reference, or IDOR, vulnerability: the profile endpoint looks up a record by a client-supplied ID without checking that the requesting user is entitled to it, so simply changing the ID in the request returns another user's data, he says.
“Since there was no rate limiting, authorization and firewall, any attacker can see all the user details by just running a script and get the details in no time,” Jain says.
Jain says SQL injection vulnerabilities can be addressed by using “prepared statements.” A prepared statement is compiled once with placeholders for the values, and user input is bound to those placeholders as data rather than spliced into the query text, so it cannot change the structure of the query. The compiled statement can then be executed repeatedly without being recompiled for every execution.
“Use prepared statements, parameterized queries or stored procedures whenever possible,” Jain recommends. “But don't forget that while stored procedures prevent some types of SQL injection attacks, they fail to protect against many others, so don't rely exclusively on their use for your security.”
The best way to address an IDOR vulnerability, Jain says, is with access control checks on the server side. “The user needs to be authorized for the requested information before the server provides it,” he says. Parameterizing the query alone does not fix this: a correctly bound ID still returns another patient's record unless the server also verifies that the authenticated user owns it.
Healthcare Sector Vulnerabilities
The healthcare industry across the globe is particularly vulnerable to security incidents. For example, numerous U.S. hospitals have been targeted with ransomware attacks.
A report from FortiGuard Labs, a security protection firm, found that in 2018, healthcare organizations saw an average of almost 32,000 intrusion attack attempts per day, compared to 14,300 per day in other sectors. Healthcare organizations on average spend only half as much on cybersecurity as those in other industries, FortiGuard reports.
India’s Ministry of Health and Family Welfare has introduced draft legislation titled the Digital Information Security in Healthcare Act. The act seeks to regulate the generation, collection, storage, transmission, access and use of all digital health data. It's not yet clear when Parliament will vote on the proposal.