Security vulnerabilities in applications used by clinics. The data of millions of Poles were exposed

Applications used by thousands of pharmacies, clinics and medical offices contained a security hole through which cybercriminals could gain access to patient data, Jakub Staśkiewicz revealed. The author of the OpenSecurity.pl blog estimated that if the problem had not been resolved, today we could be reading “about sensitive data of millions of Poles circulating on the dark web.”

The case was revealed by Jakub Staśkiewicz, author of the blog. An anonymous reader also contributed to publicizing it and reported security gaps in office software. Staśkiewicz decided to look into the problem and confirmed that it occurs in applications used by pharmacies, medical offices and clinics, a total of several thousand medical entities. According to the anonymous whistleblower who drew attention to the case, unauthorized persons could thus gain access to the data of up to 10 million Polish patients.

Vulnerability in applications used by medical offices. Data of millions of patients were exposed

The applications where the problem was detected are used to handle patient visits. Personal and contact details, as well as medical records, were at risk of theft. Moreover, the security flaw could allow cybercriminals to gain access to the e-WUŚ system. In this way, unauthorized persons could, among other things, issue sick leaves, referrals for tests or reimbursed prescriptions.

“The problem, in a nutshell, was that the databases of these applications are available on the Internet, and access to them is always done using the same (but different for each manufacturer) credentials embedded in the code. This vulnerability is called ‘hard-coded credentials’ and in the MITRE matrix it was assigned the identifier CWE-798,” explains Staśkiewicz. Unauthorized persons could gain access to data using default passwords. In some cases, users learned about them at the application installation stage. In others, they were available in the installer file.
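
A release-pipeline check for the CWE-798 pattern described above, as an added example that is not from the article or from any of the named vendors: it scans files destined for an installer and fails the build when a credential is a literal rather than a per-installation placeholder. The file names, file contents, host name and regular expressions are constructed assumptions.

```python
import re
import sys

# Constructed sample: files a vendor might bundle into an installer.
SAMPLE_FILES = {
    "app.config": (
        '<add name="Main" connectionString="Server=db.example.invalid;'
        'Database=clinic;User Id=app_user;Password=Vendor123!;" />\n'
    ),
    "db.ini": "host=db.example.invalid\nuser=app_user\npassword=${DB_PASSWORD}\n",
    "Settings.cs": 'private const string DbPass = "s3cret-shared";\n',
    "readme.txt": "Set the password during installation.\n",
}

# key=value credentials, as in connection strings and ini files.
KV = re.compile(r'(?i)\b(password|passwd|pwd)\s*[=:]\s*([^;\s"\'<>]+)')
# String literals assigned to credential-like identifiers in source code.
LIT = re.compile(r'(?i)\b(\w*(?:pass|pwd|secret)\w*)\s*=\s*"([^"]+)"')
# Values resolved per installation (env var, template) are not literals.
PLACEHOLDER = re.compile(r'^(\$\{\w+\}|%\w+%|\{\{.*\}\})$')


def find_hardcoded_credentials(files):
    """Return (filename, line_no, key) for each line with a literal credential.

    Only the first credential-like assignment on a line is examined, and the
    secret value itself is never returned, so reports are safe to log.
    """
    findings = []
    for name, text in sorted(files.items()):
        for line_no, line in enumerate(text.splitlines(), 1):
            match = KV.search(line) or LIT.search(line)
            if match and not PLACEHOLDER.match(match.group(2)):
                findings.append((name, line_no, match.group(1)))
    return findings


if __name__ == "__main__":
    results = find_hardcoded_credentials(SAMPLE_FILES)
    for name, line_no, key in results:
        print(f"{name}:{line_no}: literal value for '{key}'")
    # Non-zero exit fails the release job when any literal credential ships.
    sys.exit(1 if results else 0)
```

The check only catches plain-text literals; a password that is merely obfuscated in the binary is still the same shared credential for every installation.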

“We were threatened with an earthquake”

Staśkiewicz determined that the targeted applications were drEryk, mMedica Asseco, EuroSoft Przychodnia and SimpleCare. The case was reported to CERT Polska – a team responding to network security breaches. The problems were corrected before the article was published on OpenSecurity.pl. Staśkiewicz estimates that the disclosure of the case by an engaged reader “saved us from an earthquake.” “Today we would probably read not about patched vulnerabilities, but about sensitive data of millions of Poles circulating on the dark web,” he adds.

Source: Gazeta
