A doctor in patient contact: The data found on the practice servers was potentially explosive
Photo: wutwhanfoto / iStockphoto / Getty Images
Personal data, invoices and findings – data from tens of thousands of patients in German medical practices was largely unsecured, according to the hacker collective “Zerforschung”.
The security problem existed at Doc Cirrus, a manufacturer of physician and practice management software.
The company has confirmed the vulnerability and says it has since closed it.
The company's "data safe" concept was actually intended to prevent major security leaks.
Instead of storing data centrally on the Doc Cirrus servers or with a cloud provider, the company offered medical practices their own microservers.
Doctors can process patient data directly on these computers, which are located in the practice itself, and also grant patients access to the documents relating to them via the Internet.
From email accounts to lab results
This external access aroused the interest of security researchers, who had already uncovered numerous security gaps in the German healthcare system in the past.
In the course of their research, they noticed a number of serious problems.
On the one hand, they found the internal login credentials of the medical practices via Doc Cirrus's central access portal, so that potential attackers could read the e-mails collected for the doctors or send e-mails in their name.
Secondly, a patient's access link could be used to access all documents stored on the respective practice server, not only the documents relating to that patient.
As reported by NDR and WDR, the responsible Berlin data protection officer assumes that 270 medical practices and more than 60,000 patients were affected.
Among other things, diagnoses, laboratory values and sick notes could be retrieved from these servers; according to “Zerforschung”, personal data such as postal and e-mail addresses were also found.
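The second flaw described above is a missing ownership check: the link proved that the caller held a valid patient link, but the server then served any document id. The following added example (not Doc Cirrus code; the data model, class and function names are hypothetical and the records are constructed) puts the flawed lookup next to a hardened one that binds each link to one patient, expires it, compares tokens in constant time and returns the same error for "unknown id" and "someone else's record".

```python
# Added example (not Doc Cirrus code): binding a patient access link to one patient's
# records so that a valid link cannot be used to read other patients' documents.
# The data model, class and function names are hypothetical.
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Document:
    doc_id: str
    patient_id: str   # owner of the record
    kind: str         # e.g. "lab_result", "sick_note"
    body: str


@dataclass
class AccessLink:
    patient_id: str       # the link is issued for exactly one patient
    expires_at: datetime


class PracticeServer:
    """In-memory stand-in for a practice's document store plus the patient-portal lookups."""

    def __init__(self) -> None:
        self.documents: dict[str, Document] = {}
        self.links: dict[str, AccessLink] = {}

    def add_document(self, doc: Document) -> None:
        self.documents[doc.doc_id] = doc

    def issue_link(self, patient_id: str, ttl_hours: int = 72) -> str:
        # 256-bit random token; the patient id is never encoded in the URL itself
        token = secrets.token_urlsafe(32)
        self.links[token] = AccessLink(patient_id, datetime.now(timezone.utc) + timedelta(hours=ttl_hours))
        return token

    def _resolve_link(self, token: str) -> AccessLink | None:
        # Constant-time comparison so response timing does not leak token prefixes
        for stored, link in self.links.items():
            if hmac.compare_digest(stored, token) and datetime.now(timezone.utc) < link.expires_at:
                return link
        return None

    def fetch_document_insecure(self, token: str, doc_id: str) -> Document:
        """Flawed pattern: authenticates the link, then serves any document id (broken object-level authorization)."""
        if self._resolve_link(token) is None:
            raise PermissionError("invalid or expired link")
        return self.documents[doc_id]

    def fetch_document(self, token: str, doc_id: str) -> Document:
        """Hardened: the document must belong to the patient the link was issued for."""
        link = self._resolve_link(token)
        if link is None:
            raise PermissionError("invalid or expired link")
        doc = self.documents.get(doc_id)
        # Same error for "unknown id" and "someone else's record", so the response
        # does not confirm which document ids exist
        if doc is None or doc.patient_id != link.patient_id:
            raise PermissionError("no such document for this link")
        return doc

    def list_documents(self, token: str) -> list[Document]:
        link = self._resolve_link(token)
        if link is None:
            raise PermissionError("invalid or expired link")
        return [d for d in self.documents.values() if d.patient_id == link.patient_id]


def is_denied(srv: PracticeServer, token: str, doc_id: str) -> bool:
    """True if the hardened handler refuses this token/document pair."""
    try:
        srv.fetch_document(token, doc_id)
    except PermissionError:
        return True
    return False


def build_sample_server() -> PracticeServer:
    """Constructed sample data: two patients, two records each."""
    srv = PracticeServer()
    srv.add_document(Document("D-1", "P-001", "lab_result", "HbA1c 5.4 %"))
    srv.add_document(Document("D-2", "P-001", "sick_note", "unfit for work 3 days"))
    srv.add_document(Document("D-3", "P-002", "lab_result", "CRP 12 mg/l"))
    srv.add_document(Document("D-4", "P-002", "diagnosis", "J06.9"))
    return srv


if __name__ == "__main__":
    srv = build_sample_server()
    token = srv.issue_link("P-001")
    print("insecure handler leaks another patient's record:", srv.fetch_document_insecure(token, "D-3"))
    print("hardened handler serves own record:", srv.fetch_document(token, "D-1"))
    print("hardened handler refuses other patient's record:", is_denied(srv, token, "D-3"))
```

The detection side of the same flaw is cheap to add: a portal that logs the link's patient id next to the requested document's owner will show the mismatch on every successful cross-patient read, which is exactly the signal the hardened handler turns into a refusal.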
In a press release dated July 11, the manufacturer acknowledged security problems and initially shut down the affected services.
However, after the programming errors in the portal had been closed, Doc Cirrus saw no further need for action.
“Our analysis of logs and access patterns gives no reason to assume that outside of the Responsible Disclosure process, practice or patient information was viewed or accessed by third parties,” writes the company.
Although the hackers praise the manufacturer's quick response to their security report, they are disappointed that patients have apparently not been informed of the gaps and the associated risks.
They point out that potential attackers also had access to the server log files, so that a break-in could have been covered up.
They are also asking the data protection officer to impose a severe fine on the company.
"If a product is market-ready enough to store personal data, it must also be mature enough to keep it to itself," judges "Zerforschung".
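The point about log files above is why "our logs show nothing" is weak evidence when the logs lived on the same server an intruder could reach. The following added example (not Doc Cirrus code; function names and the sample entries are constructed) shows the usual mitigation: a hash-chained audit log whose latest hash is copied to a separate system. A log rebuilt without some entries still verifies on its own, but no longer matches the off-host anchor.

```python
# Added example (not Doc Cirrus code): a hash-chained audit log whose latest hash is
# copied off-host, so that edits to the log on the practice server itself are detectable.
# Function names and the sample entries are constructed for this illustration.
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor before the first entry


def entry_hash(prev_hash: str, ts: str, message: str) -> str:
    # Canonical JSON so the same fields always hash identically
    payload = json.dumps({"prev": prev_hash, "ts": ts, "msg": message},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def append_entry(log: list, ts: str, message: str) -> str:
    """Append one entry linked to its predecessor; returns the new chain head."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"prev": prev, "ts": ts, "msg": message,
                "hash": entry_hash(prev, ts, message)})
    return log[-1]["hash"]


def verify_chain(log: list) -> bool:
    """Internal consistency only: every entry links to its predecessor and its hash matches."""
    prev = GENESIS
    for e in log:
        if e["prev"] != prev or entry_hash(e["prev"], e["ts"], e["msg"]) != e["hash"]:
            return False
        prev = e["hash"]
    return True


def verify_against_anchor(log: list, anchor: str) -> bool:
    """Consistency plus agreement with the chain head held on a separate system."""
    if not log or not verify_chain(log):
        return False
    return hmac.compare_digest(log[-1]["hash"], anchor)


def build_log(entries) -> list:
    log: list = []
    for ts, msg in entries:
        append_entry(log, ts, msg)
    return log


SAMPLE_ENTRIES = [  # constructed sample access log
    ("2022-07-01T08:00:00Z", "login ok user=praxis-admin"),
    ("2022-07-01T08:02:11Z", "document read patient=P-001 doc=D-1"),
    ("2022-07-01T08:03:40Z", "document read patient=P-002 doc=D-3"),
    ("2022-07-01T08:04:02Z", "document read patient=P-002 doc=D-4"),
]


def demo() -> dict:
    log = build_log(SAMPLE_ENTRIES)
    anchor = log[-1]["hash"]   # this value is what gets shipped to the off-host collector
    # Scenario: the file on the server is rewritten without the last two entries.
    # Rebuilding the chain makes it internally consistent again, but the head differs.
    rewritten = build_log(SAMPLE_ENTRIES[:2])
    # Scenario: an entry is edited in place without recomputing the chain.
    edited = build_log(SAMPLE_ENTRIES)
    edited[2]["msg"] = "document read patient=P-001 doc=D-1"
    return {
        "original_matches_anchor": verify_against_anchor(log, anchor),
        "rewritten_is_consistent": verify_chain(rewritten),
        "rewritten_matches_anchor": verify_against_anchor(rewritten, anchor),
        "edited_is_consistent": verify_chain(edited),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In practice the anchor is forwarded continuously (syslog over TLS to a collector the practice server cannot write to, or a write-once store), and the collector keeps every head it has seen, so that truncation at any earlier point is also caught rather than only the final head.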