
Doc Cirrus: Tens of thousands of patient data were freely available on the internet


The hacker collective "Zerforschung" has found serious security gaps in a medical practice software product. The manufacturer admits the problems, but patients were probably not informed.


A doctor in patient contact: The data found on the practice servers was potentially explosive

Photo: wutwhanfoto / iStockphoto / Getty Images

Personal data, invoices and findings – data from tens of thousands of patients in German medical practices was largely unsecured, according to the hacker collective “Zerforschung”.

The security problem existed at Doc Cirrus, a manufacturer of software for doctors and medical practices.

The company has confirmed the vulnerability and says it has since closed it.

The company's "data safe" concept was actually intended to prevent major security leaks.

Instead of storing data centrally on the Doc Cirrus servers or with a cloud provider, the company offered medical practices their own microservers.

Doctors can process patient data directly on these computers, which are located in the practice itself, and also grant patients access to the documents relating to them via the Internet.

From email accounts to lab results

This external access aroused the interest of security researchers, who had already uncovered numerous security gaps in the German healthcare system in the past.

According to their research, they noticed a number of serious problems.

First, via Doc Cirrus's central access portal they found the medical practices' internal access credentials, so that potential attackers could read the doctors' collected emails or send emails on their behalf.

Second, it was possible to use a patient's access link to reach all documents stored on the respective practice server, not just that patient's own.

As reported by NDR and WDR, the responsible Berlin data protection officer assumes that 270 medical practices and more than 60,000 patients were affected.

From these servers, diagnoses, laboratory values and sick notes, among other things, could be retrieved; according to “Zerforschung”, personal data such as postal and e-mail addresses could also be found.

Punishment demanded

In a press release dated July 11, the manufacturer acknowledged security problems and initially shut down the affected services.

However, once the programming errors in the portal had been fixed, Doc Cirrus saw no further need for action.

“Our analysis of logs and access patterns gives no reason to assume that outside of the Responsible Disclosure process, practice or patient information was viewed or accessed by third parties,” writes the company.

Although the hackers praise the manufacturer's quick response to their security report, they are disappointed that the patients have apparently not been informed of the gaps and the associated risks.

They point out that potential attackers also had access to the server log files, so a break-in could have been concealed by editing the logs.
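The two weakness classes the article describes, a patient's access link that reaches every document on the practice server and server-side logs an intruder could read or rewrite, can be shown in toy form. The following is an added example written for this page; it is not Doc Cirrus's software and not taken from Zerforschung's report. The document store, the access tokens, the key, the log format and every name in it are constructed. It places a hardened per-patient ownership check beside the insecure shape, and pairs it with a keyed, hash-chained audit log whose verification is done by a party holding the key rather than by the server that writes the log.

```python
"""Added example (hypothetical; not Doc Cirrus's code and not from Zerforschung's
report). Models two weakness classes from the article: a patient access link that
must only reach that patient's documents, and server logs an intruder could edit.
All names, tokens, keys and documents below are constructed."""
import hashlib
import hmac
import json

# Constructed sample store: document id -> owner patient id and title.
DOCUMENTS = {
    "doc-1": {"patient": "p-100", "title": "Lab results (constructed)"},
    "doc-2": {"patient": "p-100", "title": "Sick note (constructed)"},
    "doc-3": {"patient": "p-200", "title": "Diagnosis letter (constructed)"},
}

# Constructed access links: the token inside a patient's link -> patient id.
TOKENS = {"tok-alice": "p-100", "tok-bob": "p-200"}


def fetch_document_insecure(token, doc_id):
    """The 'before' shape: the link is checked, the requested document id is not."""
    if token not in TOKENS:
        raise PermissionError("unknown access link")
    return DOCUMENTS[doc_id]  # any valid link can reach any document


def fetch_document(token, doc_id):
    """Hardened: the document must be owned by the patient the link was issued to."""
    patient = TOKENS.get(token)
    if patient is None:
        raise PermissionError("unknown access link")
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["patient"] != patient:
        # One error for "does not exist" and "not yours": no enumeration oracle.
        raise PermissionError("document not available")
    return doc


def link_can_reach(fetch, token, doc_id):
    """True if `fetch` hands the document out for this link (helper for checks)."""
    try:
        fetch(token, doc_id)
        return True
    except (PermissionError, KeyError):
        return False


class AuditLog:
    """Keyed, hash-chained audit log. Each entry's MAC covers the previous
    entry's MAC, so editing, deleting or reordering entries on the server is
    detectable by whoever holds the key, e.g. a log collector the web server
    can append to but never rewrite (constructed key in this example)."""

    GENESIS = "0" * 64

    def __init__(self, key: bytes):
        self.key = key
        self.entries = []
        self.last_mac = self.GENESIS

    def record(self, event: dict):
        payload = json.dumps(event, sort_keys=True)
        mac = hmac.new(self.key, (self.last_mac + payload).encode(),
                       hashlib.sha256).hexdigest()
        self.entries.append({"event": event, "prev": self.last_mac, "mac": mac})
        self.last_mac = mac
        return mac  # the collector keeps this so tail truncation is detectable


def verify_chain(entries, key: bytes, expected_last=None):
    """Return the index of the first bad entry, len(entries) if the chain is
    intact but ends before `expected_last` (tail truncated), or None if intact."""
    prev = AuditLog.GENESIS
    for i, e in enumerate(entries):
        payload = json.dumps(e["event"], sort_keys=True)
        expected = hmac.new(key, (prev + payload).encode(), hashlib.sha256).hexdigest()
        if e["prev"] != prev or not hmac.compare_digest(e["mac"], expected):
            return i
        prev = e["mac"]
    if expected_last is not None and prev != expected_last:
        return len(entries)
    return None


def demo():
    """Run the access checks, log them, then show that edits to the log are caught."""
    log = AuditLog(key=b"constructed-demo-key")
    last = AuditLog.GENESIS
    for token, doc_id in [("tok-alice", "doc-1"), ("tok-alice", "doc-3"), ("tok-bob", "doc-3")]:
        allowed = link_can_reach(fetch_document, token, doc_id)
        last = log.record({"token": token, "doc": doc_id, "allowed": allowed})
    intact = verify_chain(log.entries, log.key, expected_last=last)

    # Someone who can write the log file edits the denied access into an allowed one.
    tampered = json.loads(json.dumps(log.entries))
    tampered[1]["event"]["allowed"] = True
    edited = verify_chain(tampered, log.key, expected_last=last)

    # ...or drops the most recent entry; only the collector's stored MAC reveals this.
    truncated = verify_chain(log.entries[:-1], log.key, expected_last=last)
    return {"intact": intact, "edited_at": edited, "truncated_at": truncated}
```

The ownership check returns the same error for a missing document and for someone else's document, so a link holder learns nothing about which ids exist. The chain alone cannot detect removal of the newest entries, which is why `record` hands back the latest MAC for a separate collector to store; without that out-of-band anchor, an intruder with write access to the log file could still silently drop the tail.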

They are also asking the data protection officer to impose a severe fine on the company.

"If a product is market-ready enough to store personal data, it must also be mature enough to keep it to itself," judges "Zerforschung".


Source: spiegel

All tech articles on 2022-08-11
