In the last year, cyberattacks on hospitals have surged, putting a spotlight on the need to protect patients’ health data. But hackers don’t need to attack providers directly to get that valuable info. A new cybersecurity report shows it is remarkably easy for bad actors to steal it through third-party apps and data aggregators that tap into providers’ electronic health record systems.
Hacker and cybersecurity analyst Alissa Knight got access to more than 4 million patient and clinician records by exploiting vulnerabilities in data aggregators’ application programming interfaces, along with associated apps that track medications and share patient records — records that include demographics, lab results, medications, procedures, allergies, and more. Collectively, the tested tools can read and write data to the major EHR systems.