Another Healthcare Website Security Issue Revealed
Tandigm Health Reports Vulnerability in Physician Portal
In yet another sign that website security issues are far too common in the healthcare sector, Tandigm Health says a vulnerability on a physician portal potentially exposed the data of about 7,400 patients.
In a Nov. 23 notification statement, the West Conshohocken, Pa.-based coordinated healthcare company, which supports more than 1,100 primary care and specialty physicians, says it discovered on Sept. 25 a potential vulnerability in one of its websites.
A Tandigm spokesman tells Information Security Media Group that the vulnerability was in a portal that primary care physicians use to access their patients' data through a password-protected web interface.
"For security reasons, we cannot share the nature of the vulnerability," the spokesman says. "We can confirm that it has been remediated."
So far, there is no evidence that any information was subject to unauthorized access or misuse, he contends.
In its notification statement, the company says that upon discovering the vulnerability, it launched an investigation with a forensics firm to confirm whether the problem could enable someone to potentially bypass security safeguards, and, if so, what information may have been affected.
The investigation determined that information was potentially accessible April 24 to Dec. 31, 2017, the notification says. Potentially exposed information included patients' names, dates of birth, medical information and health insurance information.
To help prevent similar incidents, Tandigm says it's implemented "additional security for its internet-based platforms, provided additional and ongoing staff data security training, reviewed existing security and privacy policies, and enhanced the security protections already in place."
Tandigm is offering patients whose data was potentially exposed two years of credit monitoring at no charge.
Need for Testing
While Tandigm did not reveal specific details involving the web portal vulnerability, "the real question ought to be what level of due diligence and testing of its websites did Tandigm perform when standing them up and subsequently as they were operating over time," says Mac McMillan, president of security consulting firm CynergisTek.
"Any website by definition is subject to attackers and should be thoroughly tested, retested and monitored throughout its operating life."
Website security incidents, such as breaches involving patient data being inadvertently exposed on the internet, appear to be an ongoing problem among healthcare sector organizations.
For instance, in September health insurer Independence Blue Cross of Pennsylvania revealed a breach impacting more than 16,700 individuals, involving a file containing member information that was inadvertently uploaded to a public-facing website by an employee (see: Health Data Breach Tally Shows Mistakes that Lead to Trouble).
In June 2017, the University of Iowa Hospitals and Clinics reported to the Department of Health and Human Services the discovery of a breach involving health data that was accidentally exposed on an application development website for about two years.
In that incident, protected health information of approximately 5,300 patients was inadvertently saved in unencrypted files that were posted online on the application development site.
In a few cases involving patient data being exposed on the web, regulators have taken enforcement action.
In 2016, HHS' Office for Civil Rights smacked California-based St. Joseph Health System with a $2.1 million penalty after investigating a 2012 breach that left PHI of nearly 32,000 individuals exposed to internet searches for more than a year.
And in 2012, OCR signed a $100,000 HIPAA settlement and corrective action plan with a small Arizona-based medical practice, Phoenix Cardiac Surgery, that had clinical and surgical appointments for its patients on an internet-based calendar that was publicly accessible.
Why So Common?
So, why are website security incidents so common in healthcare?
"Because all too often [websites] don't receive the attention they deserve or someone is trying to make them easier for the user to navigate and compromising on security," McMillan contends. "Convenience usually does not fit well with security."
To help avoid these issues, he suggests entities refer to web application and website security guidelines from standards organizations such as the Open Web Application Security Project and the National Institute of Standards and Technology.