Security gaps in health apps: data and identity theft were possible
Security researcher Martin Tschirsich has discovered a security gap and several implementation errors in various health apps from the provider Ärzte im Netz ("doctors online"). This emerges from a report by Die Zeit. According to the report, third parties were not only able to gain unauthorized access to various health data and doctor-patient chats; the doctors' identities were also at risk via a password reset function, had attackers succeeded in intercepting their e-mails. This function is currently being deactivated for all medical associations, Sean Monks, managing director of Monks Ärzte im Netz GmbH, told heise online. It is to be replaced by two-factor authentication shortly.
In the report, Tschirsich also criticizes the flawed implementation of end-to-end encryption (E2EE), which would have allowed attackers to send malware to the doctor's office via the apps. According to Monks, E2EE is to be active by default in the future; previously, physicians had to enable the option themselves.
The apps are a single product offered under different names. Affected were "My Pediatrician" with 700,000 users, "My GynPraxis" with more than 100,000 downloads and the app "My ENT Doctor" with more than 5,000 downloads in the Play Store. Insured persons can use the apps to arrange doctor's appointments or to communicate with doctors via video consultation or chat. The Bavarian Association of General Practitioners recently started offering the app to its members as "My GP's Practice".
Timely Response
One of the reasons for the security flaws was that "when we were developing locally, some code was commented out and accidentally left out before deployment," says Monks. The bug occurred in October 2022 and was fixed within 24 hours, according to Monks. According to the Federal Office for Information Security (BSI), the company "reacted promptly after receiving the vulnerability report. The cooperation with the company as part of the 'Coordinated Vulnerability Disclosure' process as well as the timely reaction and creation of a patch by the company" are to be assessed positively from the BSI's point of view.
According to the Zeit report, Tschirsich was previously able to access patient data simply by counting up from a patient ID, a common and easily avoidable vulnerability. In his view, the app was not developed very professionally. After checking the log files, however, Monks rules out that anyone besides Tschirsich gained unauthorized access to the data.
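As an added illustration (not code from the article, the researcher or the vendor), the following Python sketch shows the enumerable-ID pattern described above next to a hardened variant: records are reachable only through non-guessable identifiers, and every lookup checks that the requesting account owns the record. The store classes, account names and record contents are constructed for the example.

```python
"""Added example, not the vendor's code: sequential patient IDs without an
ownership check (the flaw the article describes) beside a hardened store."""
import secrets
from dataclasses import dataclass


@dataclass
class Record:
    owner: str  # account that is allowed to read this record
    data: str


class VulnerableStore:
    """Records are keyed by a sequential integer and returned to any caller
    who knows the key, so a logged-in user can simply count upwards."""

    def __init__(self):
        self._records = {}
        self._next_id = 1000  # constructed starting value

    def add(self, owner, data):
        rid = self._next_id
        self._next_id += 1
        self._records[rid] = Record(owner, data)
        return rid

    def fetch(self, requester, rid):
        # BUG: `requester` is ignored; existence of the ID is the only check.
        return self._records.get(rid)


class HardenedStore:
    """Random identifiers make guessing impractical, and the ownership check
    makes guessing useless even if an identifier leaks."""

    def __init__(self):
        self._records = {}

    def add(self, owner, data):
        rid = secrets.token_urlsafe(16)  # 128 bits of randomness, not enumerable
        self._records[rid] = Record(owner, data)
        return rid

    def fetch(self, requester, rid):
        rec = self._records.get(rid)
        if rec is None or rec.owner != requester:
            # Same answer for "no such record" and "not your record", so a
            # probe cannot even learn which IDs exist.
            return None
        return rec


def enumerate_leak(store, requester, start, count):
    """Mimic the researcher's check: count up from one ID and report how many
    records belonging to other accounts come back."""
    leaked = 0
    for rid in range(start, start + count):
        rec = store.fetch(requester, rid)
        if rec is not None and rec.owner != requester:
            leaked += 1
    return leaked


def demo():
    """Populate both stores with the same constructed accounts and probe them
    from a fourth account that owns exactly one record."""
    vuln, hard = VulnerableStore(), HardenedStore()
    for owner in ("alice", "bob", "carol"):
        vuln.add(owner, f"chat history of {owner}")
        hard.add(owner, f"chat history of {owner}")
    vuln.add("mallory", "own record")
    hard.add("mallory", "own record")
    return {
        "vulnerable_leaked": enumerate_leak(vuln, "mallory", 1000, 10),
        "hardened_leaked": enumerate_leak(hard, "mallory", 1000, 10),
    }


if __name__ == "__main__":
    print(demo())
```

The random identifier alone is not the fix: the ownership check in `fetch` is what closes the hole, and logging failed lookups per account is what would let an operator notice the counting pattern in the log files.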
No secure basic digital infrastructure
Tschirsich considers it more serious that the identities of new medical practices and patients are not checked. The reason for this is "well known", as he comments on the Zeit article on Twitter. There is a lack of "freely accessible and secure basic digital infrastructure for the digitization of the healthcare system. The lack of secure digital identities in particular has recently had a strong braking effect in the areas of contact tracing, vaccination appointments and the issuance of test, vaccination and recovery certificates," as the security researcher's statement to the Bundestag (PDF) from the summer of 2021 already noted.
Because of the missing digital identities, attackers could pose as patients of a practice or even as a practice. Monks emphasizes, however, that this has not been a problem so far: in addition to the usual registration data, an insurance number is required to sign up. He conceded that some of this data could be available on darknet or data-theft forums, for instance since the attack on the health insurance IT service provider Bitmarck in January 2023.
Although doctors usually communicate with patients they know, Monks' company is currently working on a new method for verifying the identities of the insured. Monks also considers it unlikely that criminals gained access to confidential patient data via fake accounts hidden among the hundreds of thousands of registered accounts, since doctors usually know their patients personally. Another critical vulnerability was that the security key was e-mailed to insured persons. Since an update of the apps on May 22, this is no longer possible; the app's key can only be stored locally on the smartphone.
Verification in doctor’s office planned
Monks is grateful for the security researcher's report. Together with the medical associations, he has decided on changes to confirm the identities of the insured. In the future, insured persons who download the app will be listed as "not verified" by default and can verify themselves only in the doctor's office, using a temporary QR code they receive there. Since practices are checked twice before they can use the app, having to state not only their membership of Ärzte im Netz but also their membership number from their professional association, he considers it impossible for third parties to pass themselves off as a practice unnoticed.
Unlike other providers such as Doctolib, Monks says he does not collect any data and has not attracted attention for selling it to third parties. His company is not investor-driven; 20 years ago, he simply wanted to offer doctors an internet platform.
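The planned flow can be modelled as a short-lived, single-use code that is bound to one patient account, issued from the practice's already-verified session and redeemed by the patient's app after scanning it. The Python sketch below is an added example and not the vendor's design: the HMAC-signed token format, the ten-minute lifetime, the field names and the account states are assumptions made for the illustration.

```python
"""Added example, not the vendor's code: accounts start as "not verified" and
are verified only by redeeming a temporary code handed over in the practice
(the string would be rendered as the QR code). Token format is an assumption."""
import base64
import hashlib
import hmac
import json
import secrets


class VerificationService:
    TAG_LEN = 32  # bytes in an HMAC-SHA256 tag

    def __init__(self, key=None, ttl_seconds=600):
        # Constructed key for the example; in production a managed secret.
        self._key = key or secrets.token_bytes(32)
        self._ttl = ttl_seconds          # assumed ten-minute validity
        self._accounts = {}              # account_id -> status string
        self._redeemed = set()           # nonces already used: codes are single-use

    def register(self, account_id):
        """A fresh app install is listed as "not verified" by default."""
        self._accounts[account_id] = "not verified"

    def status(self, account_id):
        return self._accounts.get(account_id)

    def issue(self, practice_id, account_id, now):
        """Called from the practice's authenticated session. Returns the text
        to encode in the QR code shown to the patient in the office."""
        payload = {"p": practice_id, "a": account_id,
                   "exp": now + self._ttl, "n": secrets.token_hex(8)}
        body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(self._key, body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(body + tag).decode()

    def redeem(self, code, account_id, now):
        """Called from the patient's app after scanning. The account becomes
        verified only if the code is authentic, unexpired, unused and bound to
        exactly this account; every failure is reported identically."""
        if account_id not in self._accounts:
            return False
        try:
            raw = base64.urlsafe_b64decode(code.encode())
        except (ValueError, TypeError):
            return False
        body, tag = raw[:-self.TAG_LEN], raw[-self.TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        # Check the tag before trusting anything inside the body.
        if len(tag) != self.TAG_LEN or not hmac.compare_digest(expected, tag):
            return False
        try:
            payload = json.loads(body)
        except ValueError:
            return False
        if payload.get("a") != account_id or now > payload.get("exp", -1):
            return False
        if payload.get("n") in self._redeemed:
            return False  # replayed code
        self._redeemed.add(payload["n"])
        self._accounts[account_id] = f"verified by {payload['p']}"
        return True


if __name__ == "__main__":
    svc = VerificationService()
    svc.register("acct-1")
    code = svc.issue("practice-42", "acct-1", now=1000)
    print(svc.redeem(code, "acct-1", now=1300), svc.status("acct-1"))
```

Binding the code to the account that will redeem it is what stops a code shown to one patient from verifying someone else's install, and the nonce set is what stops a photographed QR code from being redeemed twice; both are cheap server-side checks that the verifying practice never has to think about.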
(mack)