Bengaluru: A cybersecurity flaw on the website of a well-known hospital chain in Bengaluru put confidential patient data at risk of exploitation by cybercriminals, according to a complaint filed with the Indian Computer Emergency Response Team (CERT-In).
On August 12, CERT-In registered the complaint after Sourajeet Majumder, a cybersecurity researcher, flagged the vulnerability in a sub-domain of the Sagar Hospitals website. Separately, the National Critical Information Infrastructure Protection Centre (NCIIPC) acknowledged the issue in an August 9 communication with Majumder and promised a resolution.
DH has reviewed the emailed responses from the two agencies.
The vulnerability could have given hackers access to diagnosis reports, containing patients’ confidential information, including name, phone number, age, gender, Unique Health Identifier (UHID), bed and ward number and detailed test results. Even confidential reports of minors and senior citizens were at risk.
The vulnerability existed in an extension to the hospital’s official website. Majumder detected it after scanning the QR code in the physical lab report of a friend admitted to the hospital’s Jayanagar branch.
When scanned, the QR code would direct the patient to a section of the hospital website from where soft copies of lab reports could be downloaded without OTP or other verification.
According to Majumder, hundreds of patient reports were at risk of potential misuse.
With branches in Jayanagar and Kumaraswamy Layout, Sagar Hospitals is accredited by the National Accreditation Board for Hospitals and Healthcare Providers (NABH) and the National Accreditation Board for Testing and Calibration Laboratories (NABL), according to its website.
What’s the vulnerability?
According to Majumder, the vulnerability is called Insecure Direct Object Reference (IDOR).
“It is a type of access control vulnerability that occurs when an application provides direct access to objects (such as files, database records, etc) based on user-supplied input, without sufficient validation or access control checks,” he told DH. “This vulnerability can allow an attacker to gain unauthorised access to objects or data.”
Using this vulnerability, a hacker could have downloaded unmasked soft copies of lab reports. After DH contacted the hospital on August 14, it disabled access to the sub-domain.
Implications
For a layperson, the vulnerability may seem technical but not for hackers, who, according to Majumder, can use tools to discover sub-domains associated with the primary website and exploit them.
“Sometimes patients share their lab reports on social media or public forums, not realising the risks,” he said, recommending that hospitals introduce two-factor authentication (password and OTP verification) to safeguard the data.
What hospital says
“We have connect (sic) with our legal team and they will internally investigate the whole thing and will get back to you,” said Jaba M Roy, general manager (branding, media and communication), Sagar Hospitals.