Personal data, invoices and medical findings – data from tens of thousands of patients in German medical practices was largely unsecured, according to the hacker collective “Zerforschung”. The security problem existed at Doc Cirrus, a manufacturer of physician and practice software. The company has confirmed the vulnerability and states that it has since closed it.
The company’s “data safe” concept was actually intended to prevent major security leaks. Instead of storing data centrally on the Doc Cirrus servers or with a cloud provider, the company offered medical practices their own microservers. Doctors can process patient data directly on these computers, which are located in the practice itself, and also grant patients access to the documents relating to them via the Internet.
From e-mail accounts to laboratory results
This external access aroused the interest of the security researchers, who had already uncovered numerous security gaps in the German healthcare system in the past. According to the post by “Zerforschung”
On the one hand, they found the internal access data of the doctors’ practices via the central access portal of Doc Cirrus, so that potential attackers could access the doctors’ collected e-mails or write e-mails on their behalf. On the other hand, it was possible to access all documents stored on the respective practice server via a patient’s access link.
Like NDR and WDR
In a press release dated 10 July, the manufacturer had admitted the security problems and initially switched off the affected services. After the programming errors in the portal had been fixed, however, Doc Cirrus saw no further need for action. “Our analysis of logs and access patterns gives no reason to assume that, outside of the Responsible Disclosure process, practice or patient information was viewed or accessed by third parties,” writes the company.
The hackers praise the manufacturer’s quick response to their security alerts. They are disappointed, however, that the patients have evidently not been informed about the gaps and the associated risks.
They point out that potential attackers would also have had access to the servers’ log files, so a break-in could have been concealed. They are also asking the data protection officer to impose a severe fine on the company. “If a product is market-ready enough to store personal data, it must also be mature enough to keep it to itself,” judges “Zerforschung”.