
SAP mobile EMR was exposed to hacks


German software giant SAP recently fixed two potentially dangerous flaws in a mobile medical app that could have allowed malicious hackers to upload fake patient data, Computer World reports, a development that underscores the serious security issues at hand for healthcare, no matter the scale of the organization.

There is no indication the flaws were exploited before SAP fixed them, but even the potential exposure should signal that the most advanced players need to proceed with an abundance of caution, lest they open themselves up to a litany of legal woes.

The flaws were found in SAP’s mobile EMR, EMR Unwired, which handles clinical patient data such as lab results and images, Alexander Polyakov, CTO of Palo Alto-based ERPScan, told Computer World. ERPScan specializes in enterprise application security.

From Computer World’s Jeremy Kirk:

“Researchers with ERPScan found a local SQL injection flaw that could allow other applications on a mobile device to get access to an EMR Unwired database. That’s not supposed to happen, as mobile applications are usually sandboxed to prevent other applications from accessing their data.”

Such a flaw could have permitted an attacker to get malicious code onto the device, for instance as a rogue app, and from there reach the EMR database, Polyakov told Computer World.
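To make the flaw class concrete, the following is an added illustration and not SAP’s code: the details of EMR Unwired’s database and query layer were not published, so the schema, the patient records and the lookup functions below are assumed. It shows why a query that splices a caller-supplied value into SQL text lets any other app that can reach that interface read every row of an app-local SQLite store, and how the bound-parameter form of the same lookup resists the same input.

```python
import sqlite3

# Constructed sample data: a tiny stand-in for an app-local clinical
# database. The table layout and rows are illustrative, not SAP's schema.
SAMPLE_RECORDS = [
    ("P-1001", "Lab: HbA1c 8.9%"),
    ("P-1002", "Imaging: chest X-ray, no findings"),
    ("P-1003", "Lab: potassium 6.1 mmol/L"),
]


def build_db():
    """Create an in-memory SQLite database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (patient_id TEXT, note TEXT)")
    conn.executemany("INSERT INTO records VALUES (?, ?)", SAMPLE_RECORDS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, patient_id):
    """Local SQL injection: the value is pasted into the SQL text.

    On a phone, patient_id might arrive from another app through an
    exported component, so whoever controls that string controls the query.
    """
    sql = f"SELECT patient_id, note FROM records WHERE patient_id = '{patient_id}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, patient_id):
    """Same lookup with a bound parameter: input is data, never SQL."""
    sql = "SELECT patient_id, note FROM records WHERE patient_id = ?"
    return conn.execute(sql, (patient_id,)).fetchall()


# A classic tautology payload; the closing quote is supplied by the
# vulnerable query string itself, so the WHERE clause becomes always-true.
INJECTION = "' OR '1'='1"


if __name__ == "__main__":
    conn = build_db()
    print(lookup_vulnerable(conn, "P-1001"))   # the one intended row
    print(lookup_vulnerable(conn, INJECTION))  # every row in the table
    print(lookup_safe(conn, INJECTION))        # no such patient id: []
```

The hardened form is not the whole fix on a real device: the exported interface that accepts the value also needs to require a permission or be made non-exported, otherwise a correctly parameterised query still answers any app that asks.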

There was another issue that could have permitted a hacker to “tamper with a configuration file and then change medical records stored on the server,” Kirk noted.

“You can send fake information about the medical records, so you can imagine what can be done after that,” Polyakov said. “You can say, ‘This patient is not ill’.”

Both issues were fixed about a month ago, and yet another issue was fixed just last week that could have enabled someone to disrupt supply-chain reports from the field.

With hacks in healthcare seemingly a weekly routine, SAP’s potential issues show that even sophisticated companies have to tread carefully (though SAP should be credited for working quickly to fix the problems). It also highlights the notion that the push to convenience in healthcare, enabled by technology, brings with it an inherent level of risk.

Whether the industry and consumers are willing to tolerate that risk remains to be seen. There is a notion, particularly among large organizations, that getting hacked is the cost of doing business in the digital age, and that the legal ramifications and costs can be factored into big budgets (not suggesting that here, or toward any particular company). That does not account for the damage done to a brand with consumers, or with customers in the case of vendors. Nor does it work so well for smaller organizations that might not have millions in assets at the ready to deal with a lawsuit or increased scrutiny.

SAP’s potential woes come barely a week after Premera Blue Cross became the latest high-profile breach, which came barely a month after Anthem suffered the largest healthcare breach to date, affecting nearly 80 million members.
