NHS Breach, HSE Bug Expose Healthcare Data in the British Isles

Published: 23/11/2024   Category: security




Whoopsies in Ireland and Scotland speak to a tenuousness of cyber protections for sensitive private healthcare data.



This week, a division of the National Health Service (NHS) Scotland was struck by a cyberattack, potentially disrupting services and exposing patient and employee data. Meanwhile, a researcher disclosed a Salesforce configuration error that exposed millions of Irish citizens' COVID vaccination data from that country's Health Service Executive (HSE).
The two incidents, separated by a quick hop over the Irish Sea, speak to the ongoing challenges healthcare organizations face in protecting patients' most sensitive personal identifiable information (PII) and personal health information (PHI).
During the onset of COVID's Omicron variant in December 2021, Aaron Costello, principal SaaS security engineer at AppOmni, discovered a severe misconfiguration in the Salesforce-based online vaccination portal for Ireland's HSE.
In a blog post published on March 14, he explained how an oversight allowed regular, low-level accounts belonging to HSE patients unprecedented access to the part of the system responsible for storing information about vaccine administration.
The exposed object in question included full names of patients and all information relating to their jabs: the brand of vaccine, date, location, and site at which it was administered, and any reasons they accepted or refused it.
Documents belonging to staff members, and information related to internal IT issues and processes, were also exposed.
"For Salesforce administrators and security practitioners on SaaS platforms, there was a lack of understanding of the implications of misconfigured permissions," Costello tells Dark Reading. "They weren't acutely aware that these things are possible — that a low-privileged user could be pulling this data."
In the time since, Salesforce has gradually implemented a number of positive changes for preventing this kind of error and mitigating the consequences that might occur from it. A built-in health scanner attempts to uncover such vulnerabilities in customers' environments, and more robust logging allows administrators to better analyze the activity of users, especially when they're interacting with potentially sensitive APIs. Also, new policies and configurations attempt to conceal sensitive information, even in cases where they're exposed by misconfigurations.
"So not only have they improved the post-breach process of log analysis, they've also introduced ways in which administrators can easily detect these issues with the health scanner, and also reduce the extent of exposures by reducing the scope of the data that becomes available in certain scenarios," Costello says.
However, he warns, "There are a lot of organizations still misconfiguring these kinds of access controls to this very day. I still think there is a knowledge gap in the industry, and part of the issue is: Who's responsible for the security of SaaS platforms? Is it the platform administrators? Do you pull in your security team when these things are being deployed to do an audit?"
Also this week, NHS Dumfries and Galloway published an alert revealing that it is experiencing a "focused and ongoing cyberattack."
Dumfries and Galloway is the southernmost council area of Scotland, with a population of approximately 150,000.
As a result of the breach, it warned, some services may experience disruption, and the attackers may have obtained a significant quantity of data belonging to patients and staff. More specific details about the cause, nature, and consequences of the breach are yet to be publicized.
"Whether it's a breach in Scotland or an overlooked system misconfiguration in Ireland," Costello says, "I think it all comes back to budget and funding. And the result of that is, firstly, understaffing for cybersecurity positions within these organizations. That is a massive, massive problem.
"We cannot point the finger solely at the employees of these organizations when they're working under a very restricted budget and a very restricted headcount. They're doing their best with the resources they have available to them."
