When weak web security can expose medical records

What happens when a networked system to view and manage medical records has critical weaknesses.

With recent reporting showing the ineffectiveness of breach disclosure laws on the rate and scope of data losses, what sort of teeth will HIPAA and similar laws have when electronic health records are compromised in similar numbers and scope.

One of the biggest concerns for the Information Security professional is the introduction and spread of online health records management and storage. One of the first major projects to enter this field in an effort to tie together existing systems and provide a means for consumers to access their records was Microsoft's HealthVault, released in late 2007. Not to be outdone, Google's own offering, Google Health was released earlier this year, though both programs are marked as 'Beta' (which should be enough to pause and think about entrusting sensitive medical data to).

Ignoring for a minute the difficulties of adequately storing and securing sensitive online medical records, the biggest immediate threat is weakness in the systems used to connect to and manage these records. One such threat was recently discovered and disclosed by Ronald van den Heetkamp, after the service provider concerned, Kryptiq, dismissed the vulnerability reporting sent through by van den Heetkamp. The vulnerability information disclosed so far points to a handful of SQL injection opportunities on the Kryptiq Web site and a problem that will be of more concern for Microsoft's HealthVault.

While the Kryptiq site doesn't explicitly explain that a number of its services are built on using the Internet as the network to shift and manage data, instead calling it "a powerful, secure set of communication tools based on familiar technologies", but the [[xref:http://www.kryptiq.com/assets/marketing/HealthVault_Demo/Kryptiq%20HealthVault%20Demo.htm |demo]] of their Connect IQ portal clearly shows that sensitive patient data is being managed from a Kryptiq subdomain.

It is likely that other providers have similar vulnerabilities and it shows that even if a central store of data is relatively secure (such as a back end database), if the systems connecting to that data store are not secure, it can lead to information loss as if the central data store was not secure.

There is nothing to say at this stage that HealthVault has been compromised, or has other critical weakness, but it might as well be if a compromised third party can extract any data stored within it. With increasing demands to store health records electronically and make them available across networks, this risk is only going to increase in the future and may pose a greater problem than the risk of Identity theft/financial theft. You can always be refunded money or have your credit record corrected, you aren't going to be able to do that with your health records.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Carl Jongsma

Show Comments

Father’s Day Gift Guide

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?