Government Fixes eHospital Security Flaw Exposing Data of Millions of Patients
The government has fixed a server-side issue in its cloud-based hospital management information system, eHospital, that was exposing personally identifiable data, including the full name, age, date of birth, gender, and phone number of a large number of patients. The exposed data also included patients’ medical history and details of their last visited hospital, according to a researcher who reported the issue to Gadgets 360. The eHospital portal is meant for digitizing the records of government hospitals and registering medical facilities as well as doctors on a single platform.
Ukraine-based independent security researcher Bob Diachenko discovered that data was exposed from the eHospital portal because of a misconfigured Elasticsearch cluster. He informed Gadgets 360 that, due to the misconfiguration, the portal was allowing anyone on the Internet to access the personal data of millions of registered patients.
Immediately after understanding the issue, Gadgets 360 reached out to the National Informatics Center (NIC), the developer behind the eHospital portal. The NIC team resolved the issue shortly after it was reported and confirmed the fix to Gadgets 360.
Because of the misconfigured cluster, a bad actor could have stolen patient details stored on the portal.
“At times, DevOps forget to close the permissions, opened for live data access for fixing the problem. It sometimes leads to temporary data leak and is identified by ethical hackers and cybersecurity researchers. They inform concerned organizations to plug the issues. In this case, the issue of access to data was immediately closed as soon as it was reported by cybersecurity researcher. We are thankful to them for timely reporting of the issue and confirming its closure as well,” an NIC official told Gadgets 360.
According to the statistics available on the eHospital dashboard, the portal has so far registered over 4.83 million patients across India and processed over 2.48 billion transactions. There are also over 631 hospitals on board, which include both state and central government hospitals.
The government launched eHospital in 2015 as one of its initiatives to digitize governance in the country.
In November last year, the Union Health Ministry started digital registrations of all medical facilities and doctors under the Ayushman Bharat Digital Mission. The government made eHospital by NIC and e-Sushrut by the Center for Development of Advanced Computing (C-DAC) the two solutions to digitize health records for hospitals, according to news reports.
Back in 2017, some security flaws within the eHospital Online Registration app had allegedly allowed a Bengaluru-based software engineer to access Aadhaar numbers and personal details of citizens. Cybersecurity experts at the time highlighted that the app was not encrypting its communication with NIC’s servers. The NIC, as a result, had pulled the app altogether.