People turn to healthcare professionals in their hour of need, trusting them with their deepest, darkest secrets in the hope that, in return, they can be restored to health. So what would happen if this personal and private information were to get into the wrong hands?

Our threat intelligence team recently confirmed medical professionals’ worst fears when it discovered that Skyscape – a company specializing in online medical resources for doctors, nurses and physicians – has been haemorrhaging highly confidential PII.

The threat

Over the last decade or so, we’ve seen a huge increase in technology designed to help connect patients and medics with the invaluable information they need to research, diagnose and combat illness.
From informative apps and diagnostic tests, to messenger services and video sharing platforms – a wealth of new resources has been created to help healthcare professionals work together more collaboratively.
Whilst most would argue this to be an overwhelmingly good use of tech, it does raise concerns over how patient data, along with other medical data, is being transmitted and stored.

About Skyscape

Skyscape – a company which offers 400+ resources over 30+ medical specialisms – has been found to be leaking the personal information of doctors, nurses and physicians as they log into the custom-built app.

Apart from the lack of data security in transit, Wandera’s investigation details how credentials have been left exposed in plaintext for anyone to misappropriate. Unencrypted usernames and passwords have been exposed whilst users install in-app extensions, or ‘resources’ as Skyscape refers to them.
Although our threat intelligence team were able to quickly spot the vulnerability and flag it across Wandera’s global network, users without a proactive mobile security mechanism may not be so lucky.

A sickening amount of PII

The following credentials have been targeted, putting nurses, physicians and doctors in a vulnerable position:

  • Username
  • Password
  • First and Last name
  • E-mail
  • Phone Number
  • Physical addresses
  • Places of employment
  • Profession/Speciality

Released over 20 years ago as the first medical health tool of its kind, the resource has been trusted by more than 2.6 million healthcare professionals, which shows the potential scale of the breach.
Healthcare breaches aren’t just a concern for mobile security organizations. A recent survey on the NHS in the UK showed that 89% of health professionals are concerned about the cyber security threats facing the health sector, with as many as 34% describing themselves as ‘very concerned’.
Outdated devices, and not having an accurate understanding of the current device inventory, can lead to some of the more common medical device cybersecurity gaps.
Wandera’s threat intelligence team decided to delve a little deeper to see if any other popular medical sites and applications were at risk, and the results were alarming. Although no vulnerable apps were detected across our global network, a range of malware-ridden health apps were discovered in the official Google Play Store.
In total, 191 apps were marked as at risk, with ‘Health Tips’, ‘Health Data’ and ‘Healthcare 101’ ranked amongst the worst offenders for bombarding users with in-app adware.

ICU, looking at my health data

This isn’t the first time Wandera has detected a vulnerability in a healthcare application. Back in January, ‘iCare Health Studio’ was found to be exposing users’ PII and health data. Why is this such a bad thing, you ask? Well, it opens the door to a whole new type of discrimination.
In the United States in particular, there is a massive risk of potential economic harm resulting from personal health information breaches. Employees are more concerned than ever that their personal health data could be used against them.
Personal health information becoming publicly available can lead to stigma and embarrassment, and it can be exchanged for lucrative sums on the dark web.

Lessons learned

Wandera has already detected that a number of enterprise users have downloaded the Skyscape app who, without the mobile security service deployed, would have left their personal information vulnerable.
To minimize risk, users should avoid using any mobile applications over public and potentially insecure Wi-Fi hotspots in order to reduce the chance of traffic interception.
The developers of the Skyscape app are advised to use SSL/TLS in order to protect the transmission of personally identifiable user information, session tokens and other sensitive data to a backend API or web service.
As we’ve shown, it’s imperative that individuals and enterprises have visibility into leaking applications before it’s too late. Wandera’s pioneering web gateway for mobile allows admins to see all the data going in and out of a device so they can flag and block risky applications in real time.
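The two recommendations above (encrypt credential traffic with TLS, and give admins visibility into which apps send sensitive fields in the clear) can be expressed as a simple gateway-side check. The following is an added example written for this post; it is not Wandera’s gateway code or anything from Skyscape. The request records are constructed, the host names use the reserved `.invalid` domain, and the list of sensitive parameter names is an assumption chosen to match the PII categories listed earlier in the post.

```python
"""Flag mobile app requests that carry credentials or PII over plaintext HTTP.

Added example, not the original page's or Wandera's code. The records below
are constructed to resemble what a mobile web gateway would log for an app
that submits a login form and then installs an in-app 'resource'.
"""
from urllib.parse import parse_qs, urlsplit

# Assumed parameter names that typically carry credentials or identity data.
# Matches the PII categories named in the post (username, password, e-mail,
# phone, address); extend this set to fit the app being monitored.
SENSITIVE_KEYS = {
    "username", "user", "login", "email", "password", "passwd", "pass",
    "token", "session", "phone", "address",
}

# Constructed sample of gateway records: (method, url, body).
SAMPLE_REQUESTS = [
    # Login form posted over plain HTTP: username and password in the body.
    ("POST", "http://api.example-medapp.invalid/v1/login",
     "username=jdoe&password=Winter2019!&device=android"),
    # Resource install that repeats the credentials in the query string.
    ("GET", "http://cdn.example-medapp.invalid/resources/install"
            "?user=jdoe&pass=Winter2019!", ""),
    # Same login over HTTPS: not flagged, the transport is encrypted.
    ("POST", "https://api.example-medapp.invalid/v1/login",
     "username=jdoe&password=Winter2019!"),
    # Plain HTTP download with no sensitive fields: not flagged.
    ("GET", "http://cdn.example-medapp.invalid/resources/drug-db.zip", ""),
]


def sensitive_fields(encoded):
    """Return the lower-cased sensitive parameter names in a form/query string."""
    if not encoded:
        return set()
    names = {k.lower() for k in parse_qs(encoded, keep_blank_values=True)}
    return names & SENSITIVE_KEYS


def classify_request(method, url, body):
    """Return a finding if sensitive fields travel over plaintext HTTP, else None."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return None  # only cleartext transport is in scope here
    in_query = sensitive_fields(parts.query)
    in_body = sensitive_fields(body)
    if not in_query and not in_body:
        return None
    return {
        "method": method,
        "host": parts.hostname,
        "path": parts.path,
        "exposed_fields": sorted(in_query | in_body),
        "locations": sorted(
            loc for loc, found in (("query", in_query), ("body", in_body)) if found
        ),
    }


def find_plaintext_leaks(records):
    """Run classify_request over every gateway record and keep the findings."""
    findings = (classify_request(*record) for record in records)
    return [f for f in findings if f is not None]


def leaking_hosts(records):
    """Hosts an admin would block or investigate: sorted, de-duplicated."""
    return sorted({f["host"] for f in find_plaintext_leaks(records)})


if __name__ == "__main__":
    for finding in find_plaintext_leaks(SAMPLE_REQUESTS):
        print(f"{finding['method']} {finding['host']}{finding['path']}: "
              f"{', '.join(finding['exposed_fields'])} in {'/'.join(finding['locations'])}")
    print("hosts to review:", ", ".join(leaking_hosts(SAMPLE_REQUESTS)))
```

The check is deliberately scheme-based rather than content-based: a password sent inside a TLS session is not visible to an interceptor on a shared Wi-Fi hotspot, whereas the same field in an `http://` request is readable by anyone on the path. Credentials that appear in a query string (the second record) deserve extra attention even after a move to HTTPS, because URLs tend to land in server and proxy logs.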

Responsible disclosure

We attempted to contact Skyscape twice over a one month period, notifying them of the data leak both times. We received no response.