Web Portals: More Breaches Illustrate the VulnerabilitiesCredit Card Information Exposed in Latest Portal Incident
Web portals designed to provide convenient service to consumers can pose substantial security risks, as numerous breaches in recent years have clearly illustrated.
In the most recent reported portal incident, BJC HealthCare in St. Louis is notifying 5,850 individuals of a malware intrusion that compromised its payment portal and potentially exposed credit card information.
So Many Portal Breaches
But some portal security mishaps - including the massive Equifax breach in 2017 - have had a much bigger impact.
In an incident reported in October, a coding error in a portal of the Employee Retirement System of Texas, which administers retirement benefits, including health insurance, for state workers, inadvertently allowed some users to view the information of others, potentially exposing information on nearly 1.25 million of its members.
That incident currently ranks as the third largest health data breach added so far this year to the Department of Health and Human Services' Office for Civil Rights HIPAA Breach Reporting Tool website, commonly called the "wall of shame."
A spreadsheet downloadable from the federal website describing breaches for which OCR has completed investigations shows that portals were involved in at least 18 of those breaches since 2009.
"I have never seen a system or application that is completely a 'set and forget.'"
—Mark Johnson, LBMC Information Security
Looking back to 2017, the massive Equifax breach, which affected more than 163 million individuals in the U.S. and elsewhere, stemmed in part from a failure to patch a custom-built internet-facing consumer dispute portal, according to a recent Congressional report (see Equifax Breach Entirely Preventable, House Report Finds.)
And in 2016, W-2 tax form information of some employees at organizations that use outsourced payroll provider ADP was compromised allegedly due to security weaknesses involving an ADP web portal.
A variety of issues contribute to web portal security weaknesses, says John Nye, vice president of cybersecurity strategy at the consultancy CynergisTek.
Those issues, he says, include misconfigured devices and software; user authentication that is not robust; insecure application programming interfaces; and poor patch management.
In its notification statement, BJC Healthcare notes that it recently learned that information submitted through its patient online payment portal "could have been intercepted through the use of malicious computer software installed on the website. A BJC internal investigation determined that the malicious malware allowed electronic collection of payment information entered through the portal between Oct. 25 through Nov. 8.
Information that could have been acquired by attackers, BJC says, includes patient name, date of birth, billing account number, and the information of the individual making the payment, including name, address and credit card or bank account information, the organization reports.
BJC says it has no indication to date that any information was actually misused. "As a precaution, individuals whose payment information may have been exposed are advised to carefully review credit card and bank statements and immediately contact their credit card holder or banking institution about any inconsistencies or suspicious activity."
BJC, which operates 15 hospitals in Missouri, did not immediately respond to an Information Security Media Group request for additional information, including whether it was offering prepaid credit or ID monitoring services to those affected by the breach.
Steps to Take
One factor contributing to security issues in web portals is that "most organizations don't think about the total cost of running the system/application," says Mark Johnson, a former healthcare CISO and shareholder at consulting firm LBMC Information Security. "Because of that, a newly reported vulnerability may not get patched, or they may be resource constrained and they make 'risky' configuration choices - like adding too many support people as system or application admins. Finally, they may not dedicate the resources necessary to monitor these systems as closely."
Based on what BJC has publicly disclosed about its portal incident, it's unclear exactly what caused the breach, Johnson says. "If it was a problem with the portal software or some underlying system or middleware application configuration or patching, there are some basic things that everyone should look to do when they have interactive systems, especially portals, on the internet," he says.
Those steps include understanding the requirements of the system or application and reviewing and then implementing security controls that need to be in place based on the "risk of the system or application" and the type of data involved.
In taking steps to enhance portal security, Nye says, it's imporant to note that "no two organizations are alike, even two of similar size and makeup are going to have significant differences in key issues like leadership risk aversion, culture and community practice." That's why efforts to build security awareness "need to be tailored to meet what works best for each organization and even for individual departments," he says.
It's also important to monitor web portal systems on an ongoing basis.
"I have never seen a system or application that is completely a "set and forget," Johnson says. "Every system ... needs operational maintenance. Cybersecurity is a key part of that operational maintenance."