Researcher finds flaws in third-party healthcare payments processor that reveal the sad state of healthcare security

Mar 25, 2016 02:45 GMT
Breach in a payments processor for the healthcare industry can have huge ramifications

With healthcare and financial records among the data most sought after by attackers, the ideal scenario for a criminal is to get both in a single breach.

Third-party payment systems used by healthcare facilities are therefore an ideal target: a jackpot for any attacker who finds an exploitable hole.

How real that danger is was shown by independent security researcher Randy Westergren, who recently found two extremely simple security holes that let him view other users' data on a healthcare payments platform.

The researcher and his wife had chosen to receive their medical bills electronically. The bills arrived by email, and the couple were asked to register for an account on the website of the medical facility (Christiana Care) in order to pay them.

That account was in fact handled by a third-party payments platform (BYL Companies, LLC) working with the facility.

Payments platform allowed users to switch to any other account

Since a security professional finds it hard not to look under the hood of the sites and services he uses, especially those handling his own data, Mr. Westergren quickly discovered problems with how the service operated.

He first found an insecure direct object reference in the HTTP requests that handle switching between family members' accounts. By changing a single ID in the request, he could open any other user's account with nothing more than his own login: the server never checked that the requested account belonged to him.
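The account-switch flaw, modelled as an added example (this is illustrative code, not BYL's or Christiana Care's): a vulnerable handler that trusts the client-supplied account ID beside a hardened one that authorises the object, plus a probe that walks the ID space the way a tester would tweak the ID. The account table, session store and handler names are assumptions.

```python
"""Constructed model of an IDOR in a family-account switch endpoint.

Added illustration, not the platform's code. ACCOUNTS, SESSIONS and the
switch_account_* handlers are assumed stand-ins for the real service.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass
class Account:
    account_id: int
    owner_user: str       # login that owns this family member's account
    patient_name: str
    balance_cents: int


# Constructed sample data: two households, each with two family accounts.
ACCOUNTS = {
    101: Account(101, "rwestergren", "Randy W.", 12050),
    102: Account(102, "rwestergren", "Spouse W.", 4300),
    205: Account(205, "jdoe", "John Doe", 9999),
    206: Account(206, "jdoe", "Jane Doe", 150),
}

# Assumed session store: session token -> logged-in user.
SESSIONS = {"tok-randy": "rwestergren", "tok-jdoe": "jdoe"}


class Forbidden(Exception):
    pass


def switch_account_vulnerable(session_token: str, account_id: int) -> Account:
    """Insecure direct object reference: the caller must be logged in, but the
    client-supplied account_id is then trusted as-is (raises KeyError if absent)."""
    if session_token not in SESSIONS:
        raise Forbidden("not logged in")
    return ACCOUNTS[account_id]   # no check that this account belongs to the caller


def switch_account_fixed(session_token: str, account_id: int) -> Account:
    """Hardened version: authorise the object, not just the request."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise Forbidden("not logged in")
    acct = ACCOUNTS.get(account_id)
    # Same response for "no such account" and "not yours", so the ID space
    # cannot be enumerated by telling the two errors apart.
    if acct is None or acct.owner_user != user:
        raise Forbidden("account not available to this user")
    return acct


def probe(handler: Callable[[str, int], Account],
          session_token: str, id_range: Iterable[int]) -> List[int]:
    """Walk an ID range as a tester would, returning the IDs the handler served."""
    seen = []
    for account_id in id_range:
        try:
            handler(session_token, account_id)
            seen.append(account_id)
        except (Forbidden, KeyError):
            continue
    return seen


if __name__ == "__main__":
    # Logged in as one household, try every ID from 100 to 299.
    print("vulnerable:", probe(switch_account_vulnerable, "tok-randy", range(100, 300)))
    print("fixed:     ", probe(switch_account_fixed, "tok-randy", range(100, 300)))
```

The point the probe makes is that the fix is not obscuring the ID but binding the lookup to the session's user; sequential IDs are harmless once every object access is authorised.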

He later found a second issue: other HTTP requests appeared to contain cleartext passwords for an administrative account.

The researcher reported both issues to BYL, which fixed them and promised further audits of the application's security.

Still, a breach of one of these payment processors is only a matter of time, and its victims would be exposed to both financial fraud and medical insurance fraud.

Payments processor dashboard
