This week, a division of Scotland’s National Health Service (NHS) was hit by a cyber attack, potentially disrupting services and exposing patient and employee data. Meanwhile, a researcher revealed a Salesforce configuration error that exposed millions of Irish citizens’ COVID vaccination data from that country’s Health Service Executive (HSE).
The two incidents, separated by a short hop across the Irish Sea, illustrate the ongoing challenges healthcare organizations face in protecting patients’ personally identifiable information (PII) and sensitive personal health information (PHI).
Salesforce bug in Ireland’s COVID vaccination portal
During the onset of the Omicron variant of COVID in December 2021, Aaron Costello, principal SaaS security engineer at AppOmni, discovered a serious misconfiguration in the Salesforce-based online vaccination portal for the Irish HSE.
In a blog post published on March 14, Costello explained how an oversight allowed regular, low-privilege accounts belonging to HSE patients unprecedented access to the part of the system responsible for storing vaccine administration records.
The exposed records included patients’ full names and all information related to their vaccinations: the brand of the vaccine, the date, place and site where it was administered, and the reasons they gave for accepting or refusing it.
Documents belonging to staff members and information relating to internal IT issues and processes were also displayed.
“Salesforce administrators and security professionals on SaaS platforms didn’t understand the implications of misconfigured permissions,” Costello tells Dark Reading. “They weren’t fully aware that these things were possible, that a user with limited privileges could extract this data.”
Since then, Salesforce has gradually implemented a series of positive changes to prevent this type of error and mitigate the consequences that may arise from it. A built-in health scanner attempts to uncover such vulnerabilities in customer environments, and more robust logging allows administrators to better analyze user activity, especially when interacting with potentially sensitive APIs. Additionally, new policies and configurations attempt to hide sensitive information, even in cases where it is exposed by misconfigurations.
“So not only have they improved the post-breach log analysis process, but they have also introduced ways in which administrators can easily detect these issues with the health scanner and also reduce the magnitude of exposures by reducing the scope of data that becomes available in certain scenarios,” says Costello.
However, he warns: “Even today there are many organizations that misconfigure these types of access controls. I still think there is a knowledge gap in the industry, and part of the problem is: who is responsible for the security of SaaS platforms? Is it the administrators of the platform? Do you involve your security team when these things are implemented to perform an audit?”
The breach of the Scottish national health system
Also this week, NHS Dumfries and Galloway posted a notice revealing that it is suffering a “targeted and continuous” cyber attack.
Dumfries and Galloway is Scotland’s southernmost council area, with a population of around 150,000.
As a result of the breach, it warned, some services could suffer disruptions and the attackers may have obtained “a significant amount of data” belonging to patients and staff. More specific details about the cause, nature and consequences of the breach have yet to be made public.
Whether it’s a breach in Scotland or an overlooked system misconfiguration in Ireland, Costello says: “I think everything comes back to budget and funding. And the result of this is, first and foremost, staffing shortages for cybersecurity positions within these organizations. This is a huge, huge problem.
“We can’t just point the finger at the employees of these organizations when they are working with a very limited budget and very limited staff. They are doing the best they can with the resources they have available.”