BY Venkata Satish Guttula, CISA, CISM, CDPSE, CC.

In a recent study I conducted, I explored the cybersecurity posture of some hospital websites in India. Alarmingly, the majority exhibited critical vulnerabilities that could lead to the exposure of confidential patient data. With an average assessment time of just 30 minutes per website, here are some of the glaring issues identified:
1. Front-End Captcha Validation: Captchas are only validated client-side with no server-side checks during form submission, making replay attacks feasible.
2. OTP Submission Flaws: The form submission is contingent on OTP validation, which can be circumvented by manipulating browser elements and enabling unauthorized submissions.
3. Ineffective CSRF Protection: The absence of proper Cross-Site Request Forgery (CSRF) token validation allows the replay of form submissions.
4. Unlimited OTP Attempts: The lack of restrictions on OTP verification attempts opens the door for brute-force attacks.
5. Permanent OTP Storage: OTPs are stored indefinitely in databases rather than being time-sensitive, which poses a significant security risk.
6. Weak Password Storage: Use unsalted MD5 hashing for passwords, making them susceptible to cracking.
7. Compromised Password Integrity: Storing hashed and plain-text passwords in databases is a severe security lapse.
8. Lack of Web Application Firewall (WAF): WAFs or similar protective measures against malicious web attacks are absent.
9. No Multi-Factor Authentication (MFA): A lack of MFA mechanisms for accessing sensitive information or system functionalities.
These findings underscore a critical need for immediate and comprehensive security overhauls. Protecting patient data is not just a legal obligation but a moral one. I urge healthcare institutions to prioritize cybersecurity and adopt robust security measures to safeguard patient information against emerging threats.
Let’s advocate for more robust cybersecurity standards and practices in the healthcare sector. Your thoughts?
#Cybersecurity #HealthcareSecurity #DataProtection #PatientSafety #DigitalHealth