According to the BBC, the health provider was alerted to the data loss following a user discovering he had been given access to various video recordings relating to patients consultations delivered by other medics.
Looking into the issue for Digital Journal is James Carder, CSO and VP of LogRhythm Labs.
Carder begins by looking at business model of new health providers and the type of data they process: “Emerging healthtech startups must ensure that data protection is of the utmost priority, especially when sensitive patient data is collected, recorded and stored.”
He adds that: “The healthcare sector’s access to vast, valuable data types are a key target for various intelligent threat actors. Unfortunately, Babylon Health made a software error that allowed others to access intimate conversations and information on patients’ health. This data breach showcases how a basic lapse in security can compromise patient care, patient safety and trust, and sensitive clinical data.”
Carder is also concerned that the type of error is unknown, which means preventative measures for other companies become more challenging to implement: “Babylon Health has yet to disclose exactly what this software error was. The breach could have been due to a lack of segregation between patients, the improper use of a shared repository, or a basic web application security flaw allowing users to access each other’s data. Furthermore, to truly know the extent of this breach, more information as to why and how only three users were given access to the recordings should be uncovered.”
Carder moves on to the general issue of the digital transformation of healthcare and the resultant implications for cybersecurity. Here Carder notes: “Technology is more integral to healthcare than ever before as more and more organizations leverage digital transformation and adopt web-enabled applications, especially amid the coronavirus crisis. For example, Medicare has now allowed the use of telehealth to all enrollees, and the U.S. federal government has now allowed doctors to treat Medicare patients virtually across state lines.”
With telemedicine, Carder says: that “Protecting data is now more complex than ever. It is crucial that healthtech companies, such as Babylon Health, gain full visibility into their software infrastructure and source code so that lapses in security can rapidly be detected before patient care is at risk. Even though Babylon Health stated that a user found the exposed vulnerability, it is highly likely that cybercriminals, who are scouring the internet for vulnerable web applications to exploit and steal information, have already noticed and taken advantage.”
