Insufficient encryption: Practice software makes patient data visible


Doctor's and practice software that has been certified many times failed to adequately protect well over a million patient records. The portal has been temporarily disabled.


Doctor's and practice software from the Berlin company Doc Cirrus made more than one million patient records visible to unauthorized persons due to massive security gaps. The IT collective Zerforschung discovered this and informed the responsible authorities and the company itself. As a result, Doc Cirrus shut down the portal completely at the end of June.


As Zerforschung explains, with a little technical expertise the most personal documents from more than 270 medical practices and personal data on around 60,000 patients could be viewed. Doc Cirrus assures that the gaps have largely been fixed and that the services are largely back in operation.

As Zerforschung explains in a detailed blog entry, the software in question is called inSuite and is intended to make work easier for doctors. It contains tools for organizing everyday practice work, but also allows laboratory results to be exchanged with patients or other practices and can store digitized patient files. A so-called “data safe” is used for this purpose: a small server in the practice that is not supposed to be reachable from the Internet. Instead, access goes through a central Doc Cirrus service. The provider assures that this communication is protected by end-to-end encryption.

Precisely this promise, however, was only partially kept, and the remaining protection could be completely undermined. According to Zerforschung, only the list of documents to be retrieved and the associated links are transmitted in encrypted form. The documents themselves are not end-to-end encrypted. Moreover, the research group found that they could easily force the server to omit encryption entirely.
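The design lesson behind this paragraph is that a client must never let the server decide whether end-to-end encryption applies: if a plaintext document is accepted whenever the server says “not encrypted”, the encryption is only as strong as the server's willingness to apply it. The following is an added illustration written for this article, not code from Doc Cirrus or inSuite; the `DataSafeRelay` class, the toy SHA-256 counter-mode cipher with an HMAC tag, and all keys and documents are constructed for the example. It contrasts a client that trusts the server's `encrypted` flag with one that fails closed when the authenticated envelope is missing.

```python
import hashlib
import hmac
import os

# Constructed 32-byte key held only by the practice's client, standing in for a
# key that the central relay never sees.
CLIENT_KEY = bytes(range(32))


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from SHA-256 (illustration only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> dict:
    """Encrypt and authenticate a document into an envelope the client can verify."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"encrypted": True, "nonce": nonce.hex(), "ciphertext": ct.hex(), "tag": tag.hex()}


def open_envelope(key: bytes, env: dict) -> bytes:
    """Verify the HMAC tag before decrypting; reject anything that was tampered with."""
    nonce = bytes.fromhex(env["nonce"])
    ct = bytes.fromhex(env["ciphertext"])
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(env["tag"])):
        raise ValueError("envelope authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class DataSafeRelay:
    """Constructed stand-in for the practice data safe plus the central relay.

    The `encrypt` flag on fetch() models a delivery path on which the document
    leaves the data safe in plaintext instead of inside a sealed envelope.
    """

    def __init__(self, key: bytes, docs: dict):
        self._key = key
        self._docs = docs

    def fetch(self, doc_id: str, encrypt: bool = True) -> dict:
        body = self._docs[doc_id]
        if encrypt:
            return seal(self._key, body)
        return {"encrypted": False, "plaintext": body.decode()}


def naive_client_fetch(server: DataSafeRelay, key: bytes, doc_id: str, encrypt: bool = True) -> str:
    """Weak pattern: the client believes whatever the server says about encryption."""
    env = server.fetch(doc_id, encrypt=encrypt)
    if env.get("encrypted"):
        return open_envelope(key, env).decode()
    return env["plaintext"]  # silently accepts a downgraded, unprotected document


def strict_client_fetch(server: DataSafeRelay, key: bytes, doc_id: str, encrypt: bool = True) -> str:
    """Hardened pattern: fail closed unless a complete, authenticated envelope arrives."""
    env = server.fetch(doc_id, encrypt=encrypt)
    required = ("nonce", "ciphertext", "tag")
    if env.get("encrypted") is not True or any(f not in env for f in required):
        raise RuntimeError(f"document {doc_id} arrived without end-to-end encryption; refusing")
    return open_envelope(key, env).decode()


def demo() -> dict:
    """Run both clients against an encrypted and a downgraded delivery."""
    docs = {"lab-42": b"Lab result: constructed sample data"}  # constructed document
    server = DataSafeRelay(CLIENT_KEY, docs)
    results = {
        "naive_encrypted": naive_client_fetch(server, CLIENT_KEY, "lab-42"),
        "naive_downgraded": naive_client_fetch(server, CLIENT_KEY, "lab-42", encrypt=False),
        "strict_encrypted": strict_client_fetch(server, CLIENT_KEY, "lab-42"),
    }
    try:
        strict_client_fetch(server, CLIENT_KEY, "lab-42", encrypt=False)
        results["strict_downgraded"] = "accepted"
    except RuntimeError:
        results["strict_downgraded"] = "refused"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The naive client returns the document in both runs, so an attacker who can influence the server's delivery path obtains plaintext without touching the key; the strict client refuses the downgraded delivery and, because the envelope carries an HMAC tag, also rejects modified ciphertext. In a real deployment the toy cipher would be replaced by a standard AEAD, but the check that matters here is the refusal to proceed when the envelope is absent.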

In this way they were able to call up lists of all patients and all documents at every practice. Consequently, invoices issued by the practices, activities such as diagnoses and referrals to other practices, as well as certificates for communication with the TI connector were also accessible. Because they also obtained the list of practices that use the software, they arrived at the huge total amount of viewable data.

The responsible Berlin data protection officer informed NDR and WDR that the disclosed security gaps were to be classified as “considerable”. Doc Cirrus assures that analyses of logs and access patterns gave no reason to assume that data was viewed or accessed by unauthorized third parties apart from Zerforschung's activities. The company says it has apologized to those affected for the loss of service.

NDR and WDR also point out that Doc Cirrus appears to demonstrate the supposed quality and security of the product with a large number of certificates. However, none of these relate to data protection. According to the Federal Data Protection Commissioner, data security should be checked by the medical practices themselves.