This week, a division of the National Health Service (NHS) Scotland was struck by a cyberattack, potentially disrupting services and exposing patient and employee data. Meanwhile, a researcher disclosed a Salesforce configuration error that exposed millions of Irish citizens’ COVID vaccination data from that country’s Health Service Executive (HSE).
The two incidents, separated by a quick hop over the Irish Sea, speak to the ongoing challenges healthcare organizations face in protecting patients’ most sensitive personal identifiable information (PII) and personal health information (PHI).
Salesforce Bug in Ireland’s COVID Vaccination Portal
During the onset of COVID’s Omicron variant in December 2021, Aaron Costello, principal SaaS security engineer at AppOmni, discovered a severe misconfiguration in the Salesforce-based online vaccination portal for Ireland’s HSE.
In a blog post published on March 14, he explained how an oversight allowed regular, low-level accounts belonging to HSE patients unprecedented access to the part of the system responsible for storing information about vaccine administration.
The exposed object in question included full names of patients and all information relating to their jabs: the brand of vaccine, date, location, and site at which it was administered, and any reasons they accepted or refused it.
Documents belonging to staff members, and information related to internal IT issues and processes, were also exposed.
“For Salesforce administrators and security practitioners on SaaS platforms, there was a lack of understanding of the implications of misconfigured permissions,” Costello tells Dark Reading. “They weren’t acutely aware that these things are possible — that a low-privileged user could be pulling this data.”
In the time since, Salesforce has gradually implemented a number of positive changes for preventing this kind of error and mitigating the consequences that might occur from it. A built-in health scanner attempts to uncover such vulnerabilities in customers’ environments, and more robust logging allows administrators to better analyze the activity of users, especially when they’re interacting with potentially sensitive APIs. Also, new policies and configurations attempt to conceal sensitive information, even in cases where they’re exposed by misconfigurations.
“So not only have they improved the post-breach process of log analysis, they’ve also introduced ways in which administrators can easily detect these issues with the health scanner, and also reduce the extent of exposures by reducing the scope of the data that becomes available in certain scenarios,” Costello says.
However, he warns, “There are a lot of organizations still misconfiguring these kinds of access controls to this very day. I still think there is a knowledge gap in the industry, and part of the issue is: Who’s responsible for the security of SaaS platforms? Is it the platform administrators? Do you pull in your security team when these things are being deployed to do an audit?”
Scotland’s NHS Breach
Also this week, NHS Dumfries and Galloway published an alert revealing that it is experiencing a “focused and ongoing” cyberattack.
Dumfries and Galloway is the southernmost council area of Scotland, with a population of approximately 150,000.
As a result of the breach, it warned, some services may experience disruption, and the attackers may have obtained “a significant quantity of data” belonging to patients and staff. More specific details about the cause, nature, and consequences of the breach are yet to be publicized.
Whether it’s a breach in Scotland or an overlooked system misconfiguration in Ireland, Costello says, “I think it all comes back to budget and funding. And the result of that is, firstly, understaffing for cybersecurity positions within these organizations. That is a massive, massive problem.
“We cannot point the finger solely at the employees of these organizations when they’re working under a very restricted budget and a very restricted headcount. They’re doing their best with the resources they have available to them.”
