Government Fixes Security Flaw in eHospital Portal That Was Exposing Data of Millions of Patients

The eHospital portal registered over 4.83 million patients across India just in the month of April.

Government Fixes Security Flaw in eHospital Portal That Was Exposing Data of Millions of Patients

Photo Credit: Unsplash/ charlesdeluvio

Bad actors could have been able to steal patients' medical history and personal data

Highlights
  • eHospital was exposing data due to a misconfigured cluster
  • The portal is aimed to digitise hospital records
  • NIC is the developer and maintainer of the eHospital portal

The government has fixed a server-side issue within its cloud-based hospital management information system called eHospital that was exposing personally-identifiable data including full name, age, date of birth, gender, and phone number of a large number of patients. The exposed data also included patients' medical history and their last visited hospital details, according to a researcher who informed about the issue to Gadgets 360. The eHospital portal is meant for digitising records of government hospitals and register medical facilities as well as doctors on a single platform.

Ukraine-based independent security researcher Bob Diachenko discovered the data exposed from the eHospital portal due to a misconfigured Elasticsearch cluster. He informed Gadgets 360 that due to the misconfiguration, the portal was allowing anyone on the Internet to access personal data of millions of registered patients.

Immediately after understanding the issue, Gadgets 360 reached out to the National Informatics Centre (NIC) — the developer behind the eHospital portal. The NIC team resolved the issue shortly after it was reported, and confirmed to Gadgets 360.

Due to the misconfigured cluster, a bad actor could have been able to steal patient details stored on the portal.

"At times, DevOps forget to close the permissions, opened for live data access for fixing the problem. It sometimes leads to temporary data leak and is identified by ethical hackers and cybersecurity researchers. They inform concerned organisations to plug the issues. In this case, the issue of access to data was immediately closed as soon as it was reported by cybersecurity researcher. We are thankful to them for timely reporting of the issue and confirming its closure as well," an NIC official told Gadgets 360.

According to the statistics available on the eHospital dashboard, the portal registered over 4.83 million patients across India in the month of April and ​​processed over 2.48 billion transactions since its launch in 2015. There are also over 631 hospitals on board, which include both state and central government hospitals.

The government launched eHospital as one of its initiatives to digitise governance in the country.

In November last year, the Union Health Ministry started digital registrations of all medical facilities and doctors under the Ayushman Bharat Digital Mission. The government made eHospital by NIC as well as e-Sushrut by Centre for Development of Advanced Computing (C-DAC) as the two solutions to digitise health records for hospitals, according to news reports.

Back in 2017, some security flaws within the eHospital Online Registration app had allegedly allowed a Bengaluru-based software engineer to access Aadhaar numbers and personal details of citizens. Cybersecurity experts at the time highlighted that the app was not encrypting its communication with NIC's servers. The NIC, as a result, had pulled the app altogether.


Xiaomi 12 Pro is littered with features, but is that enough? We discuss this on Orbital, the Gadgets 360 podcast. Orbital is available on Spotify, Gaana, JioSaavn, Google Podcasts, Apple Podcasts, Amazon Music and wherever you get your podcasts.
Comments

For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel.

Jagmeet Singh
Jagmeet Singh writes about consumer technology for Gadgets 360, out of New Delhi. Jagmeet is a principal correspondent for Gadgets 360, and has frequently written about apps, computer security, Internet services, and telecom developments. Jagmeet is available on Twitter at @JagmeetS13 or Email at jagmeets@ndtv.com. Please send in your leads and tips. More
BGMI Basic Dynamo Voice Pack Announced, Krafton Bans Over 50,000 Cheaters
Government Warns Google Chrome Users of 'Highly Severe' Vulnerabilities, Urges to Install Latest Update
Share on Facebook Tweet Snapchat Share Reddit Comment
 
 

Advertisement

Advertisement

© Copyright Red Pixels Ventures Limited 2022. All rights reserved.