The government has fixed a server-side issue in its cloud-based hospital management information system, eHospital, that exposed personally identifiable data such as full names, ages, dates of birth, gender and phone numbers of large numbers of patients. The exposed data also included patients’ medical histories and hospital details about their last visit, according to a researcher who informed Advertisement Shout of the issue. The eHospital portal is designed to digitize the records of government hospitals and registered medical institutions, as well as doctors, on a single platform.
Ukrainian independent security researcher Bob Diachenko discovered data exposed in the eHospital portal due to a misconfigured Elasticsearch cluster. He told Advertisement Shout that due to a misconfiguration, the portal allowed anyone on the internet to access the personal data of millions of registered patients.
After learning about the problem, Advertisement Shout immediately contacted the National Center for Informatics (NIC), the developer behind the eHospital portal. The NIC team resolved the issue shortly after it was reported and confirmed the fix to Advertisement Shout.
Bad actors may be able to steal patient details stored on the portal due to the cluster misconfiguration.
“Sometimes, DevOps forgets to turn off permissions and turn on real-time data access to fix the problem. Sometimes it results in temporary data leaks that are identified by ethical hackers and cybersecurity researchers. They notify relevant organizations to fix the problem. In this case, once the cybersecurity researcher reported a problem accessing the data, we closed it immediately. We thank them for promptly reporting the problem and confirming its closure,” a NIC official told Advertisement Shout.
According to statistics on the eHospital dashboard, the portal registered over 4.83 million patients in India in April and processed over 2.48 billion transactions since its launch in 2015. There are also more than 631 hospitals on board, including state and central government hospitals.
The government launched eHospital as one of its initiatives to enable digital governance in the country.
In November last year, the United Ministry of Health started the digital registration of all medical facilities and doctors under Ayushman Bharat’s digital mission. According to news reports, the government is targeting NIC’s eHospital and the Center for Advanced Computing Development (C-DAC)’s e-Sushrut as two solutions for digitizing hospital health records.
Back in 2017, some security flaws in the eHospital Online Registration app allegedly allowed a software engineer in Bengaluru to access Aadhaar numbers and personal details of citizens. Cybersecurity experts at the time emphasized that the application did not encrypt its communications with the NIC server. As a result, the NIC eliminated the application entirely.