Mary Washington Hospital in Fredericksburg, Virginia has a convenient online registration system for expectant mothers. Unfortunately, a security glitch on the site exposed the private medical information of 803 patients. The records contained social security numbers, phone numbers, and birth dates.
The breach was discovered when “Mike,” the husband of an expectant mother experienced some problems with the hospital’s website. Mike discovered the records by deleting part of the long URL in his browser window. He was attempting to fix a “certificate revoked” error message that hampered his registration.
Mike viewed a couple of records and notified the record holders that their information was available on the web. One of them contacted a local sheriff, who reported the problem to the hospital. A hospital spokeswoman described the breach as a “one-time incident,” and reported that Mike was the only person to person to see the records.
This incident points out the risks associated with web-based systems. Although convenient, a simple administrative error can create a serious vulnerability. Mary Washington’s system had at least two serious vulnerabilities. The first problem was a revoked SSL encryption certificate. The certificate helps the website encrypt sessions to verify user identity and protect data.
The second problem involved file and directory permissions. In this case, an administrator allowed “directory browsing,” which means anyone can view the contents of a website directory, even though the information isn’t displayed on a web page. Mike unwittingly stumbled onto a well-known hacking procedure. By deleting parts of the website’s URL, he was able to direct his web browser to view the directory containing patient records. If the website was configured properly, he should have received a “Forbidden” error, stating that he does not have permission to access the directory.
Although web-based information systems can be useful, organizations run a significant risk if they deploy mismanaged systems. The devil is in the details, and more complex systems run a greater risk of configuration errors. System administrators should be proactive, and test their systems for any vulnerabilities that could expose protected information.