How PHI in Healthcare SaaS is at Risk

By Beverly Nevalga, Associate Director—Content and Communications, AppOmni

Healthcare’s reimagined, patient-first experience requires data capture and greater interoperability across numerous SaaS systems. This growing digital dependence also widens the security and privacy exposure of healthcare organizations, making SaaS-related data breaches a credible risk.

Proper configuration of enterprise SaaS apps can be overwhelming for even the most experienced security teams, not to mention managing access rights across connected SaaS apps or internal systems. All of this makes it nearly impossible to detect anomalies and investigate weak points across an ecosystem while relying on default security settings alone.

At an average cost of $9.23 million per incident, healthcare is the industry with the most expensive data breaches. Threat actors know that exfiltrating PHI data — including names, emails, passwords, and personal health information — can lead to sizable payouts. This reality, coupled with the degree of connectivity among systems, means the healthcare industry is more susceptible to internal and external threats.

What is PHI, and Why is it Valuable to Cybercriminals?

Protected health information (PHI) is a form of personally identifiable information (PII) that’s protected under the HIPAA Privacy Rule, a set of U.S. standards for healthcare providers, health insurers, or businesses associated with healthcare organizations. PHI can include an individual’s past, present, or future health records that were disclosed in the process of providing care-delivery services. 

Many healthcare organizations rely on cloud environments and SaaS applications to store, manage, and transmit patients’ PHI. These digital ecosystems contain a treasure trove of personal information that opportunistic hackers can extract, exploit, and easily sell for a handsome price just by using traditional methods to gain access (e.g., social engineering to impersonate a clinician). 

Once they have access, hackers employ smash-and-grab operations, lurk undetected within the victim organization’s environments, or commit ransomware attacks until financial demands are met. When this happens, business operations slow down or become completely inoperable. And even if payment is made, there is no guarantee that files will be restored or redelivered. 

The 3 Most Common Ways SaaS Hackers Steal PHI

SaaS applications are designed to be configurable and extensible, with countless 3rd party apps, IoT devices, and SaaS-to-SaaS connections interacting with them. As adoption has grown, SaaS apps have become a favorite attack vector for malicious actors.

This happened recently when the University of California San Diego Health disclosed a data breach that exposed PHI including patient names, dates of birth, insurance type, and reasons for visit. Its vendor, Solv Health, had placed pixel-tracking analytics tools on its patient-facing websites without UCSD Health’s permission.

While threat actors can leverage different attack vectors, the most common ways to exploit PHI stored in healthcare systems include:

1. Improper Identity Privileges and Access Permissions

Administrative and other privileged roles are highly attractive targets for attackers in SaaS and cloud environments, particularly for those looking to compromise a healthcare organization. Once a threat actor has gained access to a privileged role, they have far greater ability to attack the SaaS app and its SaaS-to-SaaS connections and to degrade the security capabilities within them.

Ransomware attacks are proliferating, and the toolsets to execute them, such as Phishing-as-a-Service (PhaaS), are more broadly distributed than ever, so SaaS datasets can be leaked, overwritten, or corrupted. To help protect patient data, monitor permissions and ensure they are granted appropriately to clinicians, doctors, and associates, and enforce the principle of least privilege (PoLP).

2. Misconfigurations in 3rd Party Apps

AppOmni research shows that more than 42 distinct 3rd party apps and integrations are connected to the average enterprise SaaS environment. These connections become invisible conduits to sensitive data (like PHI) and present a risk of lateral movement to other SaaS systems. Of those 42 applications, 22 haven’t been used in the last six months. These unused apps remain authorized until that access has been revoked.

While useful for healthcare providers and staff, 3rd party apps are hidden pathways into a health provider’s most sensitive data. After all, these apps can read, create, update, overwrite, and delete content.

Cybercriminals can pounce on a misconfiguration that exposes data and then work quickly to mass-download the information. Examples of misconfiguration include granting external access via patient portals to unauthenticated or unauthorized users, improperly granting permissions internally, and leaving file shares or configurations open.

3. IoT Devices

Interconnected devices — like roaming laptops, biosensors, and implanted medical devices — should require role-based access control (RBAC) and authenticated accounts before they can collect and store data. They send data to SaaS platforms that are often interconnected with other SaaS apps, creating a daisy chain of data that third parties can access without the healthcare organization having visibility into it.

Through OAuth 2.0 and Auth0 permission delegation, 3rd party apps can be granted elevated permissions to business-critical and sensitive data like PHI. This lets a SaaS app act “on behalf of” the user, which increases a healthcare organization’s attack surface.
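The review that the 3rd party app section above calls for (stale grants unused for six months, integrations that hold more than they need, open sharing on PHI objects) and the delegated-scope concern in the paragraph just above can be expressed as a small audit. The following is an added example written for this article, not AppOmni code or any SaaS platform's API; the inventory, the sharing settings and the field names (granted_scopes, required_scopes, last_used, owner, external_access) are constructed assumptions about what an integration export from a tenant might contain.

```python
"""Stale-grant, excess-scope and open-sharing review for third-party SaaS integrations.

Added illustration, not AppOmni code. The inventory and sharing settings
below are constructed for the example; the field names are assumptions
about what an integration inventory export from a SaaS tenant might contain.
"""
from datetime import date, timedelta

# The article's threshold: a grant unused for six months is a revocation candidate.
STALE_AFTER = timedelta(days=180)
# Scopes that let an app change or destroy PHI rather than only read it.
WRITE_SCOPES = {"create", "update", "delete"}
# Fixed review date so the example is reproducible offline.
REVIEW_DATE = date(2024, 3, 1)

# Constructed inventory of connected apps. last_used is None when the grant
# has never been exercised since it was authorised.
INTEGRATIONS = [
    {"name": "appointment-reminders", "owner": "clinic-ops",
     "granted_scopes": {"read"}, "required_scopes": {"read"},
     "last_used": date(2024, 2, 20)},
    {"name": "legacy-billing-export", "owner": "finance",
     "granted_scopes": {"read", "update", "delete"},
     "required_scopes": {"read"}, "last_used": date(2023, 6, 2)},
    {"name": "trial-analytics-pixel", "owner": None,
     "granted_scopes": {"read", "create"}, "required_scopes": {"read"},
     "last_used": None},
]

# Constructed sharing settings on objects that hold PHI.
SHARING_SETTINGS = [
    {"object": "PatientVisit", "external_access": "none"},
    {"object": "LabResult", "external_access": "anyone_with_link"},
]


def audit_integrations(integrations, today):
    """Return (app, finding, detail) tuples for grants that violate least privilege."""
    findings = []
    for app in integrations:
        name = app["name"]
        last = app["last_used"]
        if last is None or today - last > STALE_AFTER:
            findings.append((name, "stale_grant",
                             "never used or unused for over 180 days; revoke unless re-justified"))
        # Delegated write scopes the app holds but its documented purpose does not need.
        excess_write = (app["granted_scopes"] - app["required_scopes"]) & WRITE_SCOPES
        if excess_write:
            findings.append((name, "excess_write_scope",
                             "reduce to required scopes; drop " + ", ".join(sorted(excess_write))))
        if not app["owner"]:
            findings.append((name, "no_owner",
                             "no accountable owner, so the grant cannot be reviewed or approved"))
    return findings


def audit_sharing(settings):
    """Flag PHI objects whose sharing setting exposes them outside the tenant."""
    return [(s["object"], "external_exposure",
             "external_access=" + s["external_access"] + "; restrict to authenticated users")
            for s in settings if s["external_access"] != "none"]


def run_audit(today=REVIEW_DATE):
    """Combine both checks into a report keyed by finding type."""
    report = {}
    for target, kind, detail in audit_integrations(INTEGRATIONS, today) + audit_sharing(SHARING_SETTINGS):
        report.setdefault(kind, []).append((target, detail))
    return report


if __name__ == "__main__":
    for kind, items in run_audit().items():
        print(kind)
        for target, detail in items:
            print(f"  {target}: {detail}")
```

Run against the constructed inventory, the audit flags the two grants that have not been exercised in six months, the two apps holding write scopes their purpose does not call for, the integration nobody owns, and the one PHI object shared by link; the read-only, recently used, owned app produces no finding, which is the state every remaining grant should be brought to.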

Protecting PHI Crown Jewels

With patients’ PHI on the line, how can healthcare organizations deliver quality care and support while keeping the PHI crown jewels safe? Actively and continuously monitoring the security and threat posture of their SaaS applications is a solid first step. But you must also ensure proper configurations, access rights, and permission levels across your SaaS ecosystem, 3rd party apps, and IoT devices.

Understanding and addressing this risk proactively is the very reason why AppOmni was founded. We provide extensive and ever-growing coverage for SaaS applications along with continuous monitoring and threat detection capabilities that proactively detect and prevent SaaS security risks and threats from becoming security incidents.

See how AppOmni’s advanced security tooling can protect PHI across your SaaS ecosystem.
