Jun 07 2024

The IDOR Vulnerability Explained: What Healthcare Organizations Need to Know

Insecure Direct Object Reference vulnerabilities pose a threat to healthcare organizations by potentially compromising access controls for electronic health records and provider payment systems.

When phishing attacks infiltrate a popular messaging app like Microsoft Teams, organizations in industries such as healthcare must ramp up their cybersecurity training for providers and IT staff.

A type of phishing vulnerability called Insecure Direct Object Reference (IDOR) exposes assets of a website or server through manipulation of URL parameters, according to Scott Caveza, staff research engineer at cybersecurity firm Tenable. This vulnerability affected Teams because cyberattackers are able to swap external and internal IDs.

“Obtaining credentials is the nirvana state for threat actors, so they are constantly seeking new ways to steal them and acquire access to users’ accounts,” says Ryan Witt, vice president of industry solutions at Proofpoint.

Recently, cybercriminals sent more than 1,000 group chat invites using Teams, according to AT&T Cybersecurity Research. Targets were tricked into downloading attachments that contained DarkGate malware, which hackers use as a remote access Trojan horse to strike a host system, according to Caveza.

“DarkGate is often spread by phishing victims as well as by using search engine optimization poisoning to get more traffic to malicious websites hosting Windows Installer Packages of DarkGate, often disguised as other legitimate and popular software packages,” Caveza says. “By tricking users into downloading and executing the installer, attackers can hope to infect unsuspecting victims en masse.”

Why Healthcare Is Vulnerable to IDOR

The healthcare industry is particularly susceptible to IDOR vulnerabilities because of the sensitive data in electronic health records that include information on diagnoses, treatment plans and medications, explains Britt Eilhardt, managing director of cyber risk solutions at insurance brokerage firm Brown & Brown. She also notes that legacy IT systems in healthcare may have outdated coding practices and weaker access controls. Healthcare providers also use web-based applications and portals to enable patient data access and communication.

“The combination of highly sensitive data, strict regulations and a complex IT landscape makes healthcare organizations a prime target for IDOR attacks,” Eilhardt says. “Due to the sensitive nature of the data involved, the potential consequences of a successful breach are far more severe in healthcare than in other industries.” 

The IDOR vulnerability is a threat to healthcare organizations because it can expose patients’ protected health information (PHI) to the wrong people, explains Daniel Blackford, director of threat research at Proofpoint.

“A user could be provided a URL to download a spreadsheet with some personal data on it, and an IDOR might allow a value in that URL to be changed and then inadvertently provide a spreadsheet corresponding to a different user, potentially exposing PHI to someone it doesn’t belong to,” Blackford says.


How to Protect Healthcare Teams Users From IDOR

Teams is a popular corporate tool for messaging, but with its ability to support messages from external users, it can also be vulnerable to attack. Using a random or globally unique identifier, or GUID, can protect data patterns in object names, says John Shier, field CTO for threat intelligence at Sophos. These unique identifiers consist of very long alphanumeric strings.

“As opposed to using a direct object reference, as in the exact key or the exact filename or the exact user ID, you should be using random identifiers,” Shier says. “That’s a way of protecting the data and obfuscating any kind of data patterns that might exist in the object names if they are things like user IDs.”


Experts also recommend tweaking access settings for external users in Microsoft Teams. Multifactor authentication can help secure login attempts in applications such as Teams, notes Salman Ansari, managing director for cyber risk advisory at Brown & Brown. He also recommends limiting access to certain features in Teams based on the level of trust and collaboration needed.

“Organizations can leverage guest access controls to manage permissions for external users and grant the least privilege necessary for them to contribute effectively,” Ansari adds.

“By implementing data loss prevention policies, organizations can prevent sensitive patient data from being accidentally or maliciously shared externally through Teams chats or file sharing,” Ansari says. “Organizations can monitor user activity logs to identify suspicious access attempts or unusual data sharing behavior, especially involving external users.” 
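The monitoring Ansari describes can be made concrete. The following is an added example, not code from the article or from any of the vendors quoted: it scans constructed access-log lines from a hypothetical patient portal (path scheme `/api/records/<id>`, field layout and thresholds are all assumptions) and flags an actor who walks through many consecutive object IDs, collecting a mix of successes and denials, which is how an IDOR probe tends to look in logs next to a legitimate user who touches one or two records.

```python
"""Flag ID-enumeration patterns in web access logs.

Added example (not from the article): an IDOR probe against a patient portal
typically walks through many consecutive object IDs from one session and
collects a mix of 200s and 403/404s, while a legitimate user touches one or
two records. This scans constructed log lines for that pattern.
"""
import re
from collections import defaultdict

# Constructed sample log (fields: client, user, method, path, status).
SAMPLE_LOG = """\
10.0.0.5 alice GET /login 200
10.0.0.5 alice GET /api/records/48213 200
10.0.0.5 alice GET /api/records/48213/attachments 200
10.0.0.7 carol GET /api/records/2201 200
10.0.0.7 carol GET /api/records/2290 200
10.0.0.7 carol GET /api/records/2315 200
10.0.0.9 bob GET /api/records/1001 200
10.0.0.9 bob GET /api/records/1002 403
10.0.0.9 bob GET /api/records/1003 403
10.0.0.9 bob GET /api/records/1004 200
10.0.0.9 bob GET /api/records/1005 403
10.0.0.9 bob GET /api/records/1006 404
10.0.0.9 bob GET /api/records/1007 200
10.0.0.9 bob GET /api/records/1008 403
10.0.0.9 bob GET /api/records/1009 403
10.0.0.9 bob GET /api/records/1010 200
10.0.0.9 bob GET /api/records/1011 403
10.0.0.9 bob GET /api/records/1012 403
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
# Resource prefix plus a numeric object ID; anything after the ID is ignored.
ID_PATH_RE = re.compile(r"^(/api/records)/(\d+)(?:/.*)?$")
DENIED = {401, 403, 404}


def parse_line(line):
    """Return (client, user, resource, object_id, status), or None for lines
    that are malformed or do not address an object by numeric ID."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, user, _method, path, status = m.groups()
    p = ID_PATH_RE.match(path)
    if not p:
        return None
    return client, user, p.group(1), int(p.group(2)), int(status)


def find_enumeration(log_text, min_distinct=8, min_denied_ratio=0.3,
                     min_sequential_ratio=0.8):
    """Group requests per (user, client, resource) and report actors who
    touched many distinct IDs with either a high denial rate or IDs that
    mostly step by one. Returns a list of finding dicts."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            client, user, resource, oid, status = rec
            hits[(user, client, resource)].append((oid, status))

    findings = []
    for (user, client, resource), reqs in hits.items():
        ids = sorted({oid for oid, _ in reqs})
        if len(ids) < min_distinct:
            continue
        denied_ratio = sum(1 for _, s in reqs if s in DENIED) / len(reqs)
        steps = [b - a for a, b in zip(ids, ids[1:])]
        sequential_ratio = (sum(1 for d in steps if d == 1) / len(steps)) if steps else 0.0
        if denied_ratio >= min_denied_ratio or sequential_ratio >= min_sequential_ratio:
            findings.append({
                "user": user, "client": client, "resource": resource,
                "distinct_ids": len(ids),
                "denied_ratio": round(denied_ratio, 3),
                "sequential_ratio": round(sequential_ratio, 3),
            })
    return findings


if __name__ == "__main__":
    for finding in find_enumeration(SAMPLE_LOG):
        print(finding)
```

Only "bob" is reported: 12 distinct IDs stepping by exactly one, two thirds of them denied. The denial ratio matters because a vulnerable endpoint returns 200 for every guess, so the sequential-step test is what still catches a probe against a server that is not enforcing authorization at all.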

Because healthcare providers use Teams to communicate with patients and suppliers, shutting down external access may not be possible, Caveza says. Still, he adds, providers must train professionals throughout their organization in security awareness to protect against healthcare phishing and social engineering attacks, including warning users not to click on suspicious links or downloads.

Hospital IT teams should isolate malicious sessions initiated by links embedded in Teams messages, Witt says.

Best Practices on Protecting Against Healthcare Phishing

Caveza recommends taking classes from the Open Worldwide Application Security Project (OWASP) to learn how to keep IDOR vulnerabilities out of applications. OWASP provides recommendations on secure coding practices and input validation techniques.

Eilhardt also recommends role-based access controls to mitigate IDOR.

“By properly defining roles and permissions with RBAC, you can limit the data users can access even if they find an IDOR vulnerability,” Eilhardt says.
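Blackford's spreadsheet-download scenario, Shier's advice to use random identifiers, and Eilhardt's point about RBAC fit together in one handler. The following is an added example, not code from the article or from any of the vendors quoted; it uses an in-memory store with constructed records, and the `records_auditor` role is a hypothetical RBAC role chosen for illustration. The first handler is the flaw: it trusts the sequential ID in the URL. The second uses unguessable IDs, checks ownership against the session user, honors the auditor role, and answers "missing" and "not yours" identically so the ID space cannot be mapped.

```python
"""Direct object reference versus authorized lookup by random identifier.

Added example (not from the article): models the spreadsheet-download
scenario with an in-memory store. download_report_vulnerable trusts the
ID in the URL; download_report uses random IDs and checks authorization.
"""
import secrets
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised for both unknown and unauthorized report IDs."""


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass(frozen=True)
class Report:
    owner: str
    content: str


# Constructed legacy store keyed by a guessable sequential number.
SEQUENTIAL_REPORTS = {
    1001: Report(owner="alice", content="alice's lab results"),
    1002: Report(owner="bob", content="bob's lab results"),
}


def download_report_vulnerable(user, report_id):
    """IDOR: the only check is that the caller is logged in. Changing
    1002 to 1001 in the URL hands bob alice's report."""
    return SEQUENTIAL_REPORTS[report_id].content


# Hardened store: keys are random 128-bit URL-safe tokens.
RANDOM_REPORTS = {}


def create_report(owner, content):
    """Store a report under a fresh unguessable ID and return that ID."""
    report_id = secrets.token_urlsafe(16)
    RANDOM_REPORTS[report_id] = Report(owner=owner, content=content)
    return report_id


def download_report(user, report_id):
    """Authorization is decided server-side from the session user, never
    from anything in the request. The random ID only raises the cost of
    guessing; the ownership/role check is what actually prevents IDOR."""
    report = RANDOM_REPORTS.get(report_id)
    if report is None:
        raise Forbidden(report_id)  # same answer as "not yours"
    is_owner = report.owner == user.name
    is_auditor = "records_auditor" in user.roles  # hypothetical RBAC role
    if not (is_owner or is_auditor):
        raise Forbidden(report_id)
    return report.content


def demo():
    """Return (leak_via_idor, owner_ok, other_user_blocked, auditor_ok)."""
    alice = User("alice", frozenset({"patient"}))
    bob = User("bob", frozenset({"patient"}))
    auditor = User("eve", frozenset({"records_auditor"}))
    leak = download_report_vulnerable(bob, 1001)  # bob reads alice's data
    rid = create_report("alice", "alice's lab results")
    owner_ok = download_report(alice, rid) == "alice's lab results"
    try:
        download_report(bob, rid)
        blocked = False
    except Forbidden:
        blocked = True
    auditor_ok = download_report(auditor, rid) == "alice's lab results"
    return leak, owner_ok, blocked, auditor_ok


if __name__ == "__main__":
    print(demo())
```

The random identifier is defense in depth, not the fix: a handler that looked up a random ID and skipped the ownership check would still be an IDOR once any ID leaked in a shared link or log. The role check is where Eilhardt's RBAC point lands, since a user who does find a reachable ID still only gets what their role permits.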

Organizations should take a multilayered approach to preventing healthcare phishing attacks and address specific vulnerabilities. Train staff at health systems and clinics on how to identify fraudulent invoices and payment requests, Eilhardt advises, and train nurses on how to spot fake appointment confirmations or patient record requests.

Eilhardt also recommends conducting phishing simulations and sending out test phishing emails to evaluate the effectiveness of training programs and identify areas in which employees are susceptible.
