Government Fixes Security Flaw in eHospital Portal That Was Exposing Data of Millions of Patients

The government has fixed a server-side issue within its cloud-based hospital management information system called eHospital that was exposing personally-identifiable data including full name, age, date of birth, gender, and phone number of a large number of patients. The exposed data also included patients' medical history and their last visited hospital details, according to a researcher who informed about the issue to Gadgets 360. The eHospital portal is meant for digitising records of government hospitals and register medical facilities as well as doctors on a single platform.

Ukraine-based independent security researcher Bob Diachenko discovered the data exposed from the eHospital portal due to a misconfigured Elasticsearch cluster. He informed Gadgets 360 that due to the misconfiguration, the portal was allowing anyone on the Internet to access personal data of millions of registered patients.

Immediately after understanding the issue, Gadgets 360 reached out to the National Informatics Centre (NIC) — the developer behind the eHospital portal. The NIC team resolved the issue shortly after it was reported, and confirmed to Gadgets 360.

Due to the misconfigured cluster, a bad actor could have been able to steal patient details stored on the portal.

"At times, DevOps forget to close the permissions, opened for live data access for fixing the problem. It sometimes leads to temporary data leak and is identified by ethical hackers and cybersecurity researchers. They inform concerned organisations to plug the issues. In this case, the issue of access to data was immediately closed as soon as it was reported by cybersecurity researcher. We are thankful to them for timely reporting of the issue and confirming its closure as well," an NIC official told Gadgets 360.

According to the statistics available on the eHospital dashboard, the portal registered over 4.83 million patients across India in the month of April and ​​processed over 2.48 billion transactions since its launch in 2015. There are also over 631 hospitals on board, which include both state and central government hospitals.

The government launched eHospital as one of its initiatives to digitise governance in the country.

In November last year, the Union Health Ministry started digital registrations of all medical facilities and doctors under the Ayushman Bharat Digital Mission. The government made eHospital by NIC as well as e-Sushrut by Centre for Development of Advanced Computing (C-DAC) as the two solutions to digitise health records for hospitals, according to news reports.

Back in 2017, some security flaws within the eHospital Online Registration app had allegedly allowed a Bengaluru-based software engineer to access Aadhaar numbers and personal details of citizens. Cybersecurity experts at the time highlighted that the app was not encrypting its communication with NIC's servers. The NIC, as a result, had pulled the app altogether.