
Microsoft’s AI Health Bot Needs Patching Due to Privilege Vulnerability



Microsoft has disclosed and patched a new vulnerability in Azure Health Bot, a cloud-based, AI-managed platform that healthcare organizations use to build virtual healthcare assistants. The researchers who found it have explained how they gained access and why a quick fix was needed.

WHY IT MATTERS

Microsoft says on its website that the HIPAA-compliant Health Bot platform combines medical data with natural language capabilities to understand clinical terminology for use in clinical care.

Healthcare organizations can use Health Bot to create custom virtual assistants for clinical staff.

On August 13, Microsoft assigned CVE-2024-38098 to the elevation of privilege vulnerability, which it classifies as improper link resolution before accessing a file. In its advisory, Microsoft said the vulnerability had not been publicly disclosed or exploited and that exploitation is unlikely.

Tenable researchers obtained an access token for management.azure.com that allowed them to list the subscriptions they had access to through the application programming interface, which exposed an internal Microsoft subscription ID, Information Security Magazine reported on Wednesday.

The researchers contacted Microsoft on June 17 and a fix was pushed to affected environments on July 2, according to the post, which said the vulnerability was fixed by rejecting redirect status codes for data connection endpoints.

In a company blog post on Tuesday, Tenable researchers said they discovered multiple privilege escalation issues in Azure Health Bot through server-side request forgery. That allowed the researchers to access multi-tenant resources.

Tenable said its researchers were interested in data connections that would allow bots to interact with external data sources to collect information from other services a provider might be using — “such as a patient portal or a general health information reference database.”

“Based on the level of access granted, it is likely that lateral migration to other resources is feasible,” the researchers said.

They said they also found another endpoint, used to authenticate data connections for Fast Healthcare Interoperability Resources endpoints, that was “more or less vulnerable to the same attack.” However, the FHIR endpoint vector did not allow the same level of request manipulation and access.

According to Microsoft’s August report, six of the nine zero-day vulnerabilities have been exploited.

THE BIGGER TREND

The U.S. Department of Health and Human Services requires the FHIR API to be included in all certified electronic health record systems – accessible by Azure Health Bot – under the Health IT Certification Program rules.

Because FHIR is a framework, vulnerabilities that are discovered are often traced back to how data and application developers implement it. The FHIR standard is widely accepted as part of the future of healthcare interoperability.

In June, the Office of the National Coordinator for Health Care Technology and the Health Resources and Services Administration said HRSA had begun using an FHIR-based API to streamline reporting processes and improve data quality and had been receiving data reports directly from its Unified Data System since April.

“The [United States Core Data for Interoperability, a standardized set of health data classes and elements] and Bulk FHIR are designed to provide digital glue for the learning healthcare system and fully calculable accountability for the performance of these providers in a modern big data way,” Don Rucker, former ONC director and chief strategy officer at 1UpHealth, told Healthcare IT News at the time of the agencies’ announcement.

ON THE RECORD

“This data connection feature is designed to allow a backend service to make requests to a third-party API,” Tenable researchers said in a blog post.

“While testing these data connections to see if endpoints within the service were interoperable, Tenable researchers discovered that many common endpoints, such as Azure’s internal Metadata Service, were filtered or not properly accessible. However, upon closer inspection, it was discovered that issuing redirect responses (e.g., 301/302 status codes) allowed these mitigations to be bypassed.”
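The bypass Tenable describes above is a classic server-side request forgery pattern: the service checks the URL a tenant supplies, but then follows a redirect from that (public) server to an internal address it never checked. The fix Microsoft shipped, rejecting redirect status codes on data-connection endpoints, closes that gap. The following is an added illustration, not code from Tenable or from Azure Health Bot, of how a data-connection fetcher can enforce both controls: resolve and vet the destination before the request, and treat any 3xx as a hard failure rather than a hop to follow. The fake transport, the fake resolver and the sample hostnames and addresses are constructed for the demonstration; the link-local 169.254.0.0/16 range is where cloud instance metadata services are conventionally reachable.

```python
import ipaddress
import socket
import urllib.error
import urllib.request
from urllib.parse import urlparse


class DestinationRejected(Exception):
    """Raised when a data-connection request would reach a forbidden destination."""


def is_blocked_address(ip):
    """True for any address a tenant-facing connector must never reach: loopback,
    RFC 1918 private space, link-local (instance metadata lives here), multicast,
    reserved and unspecified ranges."""
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_destination(url, resolver=socket.gethostbyname):
    """Check the scheme and resolve the host; return the IP as a string if it is public."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise DestinationRejected(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise DestinationRejected("missing host")
    try:
        ip = ipaddress.ip_address(host)            # literal address in the URL
    except ValueError:
        ip = ipaddress.ip_address(resolver(host))  # hostname: resolve it first
    if is_blocked_address(ip):
        raise DestinationRejected(f"{host} resolves to non-public address {ip}")
    return str(ip)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None tells urllib not to follow; the 3xx surfaces as an HTTPError instead.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def urllib_transport(url, timeout=10):
    """Real transport: exactly one request, redirects never followed.
    Returns (status, headers, body) for both success and error responses."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


def fetch_data_connection(url, transport=urllib_transport, resolver=socket.gethostbyname):
    """Fetch a URL on behalf of a bot, refusing private destinations and any redirect."""
    validate_destination(url, resolver)
    status, headers, body = transport(url)
    if 300 <= status < 400:
        # Following this hop is what let a public server steer the service to an
        # internal address in the case described above; refuse it outright.
        location = next((v for k, v in headers.items() if k.lower() == "location"), "?")
        raise DestinationRejected(f"redirect ({status}) to {location!r} refused")
    return status, body


# --- constructed test doubles so the module runs offline -----------------------

def fake_resolver(host):
    """Constructed DNS answers: one public host, one that resolves into private space."""
    return {"api.example.org": "93.184.216.34",      # constructed public sample
            "internal.example.org": "10.0.0.5"}[host]


def fake_transport_redirect(url):
    """Simulates a public server that answers with a redirect into the metadata range."""
    return 302, {"Location": "http://169.254.169.254/metadata/instance"}, b""


def fake_transport_ok(url):
    """Simulates a well-behaved upstream returning a normal 200 response."""
    return 200, {"Content-Type": "application/json"}, b'{"ok": true}'


if __name__ == "__main__":
    for target, transport in [("https://api.example.org/fhir", fake_transport_ok),
                              ("https://api.example.org/fhir", fake_transport_redirect),
                              ("https://internal.example.org/", fake_transport_ok),
                              ("http://169.254.169.254/metadata", fake_transport_ok)]:
        try:
            print(target, "->", fetch_data_connection(target, transport, fake_resolver))
        except DestinationRejected as exc:
            print(target, "-> rejected:", exc)
```

One caveat a practitioner should note: `validate_destination` checks the name the service resolves, but `urllib` resolves it again when it connects, so a hostname whose DNS answer changes between the two lookups (DNS rebinding) could still slip past. A production connector pins the connection to the vetted IP (connecting to the address and sending the original `Host` header), and resolves both IPv4 and IPv6 records rather than only `gethostbyname`.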

Andrea Fox is senior editor of Healthcare IT News.

Healthcare IT News is a publication of HIMSS Media.

The HIMSS Healthcare Cybersecurity Forum is scheduled to take place October 31 through November 1 in Washington, DC. Learn more and register.
