Major Security Flaw Found in Dental Patient Portal
Dental software security has become a pressing concern after a vulnerability in Practice by Numbers, a popular patient management system used in over 5,000 dental offices, exposed sensitive health records. This issue highlights the ongoing risks faced by healthcare technology providers and the need for robust security measures to protect patient information.
How the Vulnerability Was Discovered
The security flaw was brought to light by Joseph R. Cox, a patient who accessed his dental records through his provider’s portal. While using the platform, Cox discovered that he could view not only his own documents but also those belonging to other patients. This alarming issue was due to an insecure design in the portal’s document retrieval system. By simply modifying the document number in the web address, any portal user could access other patients’ files, including personal details, medical histories, and photo identifications.
The problem was exacerbated by the sequential nature of document numbers, making it trivial for someone with malicious intent to systematically access large numbers of patient records. Cox’s own medical records were equally exposed, raising urgent questions about the overall dental software security posture of Practice by Numbers.
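The flaw described above is an insecure direct object reference: the document handler trusts whatever identifier arrives in the URL, and because identifiers are sequential, walking the whole table is trivial. The following Python is an added illustration written for this article, not code from Practice by Numbers or from its portal; the document store, patient accounts and identifiers are constructed sample data. It places the vulnerable handler beside a hardened one (an opaque handle in the URL plus a server-side ownership check) and adds a small audit-log check that flags accounts probing records they do not own.

```python
"""Patient-document retrieval: an IDOR pattern next to a hardened version.
Constructed example; records, accounts and ids below are invented."""
import secrets
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class Document:
    doc_id: int      # sequential, database-internal id
    owner: str       # patient account that owns the record
    content: str


# Constructed sample store keyed by the internal sequential id.
DOCUMENTS = {
    101: Document(101, "patient-a", "X-ray report for patient A"),
    102: Document(102, "patient-b", "Photo ID for patient B"),
    103: Document(103, "patient-b", "Treatment history for patient B"),
}


# --- Vulnerable pattern: the handler trusts the id taken from the URL ------
def fetch_document_insecure(doc_id: int) -> Optional[str]:
    """Returns any document whose id exists. Nothing ties the request to the
    logged-in patient, so incrementing the number walks the whole table."""
    doc = DOCUMENTS.get(doc_id)
    return doc.content if doc else None


# --- Hardened pattern -------------------------------------------------------
# 1. Expose an unguessable handle instead of the sequential database id.
HANDLE_TO_ID: dict = {}
ID_TO_HANDLE: dict = {}


def issue_handle(doc_id: int) -> str:
    """Maps an internal id to a random, non-sequential handle for URLs."""
    if doc_id not in ID_TO_HANDLE:
        handle = secrets.token_urlsafe(16)
        HANDLE_TO_ID[handle] = doc_id
        ID_TO_HANDLE[doc_id] = handle
    return ID_TO_HANDLE[doc_id]


AUDIT_LOG = []   # (user, handle, outcome) tuples written by the secure handler


def fetch_document_secure(session_user: str, handle: str) -> Optional[str]:
    """Resolves the handle, then enforces ownership server-side. The random
    handle is not authorization on its own; the ownership check is what
    closes the hole even if a handle leaks."""
    doc_id = HANDLE_TO_ID.get(handle)
    doc = DOCUMENTS.get(doc_id) if doc_id is not None else None
    if doc is None or doc.owner != session_user:
        AUDIT_LOG.append((session_user, handle, "denied"))
        return None   # same response for "missing" and "not yours"
    AUDIT_LOG.append((session_user, handle, "ok"))
    return doc.content


# --- Detection: accounts that probe many documents they do not own ---------
def enumeration_suspects(log, threshold: int = 3) -> list:
    """Returns users with at least `threshold` distinct denied handles; a
    legitimate patient almost never requests records that are not theirs."""
    denied = Counter()
    seen = set()
    for user, handle, outcome in log:
        if outcome == "denied" and (user, handle) not in seen:
            seen.add((user, handle))
            denied[user] += 1
    return sorted(u for u, n in denied.items() if n >= threshold)


if __name__ == "__main__":
    print("insecure:", fetch_document_insecure(102))        # any id works
    h = issue_handle(102)
    print("owner:   ", fetch_document_secure("patient-b", h))
    print("stranger:", fetch_document_secure("patient-a", h))
```

Two design points matter here. Returning the same "not found" result for a missing handle and for someone else's document avoids confirming which identifiers exist. And the denied-access counter is the cheap detection a portal operator can run over its own logs: one patient repeatedly hitting other patients' records is exactly the pattern sequential ids made easy, and it is visible before anyone reports it.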
Challenges in Reporting the Security Bug
Cox attempted to notify Practice by Numbers about the critical vulnerability. However, his efforts were met with frustration as the company provided no clear method for reporting security issues. Email addresses listed on the company’s website were inoperative, and messages sent to company founders via LinkedIn and subsequent email went unanswered. This lack of a vulnerability disclosure process is a significant weakness for a company handling sensitive healthcare data.
With no success in reaching the company directly, Cox turned to TechCrunch, which then alerted Practice by Numbers to the issue. The company responded by taking down the patient portal on April 13 to investigate and address the flaw. The portal was restored four days later, with the vulnerability confirmed as fixed.
Company Response and Remediation Steps
Chris Lau, co-founder and CTO of Practice by Numbers, confirmed that the security flaw had been patched. According to server logs, fewer than ten patients had their information exposed, and these individuals were being notified in collaboration with their dental practice. Importantly, the company found no evidence that the vulnerability had been exploited before, suggesting that Cox's discovery was the first time the flaw had been triggered.
Despite resolving the immediate security issue, questions remain about the company’s pre-launch practices. When asked, neither Lau nor co-founder and president Rohit Garg would confirm if the patient portal had undergone a formal security audit prior to its deployment. Security audits are standard practice for software handling sensitive data, helping to identify and address vulnerabilities before they can be exploited.
Broader Lessons in Dental Software Security
This incident is not isolated. In recent months, multiple companies, including fashion retailer Express and Home Depot, have faced similar situations where consumers or researchers discovered significant security flaws but struggled to report them. These cases illustrate a growing trend: as more consumers become aware of digital security, they are increasingly likely to identify vulnerabilities, but companies do not always provide a clear channel for responsible disclosure.
After the incident, Practice by Numbers indicated plans to update its website with a mechanism for reporting security issues. However, the company did not provide a specific timeline for this improvement. For companies operating in the healthcare space, establishing a transparent vulnerability disclosure program is crucial to maintaining trust and ensuring rapid response to potential threats.
Conclusion: The Need for Proactive Security Measures
The Practice by Numbers incident serves as a stark reminder of the importance of dental software security. As more healthcare providers rely on digital platforms to manage sensitive patient information, software vendors must prioritize rigorous security audits, responsive communication channels for vulnerability reporting, and ongoing monitoring to safeguard against breaches. The proactive identification and resolution of this flaw by a patient underscores the shared responsibility between technology providers and users to maintain the security of healthcare data.
This article is inspired by content from Original Source. It has been rephrased for originality. Images are credited to the original source.
