Fresh problems with ManageMyHealth online security - an expert analysis
An internet security expert has uncovered fresh issues with ManageMyHealth’s website and app after what he called a non-intrusive security reconnaissance.
Adam Burns, of security company Blackveil, told the Herald he voluntarily tested the website and app for his own interest after the hack was made public, and that he found flaws in both.
He did not attempt to break into systems, bypass controls, or access private information, he said. The steps he took were all possible without crossing into company cyberspace, and revealed security issues that any internet user could find.
Burns said the flaws he identified weren’t unusual for New Zealand websites - his previous checks across New Zealand domains found issues with about half.
He also said the flaws weren’t related to the hack, but to security after the intrusion. Sites can be more vulnerable after being hacked, because of the information that has found its way into the wild.
ManageMyHealth was facing a deadline of 5am today to pay US$60,000 to regain control of about 400,000 private files belonging to about 120,000 patients. That deadline passed without any update on the hacker’s communication feeds.
A hacker who goes by the name “Kazu”, who claimed to be behind the breach, told the Herald on Tuesday that he was in the job for the money and was negotiating with ManageMyHealth to get it.
Burns said ManageMyHealth systems showed gaps in the basic security controls expected for organisations handling sensitive health data.
“None of this is exotic. These are baseline controls.”
He said ManageMyHealth had inadequate protection around email, domains and patient portals, so that even predictable risks such as phishing and impersonation were not well controlled.

Its email vulnerability appears to have been highlighted already by Deputy Privacy Commissioner Liz MacPherson and ManageMyHealth owner Vino Ramayah.
MacPherson told BusinessDesk that the Office of the Privacy Commissioner (OPC) had received an anonymous email about ManageMyHealth in June last year that claimed names, email addresses and passwords were “exposed by the ManageMyHealth platform”.
Ramayah told RNZ that the hackers “got in through the front door”.
The Herald has asked ManageMyHealth for comment on Burns’ analysis. It has yet to respond.
What is the issue with security controls?
The concern raised by Burns is that, once a breach has occurred, the attackers have gained knowledge about who the users are and how the system works.
He said weak controls make secondary attacks, such as phishing, impersonation, and credential harvesting, more likely.
What was found in ManageMyHealth’s email security policy?
Burns said the portal’s “DMARC” setting was at “monitoring only”.
DMARC is an email security policy that tells receiving mail servers how to handle messages that claim to come from a domain but fail authentication checks.
He said ManageMyHealth’s DMARC policy was set to “p=none”, which means the email domain was easily spoofed: malign users can create emails appearing to come from the domain that are monitored and reported, but not blocked or quarantined.
He said it was a setting often used during testing but which provided “no active protection”. DMARC should be set to “p=quarantine” or “p=reject” so that unauthenticated emails were treated as suspicious or invalid.
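The difference between the three policy values described above, as an added example that is not from the article or from Burns' analysis: a short Python check that classifies a DMARC TXT record by how much protection it gives. The sample records and the example.test addresses are constructed, and the level names are this example's own labels.

```python
# Added example: classify a DMARC TXT record by the protection it gives.
# The records in SAMPLES are constructed, not any real domain's records.

def parse_dmarc(txt):
    """Split a DMARC TXT record into a lower-cased tag -> value dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def assess_dmarc(txt):
    """Return (level, notes); level is 'invalid', 'monitoring-only',
    'partial' or 'enforced' (labels chosen for this example)."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return "invalid", ["no v=DMARC1 record: no DMARC policy is applied"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", ["p= tag missing or unrecognised"]
    if policy == "none":
        return "monitoring-only", ["p=none: failures are reported, not blocked"]
    level, notes = "enforced", []
    # sp= sets the policy for subdomains; when absent they inherit p=.
    if tags.get("sp", policy).lower() == "none":
        level = "partial"
        notes.append("sp=none: subdomains are left in monitoring only")
    # pct= (RFC 7489) limits the share of failing mail the policy covers.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        notes.append("pct= is not a number; treated here as the default 100")
    if pct < 100:
        level = "partial"
        notes.append(f"pct={pct}: policy covers only part of failing mail")
    return level, notes

SAMPLES = [  # constructed records
    "v=DMARC1; p=none; rua=mailto:dmarc@example.test",
    "v=DMARC1; p=quarantine; sp=none; pct=50",
    "v=DMARC1; p=reject; rua=mailto:dmarc@example.test",
]

if __name__ == "__main__":
    for record in SAMPLES:
        print(assess_dmarc(record), "<-", record)
```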
Why does DMARC matter more after a breach?
After a breach, hackers have usually confirmed user email addresses and contextual information. According to Burns, this makes phishing campaigns more targeted and more convincing.
Tight DMARC settings take out an entire class of impersonation attacks, making it harder for attackers to abuse the legitimate domain name.
What is DKIM, and why is key length an issue?
DKIM digitally signs outgoing emails so recipients can verify that messages were authorised by the sending domain and were not altered in transit.
Burns said ManageMyHealth used 1024-bit RSA keys for DKIM signing, and that this key size was now considered below modern recommended standards.
2048-bit keys should be expected, and anything less reflected low “security hygiene” in a system carrying sensitive information.

What is MTA-STS, and why is the lack of it an issue?
MTA-STS allows a domain to declare that emails sent to it must use “encrypted transport” and that delivery should fail if encryption cannot be established.
Burns said he found ManageMyHealth’s MTA-STS configuration was missing or broken, meaning encryption was not strictly enforced between mail servers.
It meant there was “no policy-level insistence”, which he believed was harder to justify for health-related communications.
How does this impact patients receiving emails?
Burns said the combined effect of lax DMARC, weak DKIM practices, and absent MTA-STS increased the risk that patients might receive “convincing emails that appear legitimate”, especially after a breach.
The controls exist to make attacks more complex or costly to hackers, and their absence or deficiency lowered the bar, he said.
What are security headers, and why are they relevant?
Security headers are instructions sent by a website to a user’s browser that control how content is loaded and how the site can be embedded or interacted with. Burns said some patient-facing ManageMyHealth portals lacked key headers or had them inconsistently configured.
Headers can reduce the impact of certain types of attack by limiting what browsers will execute or accept. He said missing headers showed basic security steps were missing, particularly for login portals.
What is a Content-Security-Policy (CSP)?
The CSP restricts the scripts, styles and resources a browser can load for a website.
Burns said the CSP was either missing or configured in “report-only” mode on some ManageMyHealth internet addresses or entry points, such as website pages and login portals.
Report-only mode logs violations but does not block them. Burns said the CSP could help prevent damage from malicious code.
Not enforcing it could leave browsers without clear instructions on what should be trusted.
What is HSTS, and what does “weak” HSTS mean?
Stand back - it’s an acronym within an acronym: HTTP Strict Transport Security (HSTS) tells browsers a site must always be accessed over encrypted HTTPS connections.
Burns said weak or disabled HSTS settings meant browsers would inconsistently enforce encrypted connections.
Without strong HSTS settings, a user’s browser isn’t being told to always use secure, encrypted versions of sites. That could lead users to insecure or incorrectly routed connections without realising it, Burns said.
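The CSP and HSTS gaps described in the two sections above, as an added example that is not from the article or from Burns' analysis: a Python check that compares the response headers of a main site and a login portal. The hostnames and header values are constructed, and the one-year threshold for a "short" HSTS max-age is an assumption of this example, since the article does not define "weak".

```python
# Added example: flag CSP and HSTS gaps in HTTP response headers.
# Hostnames and header values in SAMPLE_RESPONSES are constructed.
import re

ONE_YEAR = 31536000  # assumption: an HSTS max-age below one year is "short"

def check_headers(headers):
    """Return a sorted list of findings for one response's headers."""
    h = {name.lower(): value for name, value in headers.items()}
    findings = []
    # Only the enforcing CSP header makes the browser block anything;
    # the Report-Only variant just logs violations.
    if "content-security-policy" not in h:
        if "content-security-policy-report-only" in h:
            findings.append("csp-report-only")
        else:
            findings.append("csp-missing")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("hsts-missing")
    else:
        # max-age=0 tells the browser to drop the policy; a header with
        # no usable max-age is treated the same way here.
        match = re.search(r'max-age\s*=\s*"?(\d+)', hsts, re.I)
        max_age = int(match.group(1)) if match else 0
        if max_age == 0:
            findings.append("hsts-disabled")
        elif max_age < ONE_YEAR:
            findings.append("hsts-short-max-age")
    return sorted(findings)

def compare_hosts(responses):
    """Map each host to its findings, so a portal can be set beside the main site."""
    return {host: check_headers(hdrs) for host, hdrs in responses.items()}

SAMPLE_RESPONSES = {  # constructed
    "www.example.test": {
        "Content-Security-Policy": "default-src 'self'",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    },
    "portal.example.test": {
        "Content-Security-Policy-Report-Only": "default-src 'self'",
        "Strict-Transport-Security": "max-age=300",
    },
}

if __name__ == "__main__":
    for host, findings in compare_hosts(SAMPLE_RESPONSES).items():
        print(host, findings or "no findings")
```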

What is DNSSEC, and does it matter?
DNSSEC helps make sure that, when your device looks up a website’s address, it’s being sent to the real site, not a fake or altered one.
Burns said ManageMyHealth’s DNSSEC was partially configured on the main domain and absent on patient portal subdomains.
It does not prevent all attacks and is not universally deployed, but Burns said systems dealing with sensitive data, such as health information, needed layered defences, including this.
What about subdomains - what are they and what was happening?
Subdomains such as app.managemyhealth.co.nz and portal.managemyhealth.co.nz are where users actually log in and access their records.
Burns said these endpoints had “weaker protections” than the main public website, yet it should be the other way around: the most sensitive systems should have the strongest controls.
He said hackers focused on login portals - the subdomains - and not marketing pages.
And CAA - why does that matter?
Certificate Authority Authorisation (CAA) records let a website owner choose which trusted companies are allowed to issue security certificates for their site.
Those certificates use TLS, which stands for Transport Layer Security – the technology that creates the secure “padlock” connection between your browser and a website.
Burns said CAA was on the main site but missing on some login portals.
Without it, a wider range of authorities could issue certificates, which increases risk and exposure if one is compromised or misused. He said it took little effort but reduced risk and should be a given on security-sensitive domains.
Why the email setup is a problem
Burns said ManageMyHealth appeared to be running several email systems at once, with overlapping and incomplete settings.
This increases the chances of authentication failures and delivery errors, and it’s harder to block fake emails. He said this was particularly important during a breach response when trusted communication was critical.
There are 403 error responses
When someone tries to access a web link that doesn’t exist, they get a “404” error. But Burns found that some responses from the ManageMyHealth server gave a “403 Forbidden” response.
That raises a security issue because, even though access is blocked, it can confirm where the sensitive file paths are, and allow hackers to map parts of the system’s structure. Over time, that can make further attacks easier.
Emails to patients also have problems
Burns said the email system used to notify patients since the hack had sent some people blank emails, suggesting a failure in the template used to notify people.
It meant some patients who needed to know if their information had been compromised could still be uninformed, he said. Rather than rely on email, he said people should call ManageMyHealth’s helpline directly, or their GP, to find out if they’re affected.
The Herald has asked ManageMyHealth for the 0800 number it said it was setting up in response to the hack, but the company has not responded.
Is it just a New Zealand problem?
Burns said his analysis showed patient portals operating under the ManageMyHealth brand also existed in Australia and India.
He ran the same checks across domains in all three jurisdictions and said there was a pattern across the sites: the main “marketing” domains had basic security configurations, but patient-facing portals, where users logged in, tended to have missing or weak protections.
Burns said recurring issues across multiple entities and countries can suggest a governance issue rather than a one-off technical mistake.
There is no suggestion ManageMyHealth accounts in Australia and India have been hacked.
What does it mean?
Once there’s a breach, a lot of personal patient information enters the wild. At that point, Burns said, there was a high risk of impersonation, phishing and social engineering.
He said the controls he studied were intended to stop those attacks. Individually, each gap might seem minor, but collectively they raised concerns about basic security protections.
David Fisher is based in Northland and has worked as a journalist for more than 30 years, winning multiple journalism awards, including being twice named Reporter of the Year and being selected as one of a small number of Wolfson Press Fellows to Wolfson College, Cambridge. He first joined the Herald in 2004.