Security gaps in various health apps have been discovered by security researcher Martin Tschirsich. In addition to unauthorized access to various health data and doctor-patient chats, the identities of the doctors were also at risk via a password reset function. This vulnerability affects popular health apps such as “My Pediatrician,” “My GynPraxis,” and “My ENT Doctor.” The app developer, Monks Ärzte im Netz GmbH, has deactivated the password reset function and plans to use two-factor authentication and end-to-end encryption in the future.
Monks also acknowledged that some code was accidentally left out before deployment, causing the security gaps. Although the company promptly fixed the bug within 24 hours, the incident highlights the need for a secure digital infrastructure for the healthcare system. The lack of secure digital identities makes it possible for attackers to pose as patients or medical practices.
To address this issue, the company (Monks Ärzte im Netz GmbH) plans to improve its patient identification procedure. In the future, insured persons will download the app and be listed as “not verified” by default. Only in the doctor’s office can the insured verify themselves, using a temporary QR code. Monks assures that it is impossible for third parties to pass themselves off as a practice without being noticed, since medical practices are checked twice before they can use the app.
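The enrolment flow described above (default “not verified”, promotion to “verified” only through a temporary QR code shown inside a vetted practice) can be modelled as a small state machine. The following is an added illustration, not code from Monks Ärzte im Netz GmbH or from the apps named here; the class and method names, the five-minute code lifetime, the single-use rule and the practice allowlist are all assumptions chosen to show why the code must be short-lived and non-replayable.

```python
"""Added example (not the vendor's code): a patient record that starts as
"not verified" and is promoted only by a short-lived, single-use QR token
issued by a practice on an approved list. All names and limits are assumed."""
import secrets
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL_SECONDS = 300  # assumed lifetime of the QR code displayed in the practice


@dataclass
class Patient:
    patient_id: str
    status: str = "not verified"       # default state right after app download
    verified_by: Optional[str] = None  # practice that performed the in-person check


@dataclass
class QrToken:
    practice_id: str   # which vetted practice issued the code
    expires_at: float  # absolute time after which the code is rejected
    used: bool = False # a code may promote exactly one patient record


class FakeClock:
    """Constructed clock so the expiry path can be exercised deterministically."""
    def __init__(self, start: float) -> None:
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class EnrollmentService:
    def __init__(self, approved_practices, clock) -> None:
        self._approved = set(approved_practices)  # practices that passed vetting
        self._clock = clock                        # injected so callers control time
        self._patients: dict[str, Patient] = {}
        self._tokens: dict[str, QrToken] = {}

    def register_app(self, patient_id: str) -> Patient:
        patient = Patient(patient_id)              # nothing is trusted yet
        self._patients[patient_id] = patient
        return patient

    def issue_qr_token(self, practice_id: str) -> str:
        if practice_id not in self._approved:
            raise PermissionError("only vetted practices may issue verification codes")
        token = secrets.token_urlsafe(32)          # unguessable opaque value
        self._tokens[token] = QrToken(practice_id, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def verify_in_practice(self, patient_id: str, token: str):
        """Called when the app submits a scanned code. Returns (ok, reason)."""
        patient = self._patients.get(patient_id)
        if patient is None:
            return False, "unknown patient"
        record = self._tokens.get(token)
        if record is None:
            return False, "unknown token"
        if record.used:
            return False, "token already used"    # replay of a scanned code
        if self._clock() > record.expires_at:
            return False, "token expired"          # code left the practice long ago
        record.used = True
        patient.status = "verified"
        patient.verified_by = record.practice_id
        return True, "verified"

    def status(self, patient_id: str) -> str:
        return self._patients[patient_id].status


def demo() -> dict:
    """Walk through the happy path, a replay and an expired code."""
    clock = FakeClock(1_000.0)
    svc = EnrollmentService(["practice-A"], clock.now)  # constructed practice id
    svc.register_app("patient-1")
    initial = svc.status("patient-1")
    token = svc.issue_qr_token("practice-A")
    first = svc.verify_in_practice("patient-1", token)
    replay = svc.verify_in_practice("patient-1", token)
    stale = svc.issue_qr_token("practice-A")
    clock.advance(TOKEN_TTL_SECONDS + 1)
    svc.register_app("patient-2")
    expired = svc.verify_in_practice("patient-2", stale)
    return {
        "initial": initial,
        "first": first,
        "replay": replay,
        "expired": expired,
        "patient-1": svc.status("patient-1"),
        "patient-2": svc.status("patient-2"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two rejection branches are the point: a code that could be reused or that stayed valid indefinitely would let a photographed or forwarded QR code verify a record outside the practice, which is exactly the identity-spoofing risk the article describes. Binding each code to a vetted practice id also records which office vouched for the patient.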
Despite the vulnerabilities, the company states that it doesn’t collect any data and hasn’t sold any to third parties. Its aim is to offer doctors an internet platform that is not funded by investors.