It’s Way Too Easy to Hack the Hospital

I&#x27;ve been in Healthcare IT for a decade and a half or so, and I think there&#x27;s definitely a reckoning coming with regard to the lapses in security.<p>I think honestly, the only thing that&#x27;s kept this from being a problem with greater consequence is that to date it hasn&#x27;t been clear that there&#x27;s a real path to monetization of health data. It&#x27;s been a lot more profitable to chase down credit card #&#x27;s and mass email&#x2F;password combinations that lead to banking access.<p>I&#x27;ve long wondered when a solid monetization strategy for health data would show up and we&#x27;d see a quick rush to target these datasets. Trends that I see that make me think we&#x27;re getting closer:<p>1. Systems are increasingly net-connected, obviously. In some ways it&#x27;s increasing security (literally most hospitals I&#x27;ve been in you could plug into any ethernet port in the building and be on a network where pretty sensitive data is sent in the clear), but it&#x27;s making these systems available to a larger number of interested attackers<p>2. Patients have accounts now. Health data is suddenly a not-insignificant source of email&#x2F;password combinations for patients (previously just employees). Pretty reasonable to expect that health systems may be the source of future Gawker-style breaches for collecting poorly protected user credentials that can be used elsewhere.<p>3. The uptick and cost-effectiveness of encryption-ransomware, personal and corporate. It&#x27;s been interesting to see cases where the data itself isn&#x27;t monitezed because it has some broad market value, but solely by threatening the owners with it&#x27;s release or exposure. I won&#x27;t be surprised if Healthcare organizations or individual patients find themselves victims of extortion either by threatening to publish sensitive health data, or to destroy it.<p>There is (finally) an extra-linear increase in attention to this issue in Health IT, but there&#x27;s also quite a large backlog of debt and an enormous number of systems deployed that were built for a different reality than current exists.

Many people throw hospital security into the pile of &quot;well, lots of people don&#x27;t care about infosec!&quot; In my opinion, this stance is incorrect.<p>I&#x27;ve performed security assessments against many different industries, including banks, large enterprise, barely-funded startups, nuclear power facilities, law firms, hospitals, and more. In each of these fields, you see the &quot;good guys&quot; and the &quot;bad guys&quot; in terms of IT security strength. In hospitals, though, <i>the whole field</i> is terrible. The best of the best -- high-tech facilities that actually care about security -- are still doing terribly compared to the average large enterprise.<p>Health records are becoming more valuable, and not just because of blackmail. Insurance fraud and identity theft are feasible if you&#x27;ve stolen someone&#x27;s health records, and the information stored within is only getting broader.<p>Hospitals wouldn&#x27;t let their medical tech slip this far. They shouldn&#x27;t let their security slip, either.

Forget about hacking devices. We once walked into a hospital to talk to nurses and show them a tablet app to access notes lab results etc.<p>The scary part was that the server room with the PACS and everything else in the building was unprotected with unlocked doors and nobody particularly caring we were there.<p>Imagine walking into a random law firm and walking into the server room with the ability to copy all data from all the clients.<p>Not cool, at all.

“I appreciate you wanting to jump in,” Rick Hampton, wireless communications manager for Partners HealthCare System, said, “but frankly, some of the National Enquirer headlines that you guys create cause nothing but problems.”<p>This right here is the problem - Researchers unveiled serious threats in the hardware - the ones described in the article could all be used to kill. And the response to that? &quot;Shut up, you&#x27;re scaring people&quot;.<p>Those headlines should be scaring people because they are scary!

Elliot in the Mr.Robot tv-series explains why <a href="https:&#x2F;&#x2F;www.youtube.com&#x2F;watch?v=g6gG-6Co_v4" rel="nofollow">https:&#x2F;&#x2F;www.youtube.com&#x2F;watch?v=g6gG-6Co_v4</a>

<i>Basically, they would log on from their control server in Eastern Europe to a blood gas analyzer; they’d then go from the BGA to a data source, pull the records back to the BGA, and then out. Wright says they were able to determine that hackers were taking data out through medical devices because, to take one example, they found patient data in a blood gas analyzer, where it wasn’t supposed to be.</i><p>Not to minimize the problems with the BGA or with other devices, but this points at least as much to a problem with the &quot;data source&quot;, which is left unidentified in TFA. One reason the BGA wouldn&#x27;t be worried about protecting PII might be that... it should never have PII in the first place. There&#x27;s a HIPAA violation somewhere, but I don&#x27;t think it&#x27;s in the BGA, and the BGA isn&#x27;t the only host that&#x27;s assuming a safe network.<p>Target, Home Depot, etc. have been justifiably criticized for operating their POS devices as if firewalls could possibly be sufficient to protect a large network. Hospitals might consider themselves more noble than mere stores, but it doesn&#x27;t make a difference to a hacker.

Few people care about IT security; it&#x27;s not just in healthcare. It doesn&#x27;t matter how high the stakes are, for some reason people just don&#x27;t feel threatened. To see the pattern think of the attitude in almost every context you can think of:<p>* Business<p>* Individual citizens, who seem to care little about the confidentiality of their personal information<p>* Government<p>* Developers of most software. Even RSA was hacked.<p>* Even national security organizations: The OPM hack; Snowden walking out of the NSA with all that secret data; CIA leaders taking home top secret information, etc.<p>Perhaps it&#x27;s human nature. On the other hand, when it comes to physical security, people often tend to overreact.

Good god that is an ugly article. I thought the page didn&#x27;t load properly at first.

I&#x27;ve been working in this sector for a year and this certainly aligns with everything that I&#x27;ve seen so far.<p>Luckily some vendors are starting to take security very seriously (by hiring people like me, for example).

I think there are two components to this:<p>First, HIPAA requirements are in part IT requirements. Every single hospital works really hard to comply with these, because there are huge fines if they don&#x27;t. Some of the problems with hospital IT security might be due to defects in the already quite onerous HIPAA specification.<p>The second is that hospitals are extremely low-margin institutions. Most hospitals (even the really big ones) just break even, especially if they&#x27;re teaching hospitals or serve poorer areas. IT security doesn&#x27;t really produce any revenue.<p>I agree it&#x27;s a problem. This needs a systemic solution–who would pay for IT fixes? Reimbursement is declining and government payment sucks. Most hospitals are in crisis mode as it is.

In a sense the name says it all: HIPAA&#x27;s about Portability and Accountability, less about security.<p>I worked on a few security consulting projects in healthcare. The HIPAA security rule is way more vague about actual controls than a rational person would assume; much more than analogous regulations on financial data (e.g. PCI-DSS). The HITECH amendment added a lot of breadth regarding which parties must comply, but did little to proscribe specific controls. Most providers, contractors, etc. use a framework called HITRUST that attempts to identify and map actual security controls to HIPAA, but even that is not super actionable.<p>One of the hardest problems to solve is the immediate criticality of patient data. You absolutely cannot have someone die because a nurse or doctor forgot their password and couldn&#x27;t look up medical history. Makes practitioners resist adoption, and you end up with &quot;break the glass&quot; (emergency security bypass) functionality on a lot of sensitive systems&#x2F;data.

The idea of setting up an open hardware lab for these devices, and some kind of bake-off, is awesome.<p>Also, I wish someone could do a medical device network security system -- it really isn&#x27;t the core competency of any of the hardware vendors, and yet is something you can&#x27;t get wrong. The public protocols (DICOM, HL7, etc.) are at best baroque and don&#x27;t include the details which matter to security. I wish this didn&#x27;t have to be a company -- it really could be something funded by NIH or a consortium of device vendors or medical institutions -- but it probably has to be in order to be effective. There&#x27;s a need for an open standard for medical device security over top of all this, but rather than just publishing a standard, it would be easier to provide working end to end network from device to information system.

My university IT (which also runs a huge hospital network) seems to have no idea how to secure their data. Their solution is to encrypt everything, as if disk encryption and VPNs are enough to prevent data theft. They rolled out a csmpus-wide VPN requirement recently based on a Juniper networks system - the exact same system that led to the Anthem data breach that lost 80 million patient records (because Juniper had a slow patch cycle after Heartbleed). No two-factor auth on the VPN, so any one of 50,000 employees with phished credentials could give an attacker VPN access. Meanwhile all the actual patient databases are old, leaky systems they seem uninterested in upgrading. Sheer lunacy.

This is, to a large extent, scaremongering. While there are some valid points made in the article, the article fails to differentiate between security problems that can be exploited by trolls or single, untrained individuals, and ones that take a powerful team working on behalf for a government or other such group to exploit. It&#x27;s the difference between the hospital being defended against your average thief, and being defended against a strike squad of ninjas. Despite this, the article does make good points when it comes to the lack of worry about the problems they found. Even though these vulnerabilities may be over hyped, they are real and the lack of focus on these vulnerabilities is chilling. The real underlying problems for this stem not from an industry that leaves bugs in applications designed for high security, but in the fact that the industry doesn&#x27;t realize that security needs to be the default, whether or not you see exploits being used.

Medical services is one of the worst sectors with very poor &#x27;right&#x27; investments in technology.<p>There are many gaps while some significantly standout compared to others.<p>* As highlighted in this article, Security is a huge issue. Given the sensitivity of the data, the sad state of infrastructure does not do any justice.<p>* A lot of the infrastructure is still paper based. The digital revolution is way behind its time in this sector.<p>* Medical sciences which is supposed to revolutionize has most of its spend in regulations rather than technology. The advancements in science are excruciatingly slow. Drug discovery has slowed down tremendously.<p>Not to mention, the poor patient-experience and lack of reach of medicine to the poorest of society.

At one of the hospitals I work at they have thousands of computers still running Windows XP and IE 6 that are insecure. It would be very easy to hack.

AFAIK drchrono is the only major electronic healthcare record provider that has a bug bounty program.

The &#x27;glitch&#x27; CSS on this page is a great touch! Good work, Bloomberg!