Daxdi now accepts payments with Bitcoin

Your Personal Health Data Is Not Safe

(Image: Getty)

Electronic medical records are an incredible boon to care.

When necessary, doctors can obtain important information like your allergies, medical history, and known conditions, which can make all the difference in an emergency.

By the same token, letting that information fall into the wrong hands could be a serious problem.

Regulations like HIPAA aim to promote a super-high standard of security for personal medical information, with massive fines for failure.

But a fine for security failure doesn’t necessarily create security success.

Doctors and medical organizations rely on software vendors for secure systems, and as we’ve seen, software can be buggy.

Worse, the medical organizations don’t have the knowledge to correctly use the secure systems and keep them disconnected from insecure systems.

Seth Fogie, Information Security Director for Penn Medicine, performed what he called an on-screen biopsy of healthcare security in the US for Black Hat attendees.

It wasn’t pretty.

Known Problems

Fogie introduced himself, noting that he presented at Black Hat 16 years ago on the topic of Pocket PC security abuse.

That seems dated today, but as he pointed out, Windows CE and other antiquated, insecure systems are still used in the healthcare industry.

System vulnerabilities are being exploited and used.

“Patient records are being exploited and sold,” explained Fogie.

“There is monetary value.”

In the security business, you often hear about zero-day vulnerabilities, security holes that are so new nobody has seen them before.

Fogie characterized the health industry’s problems as one-day vulnerabilities.

They’re known, but not fixed.

“H-ISAC (Health Information Sharing and Analysis Center) is aware, the vendors are aware, but there’s no guarantee of remediation,” said Fogie.

He noted that no vendor names will appear in his talk.

“My aim is to bring awareness to the public, guidance to the vendors, and insight for security folks.”

The Black Hat Clinic

Fogie cast his engaging presentation as a story about a visit by Alice and Bob to the Black Hat Clinic.

Security wonks will remember Alice and Bob from the original cryptographic paper in which Rivest, Shamir, and Adelman laid the groundwork for public key encryption.

Now they’re much older, and Bob needs attention at the clinic.

Drawing on his actual experience testing security, Fogie examined seven distinct types of medical systems that could be compromised, some with disastrous results.

The story begins with an unfamiliar face appearing on the TV in Bob’s room and making a vague threat.

How could that happen? Turns out it’s not a TV; it’s a Patient Entertainment System.

As such it can handle meal orders, accept screencasts from doctors, and more.

And it’s not secure.

Medical staff these days use clinical productivity software.

Doctors’ notes go into it, as do insurance coding data, patient instructions, and more.

Fogie found a backdoor that gave access to more than 100,000 patient records.

Drug dispensing and monitoring must surely be the most secure, right? Well, no.

Fogie found an easy way in.

“We could dump usernames and passwords,” he explained, “and gain access to the drug distribution system.

We could add ourselves as a user at any level.

What a headache! We could even steal some acetaminophen.”

Fogie noted that the vendor fixed this one right away, and that they didn’t really steal any headache pills.

The litany went on.

Fogie found flaws in the temperature-monitoring system that could let a malefactor take control, resulting in ineffective meds or even poisoning.

That Nurse Call system? It’s not just a buzzer, it’s a full-scale app, and it has a hardcoded backdoor password.

As for the imaging system, they got access easily by tweaking the code to only accept the wrong password.

Finally, Fogie and his team gained full access to the “Downtime Device” that provides local information to a clinic when its datacenter is unavailable.

“That’s 225,000 patient records compromised, with little effort,” concluded Fogie.

“That could be worth $2,250,000 or even $225,000,000.

If we extrapolate this out, well, I probably could have named this a trillion-dollar issue.”

Watch the Red Flags

You might think finding security holes in medical devices and apps would take months of painstaking work, but it isn’t so.

Fogie and his team spend two to four hours looking for specific security red flags, and all too often they find them.

Among the things they look for are hard-coded backdoor passwords, which all too often contain the word “backdoor.” Seriously! Authentication that just takes place on the local device is another problem, because it’s easily hacked.

With simple tools, a testing team can view source code for apps and even modify them in place.

Fogie encouraged health care security teams to use Penn Med’s red flag techniques.

“If you have an opportunity when you’re out there doing a pen-test, look at the applications,” he said.

“You may find something interesting.” He concluded with a plea to healthcare application vendors.

“We’re talking about patient care here,” he said, “so this is a patient data privacy and security issue.

Don’t make our job harder!”

(Image: Getty)

Electronic medical records are an incredible boon to care.

When necessary, doctors can obtain important information like your allergies, medical history, and known conditions, which can make all the difference in an emergency.

By the same token, letting that information fall into the wrong hands could be a serious problem.

Regulations like HIPAA aim to promote a super-high standard of security for personal medical information, with massive fines for failure.

But a fine for security failure doesn’t necessarily create security success.

Doctors and medical organizations rely on software vendors for secure systems, and as we’ve seen, software can be buggy.

Worse, the medical organizations don’t have the knowledge to correctly use the secure systems and keep them disconnected from insecure systems.

Seth Fogie, Information Security Director for Penn Medicine, performed what he called an on-screen biopsy of healthcare security in the US for Black Hat attendees.

It wasn’t pretty.

Known Problems

Fogie introduced himself, noting that he presented at Black Hat 16 years ago on the topic of Pocket PC security abuse.

That seems dated today, but as he pointed out, Windows CE and other antiquated, insecure systems are still used in the healthcare industry.

System vulnerabilities are being exploited and used.

“Patient records are being exploited and sold,” explained Fogie.

“There is monetary value.”

In the security business, you often hear about zero-day vulnerabilities, security holes that are so new nobody has seen them before.

Fogie characterized the health industry’s problems as one-day vulnerabilities.

They’re known, but not fixed.

“H-ISAC (Health Information Sharing and Analysis Center) is aware, the vendors are aware, but there’s no guarantee of remediation,” said Fogie.

He noted that no vendor names will appear in his talk.

“My aim is to bring awareness to the public, guidance to the vendors, and insight for security folks.”

The Black Hat Clinic

Fogie cast his engaging presentation as a story about a visit by Alice and Bob to the Black Hat Clinic.

Security wonks will remember Alice and Bob from the original cryptographic paper in which Rivest, Shamir, and Adelman laid the groundwork for public key encryption.

Now they’re much older, and Bob needs attention at the clinic.

Drawing on his actual experience testing security, Fogie examined seven distinct types of medical systems that could be compromised, some with disastrous results.

The story begins with an unfamiliar face appearing on the TV in Bob’s room and making a vague threat.

How could that happen? Turns out it’s not a TV; it’s a Patient Entertainment System.

As such it can handle meal orders, accept screencasts from doctors, and more.

And it’s not secure.

Medical staff these days use clinical productivity software.

Doctors’ notes go into it, as do insurance coding data, patient instructions, and more.

Fogie found a backdoor that gave access to more than 100,000 patient records.

Drug dispensing and monitoring must surely be the most secure, right? Well, no.

Fogie found an easy way in.

“We could dump usernames and passwords,” he explained, “and gain access to the drug distribution system.

We could add ourselves as a user at any level.

What a headache! We could even steal some acetaminophen.”

Fogie noted that the vendor fixed this one right away, and that they didn’t really steal any headache pills.

The litany went on.

Fogie found flaws in the temperature-monitoring system that could let a malefactor take control, resulting in ineffective meds or even poisoning.

That Nurse Call system? It’s not just a buzzer, it’s a full-scale app, and it has a hardcoded backdoor password.

As for the imaging system, they got access easily by tweaking the code to only accept the wrong password.

Finally, Fogie and his team gained full access to the “Downtime Device” that provides local information to a clinic when its datacenter is unavailable.

“That’s 225,000 patient records compromised, with little effort,” concluded Fogie.

“That could be worth $2,250,000 or even $225,000,000.

If we extrapolate this out, well, I probably could have named this a trillion-dollar issue.”

Watch the Red Flags

You might think finding security holes in medical devices and apps would take months of painstaking work, but it isn’t so.

Fogie and his team spend two to four hours looking for specific security red flags, and all too often they find them.

Among the things they look for are hard-coded backdoor passwords, which all too often contain the word “backdoor.” Seriously! Authentication that just takes place on the local device is another problem, because it’s easily hacked.

With simple tools, a testing team can view source code for apps and even modify them in place.

Fogie encouraged health care security teams to use Penn Med’s red flag techniques.

“If you have an opportunity when you’re out there doing a pen-test, look at the applications,” he said.

“You may find something interesting.” He concluded with a plea to healthcare application vendors.

“We’re talking about patient care here,” he said, “so this is a patient data privacy and security issue.

Don’t make our job harder!”

PakaPuka

pakapuka.com Cookies

At pakapuka.com we use cookies (technical and profile cookies, both our own and third-party) to provide you with a better online experience and to send you personalized online commercial messages according to your preferences. If you select continue or access any content on our website without customizing your choices, you agree to the use of cookies.

For more information about our cookie policy and how to reject cookies

access here.

Preferences

Continue