Categories

Tag: information security

Hacking the Hospital: Medical Devices Have Terrible Default Security

 Screen Shot 2014-04-29 at 10.28.40 AM

Scott Erven is head of information security for a healthcare provider called Essentia Health, and his Friday presentation at Chicago’s Thotcon, “Just What The Doctor Ordered?” is a terrifying tour through the disastrous state of medical device security.

Wired’s Kim Zetter summarizes Erven’s research, which ranges from the security of implanted insulin pumps and defibrillators to surgical robots and MRIs. Erven and his team discovered that hospitals are full of fundamentally insecure devices, and that these insecurities are not the result of obscure bugs buried deep in their codebase (as was the case with the disastrous Heartbleed vulnerability), but rather these are incredibly stupid, incredibly easy to discover mistakes, such as hardcoded easy default passwords.

For example: Surgical robots have their own internal firewall. If you run a vulnerability scanner against that firewall, it just crashes, and leaves the robot wide open.

The backups for image repositories for X-rays and other scanning equipment have no passwords. Drug-pumps can be reprogrammed over the Internet with ease. Defibrillators can be made to deliver shocks — or to withhold them when needed.

Doctors’ instructions to administer therapies can be intercepted and replayed, adding them to other patients’ records.

You can turn off the blood fridge, crash life-support equipment and reset it to factory defaults. The devices themselves are all available on the whole hospital network, so once you compromise an employee’s laptop with a trojan, you can roam free.

You can change CT scanner parameters and cause them to over-irradiate patients.Continue reading…

Why Healthcare Should Be Worried About the Target Cyber Attacks

If you are a CEO or COO of a health care organization, and your IT people have been trying to get your attention, it’s time to have a serious sit-down with them.

If they haven’t been trying to get your attention, it’s time to have an more serious sit-down with them, complete with charts and graphs and arrows on fip charts.

Here’s why: Remember in November it was revealed that the Target retail chain’s computer systems were compromised? Some 70 million names, home addresses and phone numbers were stolen (pretty good raw material for identity theft) and 40 million credit card numbers.

It has turned out since then that some two dozen other companies, including Neiman-Marcus, the Michael’s arts-and-crafts chain and the White Lodging Services hotel management firm, have been hacked in similar ways, with the attackers software sitting in the companies’ servers, credit card machines and cash registers often for months before they were detected, sucking down every transaction, every bit of data moved about.

Hey wait, you say, I have every confidence in our computer security. Why we passed a security audit just recently.

Heh. So did Target — just before they discovered the break-in. They got a clean bill of health, and the auditors failed to find the malware installed on every server, every credit card terminal, every cash register.

Why? Because the attackers have gotten way more sophisticated, and they used new techniques and methods of entry. You can now buy ready-made hacking software designed to do this on the Internet for less than $1000.

Here’s the kicker: Target has security guards at the doors, it has those beeper tags on small high-value items so you can’t sneak them out without paying for them, it has burglar alarms — but the perps in the biggest heist in the company’s history entered through the thermostat.

Got that? The thermostat.

Continue reading…

Decentralizing the Analysis of Health Data

The transition from paper to digital health care records promises a significantly enhanced ability to leverage claims and clinical data for secondary uses – uses beyond that for which the health data was originally collected, such as research, public health surveillance, or fraud prevention. Done properly, these secondary uses of data that were originally collected for treatment or payment can aid the creation of a more effective, information-driven health care system. For example, researchers are using digital claims data to provide the public with comparisons of the quality and cost effectiveness of treatment for particular conditions among plans or health care facilities in a given market.

Patient privacy and data security are among the first considerations of agencies establishing such programs, and many agencies have instituted strong technical controls (such as de-identifying the data) and policy frameworks to protect the confidentiality and integrity of the data. Although a strong policy framework is essential, the technical architecture of information exchange is another important factor. This week, the Center for Democracy & Technology (CDT) released a report challenging the prevailing centralized model of health data analysis and urging Dept. of Health and Human Services (HHS) to explore distributed systems for secondary use programs. The paper comes at the same time that the Centers for Medicare and Medicaid (CMS) issued a final rule for its risk adjustment program – mandated by the Affordable Care Act of 2010 – that would use a distributed system as a default, changing course from the proposed rule, which would have required a centralized model.

Continue reading…

Registration

Forgotten Password?