Viruses, bugs and hackers can thrive in health care settings, according to cybersecurity experts who have analyzed hospital IT security.

Doctors want to keep the operating room sterile to protect you from germs. But what are hospitals doing to protect you from cyber infection? A check-up on the health care industry shows poor marks for cyber hygiene, experts say.

“As a tester who has worked in many industries, health care is the absolute worst in terms of security,” said Avi Rubin with  the Information Security Institute at Johns Hopkins University, according to The Register.

Rubin spoke about the deficiencies in the medical industry at the Enigma conference in San Francisco this week.

“You’ve got doctors with god complexes, regulators who sometimes do and sometimes don’t understand the impact of their decisions, patients who want access to their medical data in real time on their mobile device (and make sure nobody else can see it), and entrepreneurs churning out new devices, systems and protocols at warp speed,” he wrote online. 

He described nightmarish security practices, reported The Register, including a medical center that permitted thousands of staff members at all levels to access all records at the hospital, and another facility that let a medic use the same laptop for both downloading his kids’ games—a potentially risky activity—and logging onto hospital servers.

In addition, the article said, Rubin discovered a computer that produced DVDs of patient X-rays that could allow a hacker to insert malware into the DVDs and spread the bug throughout the hospital, and even into patient homes.

“He found a litany of basic errors putting patients’ data, and in some cases actual lives, at risk,” reported The Register.

Another presenter at the conference, Kevin Fu, outlined problems with a pacemaker that a bad guy could get into and change the beat, and a medical device company that actually sent out 38 different cyber bugs with its device update, which then spread to hospitals.

Not your problem?

The problem affects you, even if you are lucky enough to stay out of the hospital.

The number of people whose information was accessed in health care data breaches in 2015 is staggering. Ten million people in the Excellus Health Care breach. Eleven million in the Premera Blue Cross Breach. Almost 79 million in the Anthem breach. Those were just a few of these kinds of breaches last year. And experts predict more health care hacks to come.

“It was like a plague, to use a medical term,” said Patrick C. Miller with Archer Security Group. “One after another got popped. Millions and millions of records, like dominoes.”

“You’d think that after one or two of them got hit that somebody would have thought, ‘Hey, we’re a health care database. What are we doing to prevent this from happening to us?’” he said. “But nobody decided to fix the problems, knowing there’s basically a tsunami headed their way.”

New reports 

Just today, new reports came out about missing health care data for almost a million people.

Health insurance company Centene announced that six hard drives were unaccounted for after doing an inventory, and that 950,000 people were affected.

“Centene has determined the hard drives contained the personal health information of certain individuals who received laboratory services from 2009-2015 including name, address, date of birth, social security number, member ID number and health information,” the company said in a statement.

Take two apps & call me in the morning

You can download more and more health care apps onto your phone or tablet. But a recent report shows many health care apps are not secure.

Arxan Technologies tested 71 mobile health care apps in the U.S., U.K., Germany and Japan, including some apps approved by the Food and Drug Administration. But the report said that 86% of those apps were vulnerable to security risks, specifically, some of the top ten mobile security risks as laid out by the Open Web Application Security Project.

“Health care organizations are among the top targets of cybercriminals in search of valuable patient data and intellectual property,” said Patrick Kehoe of Arxan. “However, the stark reality is that mobile application security is still lagging.”

On top of that, he said most people the company surveyed believe their apps are adequately secure and that app developers are doing everything they can to protect them.

Medical devices

Dick Cheney may have been ahead of his time when he had the wireless capability of his defibrillator—implanted in 2007—disabled.

Researchers have now shown that pacemakers, defibrillators, insulin pumps and other infusion pumps that deliver drugs into your system are hackable.

In May, the FDA issued a warning about the Hospira LifeCare PCA3 and PCA5 Infusion Pump Systems, saying, “An unauthorized user with malicious intent could access the pump remotely and modify the dosage it delivers, which could lead to over- or under-infusion of critical therapies.”

In July, the FDA took an even stronger step, recommending doctors and patients stop using the Hospira Symbiq Infusion System because of cybersecurity vulnerabilities that would allow an attacker to change the dosage.

The FDA issued draft guidelines for cybersecurity in medical devices this month. The agency asked makers to keep medical devices updated and secure throughout the life of the device, so patients aren’t left with security holes in the very devices that keep them alive.

“The exploitation of vulnerabilities may represent a risk to the safety and effectiveness of medical devices and typically requires continual maintenance throughout the product life cycle to assure an adequate degree of protection against such exploits,” the guidelines said. “Proactively addressing cybersecurity risks in medical devices reduces the patient safety impact and the overall risk to public health.”

What is going wrong?

The traditional hospital security guard—in uniform, posted at the door—won’t be able to stop these kinds of attacks.

“Security at hospitals has been concentrated on protecting staff and patients from physical attacks, protecting drugs from theft, and protecting the privacy of physical medical records,” said Patrick Coyle with Chemical Facility Security News.

“This is actually a pretty standard security model for most industries—focus on those things that have been a problem in the past,” he added. 

Looking toward the present and future may seem overwhelming, he said.

“The problem that hospitals—and many other organizations—are having in responding to cybersecurity threats is that there are so many things wrong with computer systems in the hospital—which were never designed with security in mind—that trying to fix them all looks like an insurmountable problem,” Coyle explained.

Design flaws

The health care data breaches appeared to start with social engineering of a human, not hacking a computer, said Jim Feely with Archer Security Group.

“This is happening in health care, in the attacks in the power industry in the Ukraine, and elsewhere. You name it, if it’s a modern data breach, it probably involved a human failure at the beginning,” he said.

“The attack vectors aren’t a mystery,” he added. “They come from Internet e-mail, Internet websites, telephone calls, and thumb drives.”

Feely said training people to use better computer hygiene, to stop clicking on unexpected e-mail attachments, can help, but the system needs more. He recommended that organizations do a better job of designing their systems to account for human error.

“In the Anthem health care breach, a privileged user’s credentials were stolen over the Internet and used to access personally identifiable information of 80 million customers,” he said. “Why would the admin ever use credentials for a critical system while on the internet?”

“Why would a complete and critical data set ever be allowed to be accessed over the Internet?” he asked. “Why would someone be allowed to give away their credentials to any critical system? Why would anyone—physically or electronically—be allowed to connect removable media [thumb drives, etc.] to systems that are connected to critical systems? These are all system design flaws.”

Better ‘hygiene’

These social engineering problems can be limited with the right information system architecture, Feely said.

He recommended segregating critical systems and the control of the critical systems from the Internet, implementing two-factor authentication, and physically and administratively preventing the use of removable media.

“The solutions are inconvienient and they cost time and money, but we could start the transition to more secure architectures in 2016,” he said. “All we need is the will and the belief that protecting what we call ‘critical’ is worth the cost.”

Connections

Cybersecurity, in many cases, is about connections—connections between humans and the computers we use, and connections between “safe” computer areas and “unsafe” computer areas.

That is why experts advise ‘segmentation’ and ‘segregation’ for computer networks, to keep easily-infected things away from the critical stuff—just like an operating room at a hospital.

“Network segmentation can be complex and expensive, but is absolutely worth it for high assurance environments—like life and death situations,” said Miller. “It should be done and it will take risks down significantly.”

He gives his ‘starter checklist’ for securing medical devices, what he calls the ‘low bar’:

1. Basic HMI [human machine interface] hygiene: strong passwords/authentication, least-privilege for accounts, patching, antivirus, intrusion detection, integrity monitoring or whitelisting (where possible).
2. Strong network segmentation, with secure enclaves for OT [operational technology] where network traffic only flows out of the secure network to DMZ [demilitarized zone, a segregated area] for data transfer. Then monitor the secure enclave networks very closely for anything out of the ordinary.
3. Strong physical protection so that no USB, serial or other hardware ports can be accessed without special tools/keys.

App hygiene

For those popular health care apps, Arxan wants the government to require some sort of rating system or ‘seal of approval,’ so consumers will know more about the risks of each app.

Until that happens—if that happens—you are on your own.

Arxan offers this advice:

• Only download apps from authorized app stores.
• Don’t jailbreak or root your phone or tablet.
• Demand more transparency about the the security of the apps you are using.

“For example, many foods you purchase are required to be labeled with nutrition information to help you make better-informed decisions,” said Kehoe of Arxan. “Before you download a mobile app, wouldn’t you want to know what risks you may be opening yourself up to? Become an advocate for app security certification and risk transparency.”

Progress

The situation is getting better, according to the presenter, Fu, as reported in The Register.

“I’m now seeing device manufacturers designing in security at the whiteboard stage,” he said in the article. “It took the medical profession over 100 years to accept that hand-washing by staff reduced deaths, but front-end devices in hospitals should be much better in a few years.”