October 16, 2006
Protecting E-health From the Latest Threats
By Blake Sutherland, PEng, CISSP
For The Record
Vol. 18 No. 21 P. 30
Forget hackers. Today’s threats come from
attackers, individuals or groups that aim to do serious damage to a
healthcare facility’s IT systems, including software applications.
Better HIT is essential to the vision of a healthcare
system that puts the patients’ needs and values first and gives
patients and medical professionals the information they need to make
clinical and economic decisions. Indeed, there has been a dramatic increase
in the adoption and reliance on e-health systems, including electronic
medical records (EMRs), picture archiving and communication systems
(PACS), portals, and medical devices. E-health systems are now considered
the foundation for overhauling the current healthcare system, managing
costs, and increasing quality.
Since President Bush’s January 20, 2004, State
of the Union Address, in which he highlighted the potential of computerized
health records for avoiding dangerous medical mistakes, reducing costs,
and improving care, e-health systems have become a major focal point
for a range of stakeholders.
Governments and healthcare organizations will invest
billions of dollars in e-health systems in the months and years ahead.
Today, there are literally hundreds of vendors of e-health systems encompassing
electronic health records (EHRs), PACS, hospital information systems
(HIS), and medical devices. And, while there is no doubt that each of
these vendors is committed to delivering secure solutions, given the
industry is investing heavily in e-health systems, it is critical that
every effort be made to better ensure the integrity, confidentiality,
and availability of these applications and data.
The New Threat
Until recently, attention-seeking hackers were the main IT security
threat to businesses, including healthcare organizations. They would
write code, unleash it into cyberspace, and hope for their 15 minutes
of fame. These types of mass attacks often had no particular target
in mind; they would simply seek out vulnerabilities in a system—typically
in operating systems and networks—and exploit them.
But that was when hackers and their motives were less
dangerous. Recently, security intelligence experts have detected “the
tell-tale signs of organized crime gangs and government espionage in
attacks and a hacker community much more motivated by financial gain
than personal or political fulfillment.”1
Hackers have now become attackers who target particular
organizations, groups, or users. Motivated by money, revenge, and perhaps
terror, they take control of computing devices to steal identities or
confidential data that can then be sold or used for illegal purposes such
as sending spam, and potentially to disrupt operations and service delivery.
And while some attackers may be faceless strangers on the other side
of the world, others lurk in your midst. There is a significant risk
from insiders—employees, contractors, and consultants—who
easily bypass perimeter security and other traditional IT security solutions.
Just a few years ago, healthcare facilities were rarely
the objects of attacks, but now, they’ve become prime targets.
Hospitals, clinics, and medical group practices all contain large amounts
of valuable data—not just confidential patient information but
also financial and personal information about employees, insurance companies,
suppliers, and partners—making them appealing to attackers interested
in financial gain. In 2005 alone, Privacy Rights Clearinghouse identified
more than 10 healthcare organizations, including the University of Florida
Health Sciences Center, Duke University Medical Center, and the University
of Chicago Hospital, that had significant security breaches.
Now that most healthcare organizations have strong perimeter
defenses, including network firewalls, user authentication, configuration
management, and data encryption, attackers have set their sights on
the next most vulnerable part of the system: software applications.
Applications — The Heart of Your Healthcare Facility
Healthcare organizations increasingly rely on computerized e-health
systems and software applications. Large hospitals often have tens of
thousands of e-health systems, ranging from diagnostic systems such
as x-ray and magnetic resonance imaging (MRI) machines to portable bedside
monitors, wireless/telemetry monitors, clinical systems, wireless PCs,
and enterprise servers. Each system contains custom software applications,
which in turn rely on common commercial off-the-shelf (COTS) operating
systems and applications. It is not uncommon for a facility to run hundreds
of applications, including the following:
• EHRs/EMRs;
• patient health records;
• HIS;
• PACS;
• diagnostic systems;
• monitoring systems;
• physician and patient portals;
• clinical and health information systems;
• e-prescribing applications; and
• finance, payroll, and human resource applications.
Without these systems, healthcare facilities cannot
reliably provide the high-quality services they and their patients have
come to expect. And while no one questions the benefits these applications
provide in terms of quality of care, improved communications, operational
efficiency, and savings, it is important to recognize the risks they
introduce.
These software applications come with thousands of vulnerabilities
that can be exploited by an attacker. The potential consequences of
a vulnerability being exploited include an attacker:
• taking full control of a system;
• installing programs;
• viewing, deleting, or changing patient or medical
data;
• creating new accounts with full user privileges;
• denying service (eg, x-ray, MRI); and
• crashing systems.
Why Are Applications Vulnerable?
For one, it’s all but impossible to write perfect code. Most software
has between 1,000 and 1,500 security defects per million lines of code,
and sophisticated software applications typically have millions of lines
of code.2 EHRs/EMRs, for example, are complex systems that typically
consist of an operating system, a database, a Web server, an application
server, and the EHR/EMR application itself. All told, there can be a
hundred million lines of code and as many as 150,000 defects that an
attacker could attempt to exploit to gain access to the heart of a healthcare
organization’s systems. Not all these will be critical vulnerabilities,
but the numbers can be staggering.
Last year alone, 1,500 major software vulnerabilities
were disclosed (SANS, 2005), and more than 10,800 new virus and worm
variants were identified for the Win32 platform in the first half of
2005.3
The other reason applications are vulnerable is that
they are increasingly based on Internet protocols; that is, they are
designed to be remotely accessed by system administrators, medical professionals,
healthcare partners, and patients via the Web. While Web-based applications
offer convenience, efficiency, better service, and savings, they also
fundamentally increase the risk to applications, systems, and sensitive
data.
The Consequences of an Attack
An attacker who successfully exploits an application vulnerability could
quickly and significantly affect a healthcare facility in various ways,
including disrupting services, stealing data and identities, and taking
control of host computers and using them for illicit purposes. The fallout
from these attacks can be devastating.
Quality of care: If an attacker changes patient information
or disrupts hospital services, quality of care can be jeopardized. At
Seattle’s Northwest Hospital & Medical Center, for example,
a 20-year-old attacker in California used a computer “bot”
that caused computer malfunctions. As a result, doors to the operating
room did not open, pagers didn’t work, and computers in the intensive
care unit shut down.4
Financial loss: When an organization’s security
is compromised and publicized, the financial impact can also be significant.
Security breaches not only reduce revenues because of service disruptions,
but they also increase costs. Systems now have to be fixed, plus there
are often penalties, fines, and media relations costs when it comes
to announcing security breaches.
It is estimated that organizations can expect a breach
to cost them $90 per user for investigation fees, communications, clean
up and recovery, customer services, fines, lawsuits, and increased security
audits. This figure does not account for the damage to the corporate
brand and potential market capitalization impacts.5
Customers and patients care a lot about the confidentiality
of their data. “In a national survey of more than 1,000 victims
of personal data security breaches, nearly 20% said they had already
terminated their relationships with companies that maintained their
data, while another 40% said they might do so. And nearly 5% of those
surveyed said they had hired lawyers to seek legal recourse after their
data was put at risk.”6
Compliance and notification: Compliance-related issues
are perhaps the biggest headache related to a security breach. In addition
to HIPAA, which is now reasonably well-understood by most affected organizations,
numerous new breach notification laws cause severe discomfort. They
require healthcare organizations to inform patients if their data has
been compromised or exposed by an attack. There is a patchwork of breach
notification laws, which are either already in place or proposed, in
more than 40 states.
Many of these state laws specify different triggers
for notifications and set varying requirements on what must be disclosed,
to whom, and when. California, for instance, uses an “acquisition
standard” that requires companies to notify consumers each time
their data has been acquired by an unauthorized person. Other states,
including Delaware, Arkansas, and Florida, require companies to notify
consumers of breaches only if the companies believe there’s a
reasonable risk of harm. Some states exempt companies that encrypt their
data from disclosures; others don’t. To make things more complicated,
breach notification is extra-territorial. This means a healthcare provider
who treats an out-of-state resident must adhere to the breach notification
laws of the patient’s home state if their data is compromised.
Three recent examples highlight the scope and critical
nature of this issue and its potential to impede the adoption of e-health
and the benefits derived from it:
• “The FBI is investigating unauthorized
changes made to a MySQL database that underlies an electronic medical
record system at an Indiana-based orthopedics clinic. Orthopaedics NorthEast
(ONE) noticed significant performance slowdowns in January. The changes
were apparently made by an intruder who gained initial access to the
system through a back door in WebChart software from Medical Informatics
Engineering.
On one occasion, the intruder appended characters to
a database query, causing it to crash. On another occasion, the intruder
deleted a print-server directory.
Analysis demonstrated that the intruder accessed the
WebChart system through a proxy server at a hospital; ONE is connected
to the hospital via a virtual private network.”7
• “On an average day, Cleveland Clinic Health
System blocks about 40,000 attacks that attempt to exploit a weakness
in an unpatched PC or try to run an unauthorized query on a PC.”8
• “Georgetown University Hospital in Washington,
D.C., [recently] suspended an electronic prescription pilot program
after learning of a data security breach affecting between 5,600 and
23,000 patients.”9
Current Security Approaches Are Not Adequate
Although healthcare organizations have done much to strengthen their
security with numerous perimeter defenses, many of these measures do
not provide adequate protection because application vulnerabilities
allow them to be readily bypassed. Attackers have set their sights on
applications (or vulnerabilities within the applications) and have proven
time and time again that they are an effective way of compromising a
system.
And while patching software vulnerabilities remains
a key security priority, it’s a race that can’t be won.
Beyond perimeter defenses, many healthcare organizations rely on patches—fixes
provided by software vendors that address specific vulnerabilities.
However, the time between the publication of a vulnerability and the
malicious code that exploits it has narrowed sharply—from months
and weeks down to days. In some cases, attacks occur before the vulnerability
is even discovered or announced (so-called zero-day attacks).
Meanwhile, the time to create patches and distribute
them remains relatively fixed and dangerously long because they need
to be tested, installed, and scheduled to minimize disruption. Because
deploying patches can affect manufacturer warranties, many medical devices
are left unpatched for long periods of time.
Reducing Risk
It is impossible to remove every possible security risk to any business,
so it’s important to determine what level of risk you are willing
to assume and then cost-effectively implement security processes and
technology that reduce the risk to an acceptable level.
In addition to arming themselves with relevant and timely
threat information, educating staff about security, and imposing security
requirements with healthcare partners, there are several other steps
healthcare organizations can take to determine their vulnerability and
prevent attackers from exploiting applications.
Step 1: Perform an Application Vulnerability Assessment
An application vulnerability assessment helps determine system vulnerabilities.
An application assessment, which can take as little as a day to perform,
uses special software to systematically test for thousands of known
vulnerabilities. It then categorizes the vulnerabilities by degree of
severity.
Healthcare organizations can prioritize these vulnerabilities
for further action and decide whether they are prepared to accept the
potential medical, business, and legal risks.
Step 2: Demand Better Accountability From Your Application Software Vendors
Ask software and system vendors to disclose application vulnerability
information. Not only does this provide the information needed to better protect
facilities, it also shows vendors that their customers are aware of potential
flaws in their software. The more healthcare organizations demand accountability
from vendors, the more care vendors will take to reduce vulnerabilities
in their products. Healthcare organizations should consider participating
in vulnerability reporting programs—such as the eHealth Vulnerability
Reporting Program (www.ehvrp.org)—that strive to ensure greater
security of e-health systems.
Step 3: Implement a Defense-in-Depth Strategy
Defense-in-depth assumes that no single component, policy, or process
can ensure security. The modern computing environment is too complex
and diverse. Attackers have access to the same vulnerability bulletins
as everyone else—and a growing range of automated tools with which
to exploit them.
The potential risk of failure and regulatory penalties
requires that security managers not just arm themselves against a minimum
standard of documented threats but also anticipate the unknown—in
effect to “prove a negative” and show they are not insecure.
Intrusion prevention systems are an integral part of a comprehensive
defense-in-depth strategy.
While the complexity of e-health systems, software,
and applications will continue to present a daunting security challenge
for many, following these security guidelines will help healthcare providers
significantly reduce the risk and associated consequences of an attack,
enabling hospitals and medical centers to deliver on the promise of
lower costs and higher quality care.
— Blake Sutherland, PEng, CISSP, is vice president
of product management at Third Brigade.
References
1. Forrester Research. Increasing Organized Crime Involvement Means
More Targeted Attacks, August 2, 2005.
2. Jones C. Software Assessments, Benchmarks, and Best
Practices. New York: Addison-Wesley Professional, 2000.
3. Secure Computing, March 2006.
4. Computerworld, February 13, 2006.
5. Liton A. “Online Fraud Solved.” Gartner
Session, IT Security Summit. July 2006.
6. Computerworld, September 28, 2005.
7. Computerworld, February 10, 2006.
8. “Locking Intruders Out! Securing Healthcare
Data,” presented at HIMSS 2006.
9. Wired News, July 25, 2006.