A breach of personal health information (PHI) carries an emotional component quite unlike the breach of credit-card information. Credit cards can be cancelled and reissued, but personal health information can't be voided after it is compromised in a data breach. Attacks directed at financial services institutions and retailers like Target and Home Depot may gain more publicity, but the compromise of health information elicits a far deeper feeling of a violation of personal privacy. This emotional element has been heightened by news of hacks against medical devices such as insulin pumps and pacemakers.
There are rational reasons to be concerned. The Ponemon Institute 2013 Cybersecurity Salary Benchmarking Report showed that healthcare was at the bottom of compensation for information security staff. Most of the IT security dollars go toward demonstrating HIPAA compliance rather than actually securing personal health information. The May 2014 BitSight Technologies Insight Report found that healthcare had the lowest security rating of the sectors covered in the study, including retail. Healthcare providers do not perceive security to be a strategic business issue, and the smaller units in the information chain--doctors, diagnostic centers, and clinics--have neither the knowledge nor the resources to begin to address data security.
The picture gets even bleaker when medical devices are considered. Assessments of the medical devices used in clinics and hospitals around the country reveal a variety of serious security issues. In many cases, devices were built before the risk of compromise was considered, so they have no security controls or the ability to be updated to address security concerns. In my work I have assessed various types of medical devices, including Class II medical devices (e.g., monitors for various implants), telemedicine devices used for remote health monitoring, and specialized devices for specific medical procedures.
My findings from the assessments can be categorized into the following groups of issues:
- Cryptographic problems
- Operational issues with device lifecycle
- Communications security
- Authentication and authorization issues
- Software update issues
- Lack of obfuscation controls
- Physical and platform security issues
In this column, I will be talking about the first issue, cryptographic problems. History has shown that cryptography might seem easy to use, but getting it right is always more difficult than it appears. HIPAA regulations govern the handling of health-related data on any device in the medical and pharmaceutical industries. However, there is no standard approach to the format and protection of patient IDs across providers. Some providers might utilize unique surrogate keys, while others might dangerously use Social Security Numbers (SSNs) as patient IDs. Best practices call for PHI data to be encrypted at rest and in transit. In reality, data is often left unprotected in one or more places during its lifecycle, making it vulnerable to discovery and exfiltration.
Drilling into the cryptographic problems, I have seen many instances in which weak or deprecated cryptographic algorithms (DES or MD5) were used. I also found examples of sound primitives applied incorrectly: inadequate key lengths, static initialization vectors, or simply an insecure mode of encryption such as ECB.
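The two misuses just named, ECB mode and a static initialization vector, are easiest to see by encrypting a record and counting what the ciphertext gives away. The following is an added example, not code from the column or from any device assessed in it. Because it is meant to run with only the Python standard library, it uses a small Feistel construction built on HMAC-SHA256 as a stand-in block cipher (a constructed toy, not AES and not a real cipher); the records, the zero `STATIC_IV`, and the function names are likewise constructed for the illustration. The mode logic is what matters, and it is the same for a real cipher.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes, same as AES


def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    # Keyed Feistel round function: HMAC-SHA256(round || half) truncated to 8 bytes.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 128-bit block cipher: a 4-round Feistel network over HMAC-SHA256.
    Constructed only so this example runs with the standard library; it is NOT AES
    and not a vetted cipher. The mode logic below is the subject of the column
    and would be identical with a real block cipher."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _f(key, right, rnd)))
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_ecb(key: bytes, plaintext: bytes) -> bytes:
    """ECB: every block is encrypted independently, so equal plaintext blocks
    produce equal ciphertext blocks and the record's structure shows through."""
    data = pkcs7_pad(plaintext)
    return b"".join(toy_block_encrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def encrypt_cbc(key: bytes, plaintext: bytes, iv: bytes) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block (the IV for the first)."""
    data = pkcs7_pad(plaintext)
    prev, out = iv, []
    for i in range(0, len(data), BLOCK):
        prev = toy_block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def encrypt_cbc_random_iv(key: bytes, plaintext: bytes) -> bytes:
    """Correct CBC usage: a fresh random IV per message, sent in the clear ahead of the ciphertext."""
    iv = os.urandom(BLOCK)
    return iv + encrypt_cbc(key, plaintext, iv)


def repeated_blocks(ciphertext: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier one (a sound mode gives 0)."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(blocks) - len(set(blocks))


STATIC_IV = b"\x00" * BLOCK  # the kind of fixed IV found baked into device firmware

# Constructed records: the first carries three identical 16-byte diagnosis fields,
# and the second shares its first field with it.
RECORD_A = b"DIAG:ICD-10-E119" * 2 + b"DIAG:ICD-10-I10 " + b"DIAG:ICD-10-E119"
RECORD_B = b"DIAG:ICD-10-E119" + b"DIAG:ICD-10-J45 "


def audit_modes(key: bytes, record_a: bytes = RECORD_A, record_b: bytes = RECORD_B) -> dict:
    """Compare what each mode leaks: repeated blocks inside one record, and whether
    two records with a common prefix get an identical first ciphertext block."""
    ecb = encrypt_ecb(key, record_a)
    cbc_static_a = encrypt_cbc(key, record_a, STATIC_IV)
    cbc_static_b = encrypt_cbc(key, record_b, STATIC_IV)
    cbc_rand_a = encrypt_cbc_random_iv(key, record_a)
    cbc_rand_b = encrypt_cbc_random_iv(key, record_b)
    return {
        "ecb_repeated_blocks": repeated_blocks(ecb),           # structure leaks
        "cbc_repeated_blocks": repeated_blocks(cbc_static_a),  # chaining hides it within a record
        # ... but a static IV leaks the shared prefix across records:
        "static_iv_first_block_equal": cbc_static_a[:BLOCK] == cbc_static_b[:BLOCK],
        # skip the leading IV bytes when comparing the random-IV ciphertexts
        "random_iv_first_block_equal": cbc_rand_a[BLOCK:2 * BLOCK] == cbc_rand_b[BLOCK:2 * BLOCK],
    }


if __name__ == "__main__":
    print(audit_modes(os.urandom(32)))
```

Running it shows two duplicate blocks under ECB, none under CBC, an identical first block for the two records whenever the IV is static, and differing first blocks once the IV is random. In a deployed device the toy cipher is replaced by a vetted library implementation, and CBC alone is still short of best practice because it provides no integrity; an authenticated mode such as AES-GCM, with a nonce that is never reused under one key, is the usual target.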
To add to the above list of cryptographic issues, I also found a general lack of education about key management. For example, I found instances of keys being hard-coded directly into the application code itself. This is a particularly harmful practice because not only does it give an attacker easy access to the key material, but it also implies that the secrets were never changed and remained the same across the development, quality assurance, and production environments. In some instances the keys or other device secrets were never changed, and there was no plan in place to change the keys if they were compromised.
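The missing pieces the paragraph describes, keys outside the source tree, keys that can be changed, and a procedure for when one is compromised, come down to a small amount of bookkeeping: every key has an identifier, the identifier travels with whatever the key protected, and the store knows which identifiers are current, historical, or retired. The following is an added example and not the column's or any vendor's code. It assumes an environment-variable naming convention (`DEVICE_KEY_<id>`, constructed for the example) standing in for whatever secret store a deployment actually uses, and it uses HMAC tags over a record as the protected operation so that rotation and retirement can be checked with the standard library alone.

```python
import hashlib
import hmac
import os
import secrets


class KeyRing:
    """Versioned secret store: each key has an id, the ring knows which id is
    current, and retired ids are refused. Keys are read from the environment
    (DEVICE_KEY_<id>, an assumed convention) at start-up, so no key material
    is written into the source code."""

    PREFIX = "DEVICE_KEY_"

    def __init__(self, environ=None):
        env = os.environ if environ is None else environ
        self.keys = {}
        self.retired = set()
        for name, value in env.items():
            if name.startswith(self.PREFIX):
                self.keys[name[len(self.PREFIX):]] = bytes.fromhex(value)
        if not self.keys:
            # Fail closed rather than fall back to a built-in default key.
            raise RuntimeError("no DEVICE_KEY_* entries found in the environment")
        self.current = max(self.keys)  # ids are zero-padded version numbers, so they sort

    def rotate(self) -> str:
        """Scheduled rotation: mint a fresh key as the new current id.
        Older keys stay in the ring so existing tags can still be verified."""
        new_id = f"{int(self.current) + 1:03d}"
        self.keys[new_id] = secrets.token_bytes(32)
        self.current = new_id
        return new_id

    def retire(self, key_id: str) -> None:
        """Compromise response: refuse anything protected under key_id from now on."""
        self.retired.add(key_id)
        if key_id == self.current:
            self.rotate()

    def seal(self, record: bytes) -> bytes:
        """Tag a record under the current key; the key id travels with the tag."""
        tag = hmac.new(self.keys[self.current], record, hashlib.sha256).digest()
        return self.current.encode() + b":" + tag.hex().encode()

    def verify(self, record: bytes, sealed: bytes) -> bool:
        key_id, _, tag_hex = sealed.partition(b":")
        key_id = key_id.decode()
        if key_id in self.retired or key_id not in self.keys:
            return False
        expected = hmac.new(self.keys[key_id], record, hashlib.sha256).digest()
        return hmac.compare_digest(expected, bytes.fromhex(tag_hex.decode()))


def lifecycle_demo() -> dict:
    """Walk one key through rotation and retirement and report what still verifies."""
    # Constructed environment standing in for the deployment's real secret store.
    env = {"DEVICE_KEY_001": secrets.token_bytes(32).hex()}
    ring = KeyRing(env)
    record = b"patient=SURROGATE-7f3a;reading=glucose:112"  # constructed; surrogate id, not an SSN
    old = ring.seal(record)
    ring.rotate()                      # scheduled rotation
    new = ring.seal(record)
    valid_after_rotation = ring.verify(record, old) and ring.verify(record, new)
    ring.retire("001")                 # key 001 is assumed compromised
    return {
        "old_valid_after_rotation": valid_after_rotation,
        "old_valid_after_retire": ring.verify(record, old),
        "new_valid_after_retire": ring.verify(record, new),
        "tampered_record_rejected": not ring.verify(record + b"0", new),
        "current": ring.current,
    }


if __name__ == "__main__":
    print(lifecycle_demo())
```

Keeping the key id in the protected output is what makes both rotation and a compromise response possible: without it, a device cannot tell which key produced a given tag or ciphertext, so the only options are never changing the key or breaking every record already in the field. Per-environment keys follow from the same structure, since development, QA, and production each load their own `DEVICE_KEY_*` values rather than sharing a literal in the code.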
The potential compromise of a medical device is concerning at many levels. Obviously there is a direct concern for patient health. Next is the exposure of the healthcare providers and device manufacturers if PHI is accessed and stolen. HIPAA fines have been on the rise, and the reputational risk of being at ground zero of a breach is significant. Medical devices are increasingly being connected directly to the network, so a compromised device becomes a potential pivot point for an adversary to infiltrate central servers, which hold repositories of sensitive data on many patients and may be running critical hospital operations. The growing trend toward telemedicine and remote health monitoring will add new avenues of compromise and further muddy the waters.
Healthcare companies will be under enormous pressure to address pending and emerging security issues that represent real risk to patients, providers, insurers and device manufacturers. Personal health information is under systematic and unremitting attack, and the emotional component of PHI theft will continue to grab headlines. Beyond the personal impact, the risks range from patient health to compliance, operational interruption, and loss of reputation.
In my next column I will discuss my findings on operational issues with device lifecycles, including problems with device turnover.