In my previous column we started a conversation about the breach risks regarding personal health information (PHI), specifically as it pertains to the growing threat of attacks on medical devices and systems. We established that the healthcare industry has a wealth of challenges related to software security as many healthcare providers consider software security a low priority. We also highlighted how the smaller units in the information chain--doctors, diagnostic centers, and clinics--lack the knowledge and resources to address security properly.
We must consider the extra wrinkle in this health security story: the numerous medical devices that collect and store PHI. These devices often lack security controls because they were built before security became a consideration and certainly well before any healthcare-specific regulatory frameworks were established. The risk is expanding rapidly as these devices are increasingly connected to some type of network (the Internet, hospital networks, or other ad-hoc networks), making them vulnerable to attack and a target for attackers looking for paths into the network. Security is clearly not keeping up with these risks. The number of PHI-related data breaches doubled between 2012 and 2013.
In my September column, “Protecting Sensitive Data in a Sensitive Industry,” I discussed my work assessing various types of medical devices, and categorized my findings from these assessments into the following groups of issues:
* Cryptographic problems
* Operational issues with device lifecycle
* Communications security
* Authentication and authorization issues
* Software update issues
* Lack of obfuscation controls
* Physical and platform security issues
Having previously addressed cryptographic problems, this column will tackle operational issues associated with device lifecycles and communications security.
Like all machines, medical devices have a lifecycle that begins with their introduction into the working environment and ends with their retirement from service. Along the way, devices may move within a given facility, go home with one or more patients, get sent back to the device manufacturers in case of problems, or get reassigned. The lifecycle is complicated because in many instances, healthcare providers, including hospitals and clinics, provision these devices to patients and manage the ongoing medical device lifecycle. Often these providers lack the security knowledge and expertise required to manage device lifecycles. The chances are good no one considers the PHI embedded into these devices as they travel through the various points in their lifecycle. Consider the stories of sensitive data being exposed from computers purchased at a garage sale--the concept is exactly the same. A facility may upgrade its equipment and elect to sell current devices to other organizations.
Ultimately, all devices reach the end of their useful life and are subsequently disposed of. It is not outside the realm of possibility to find medical devices on sites such as eBay with PHI still accessible. Devices also break, which means they are sent away for service or engineers are allowed onsite for repairs. If a device is sent away, there are no controls over how it is handled or who has access to it. Anyone called in to repair the device, whether onsite or remotely, requires full access to the machine and therefore to the data, opening the door for the malicious insider.
Security dictates strict control of the device lifecycle, but experience has shown this is not always the case. In my assessments, the most critical risks are evident at these three points in a device’s lifecycle:
1. When devices requiring repair/upgrade came back to a manufacturer, no clear procedures existed to anonymize or delete any personal data before handing over the device (or logs) to engineers for investigation. Such devices were serviced by engineers as-is, meaning the engineers had access to all device data. This is further complicated since I found that many providers continue to use Social Security numbers (SSN) as the patient IDs. This means a patient’s SSN is available on the device.
2. Devices ended up on sites such as eBay in part because the providers did not track them (or in some cases it was not possible to track these devices).
3. Clear procedures did not exist when it came to reassigning devices to other patients.
The Health Insurance Portability and Accountability Act (HIPAA) is very clear in requiring safe disposal of paper-based and electronic PHI. Policies and processes must be put in place to address the lifecycle milestones. These policies should address lifecycle events such as the device provisioning, its reassignment, handling of any device repairs, and, finally, retiring the device.
The next issue to address is communications security. Healthcare devices typically communicate over a variety of protocols: HTTP to external systems and Web services; the DICOM (Digital Imaging and Communication in Medicine) protocol to hospital Picture Archival and Communications Server (PACS) systems; custom telemetry protocols to local ad-hoc systems; and so on. Healthcare-specific protocols such as DICOM do support encryption, and yet there is abundant room for security gaps. DICOM is used by imaging modalities to communicate information to PACS systems. The first problem is the sin of omission: just because the protocol supports encryption, as required by HIPAA regulations, does not mean everyone is in compliance. Although encryption is available, it does not work unless someone turns it on. Furthermore, in the case of DICOM, every device connected to the PACS system must honor encryption. If an ultrasound device encrypts the image but other systems connected to the PACS system do not support encryption, then it simply won’t work. After all, the purpose of DICOM is to share information between medical devices.
In my assessments I have seen these issues and numerous others in regard to communication security specific to the healthcare industry. While DICOM may support encryption, not every (imaging) device that uses DICOM has the capability to execute encryption at the device level.
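The weakest-link problem described above can be made concrete with a small inventory audit. The following is an added example, not code from the column or from any device vendor; the node model, the AE titles and the PACS policy flag are constructed assumptions. It classifies each modality's association with the PACS as encrypted, plaintext (PHI crosses the wire unencrypted) or broken (PACS requires TLS the modality cannot provide), which is exactly the trade-off that makes providers leave encryption off.

```python
from __future__ import annotations
from dataclasses import dataclass

# Hypothetical model of DICOM application entities (AEs) on a hospital network.
@dataclass
class DicomNode:
    ae_title: str
    tls_supported: bool          # the firmware can speak DICOM over TLS at all
    tls_enabled: bool            # someone actually turned it on
    accept_plaintext: bool = True  # PACS-side fallback to unencrypted associations

def classify_link(modality: DicomNode, pacs: DicomNode) -> str:
    """Classify the association a modality would form with the PACS."""
    both_encrypt = (modality.tls_supported and modality.tls_enabled
                    and pacs.tls_supported and pacs.tls_enabled)
    if both_encrypt:
        return "encrypted"
    if pacs.accept_plaintext:
        return "plaintext"   # images flow, but PHI is exposed on the network
    return "broken"          # PACS insists on TLS; modality cannot comply, no images flow

def audit_pacs(pacs: DicomNode, modalities: list[DicomNode]) -> dict[str, list[str]]:
    """Group every modality by the kind of link it would get to this PACS."""
    report: dict[str, list[str]] = {"encrypted": [], "plaintext": [], "broken": []}
    for modality in modalities:
        report[classify_link(modality, pacs)].append(modality.ae_title)
    return report

# Constructed sample: a PACS with TLS enabled but plaintext fallback still allowed.
SAMPLE_PACS = DicomNode("PACS01", tls_supported=True, tls_enabled=True, accept_plaintext=True)
SAMPLE_MODALITIES = [
    DicomNode("US_ROOM3", tls_supported=True, tls_enabled=True),    # configured correctly
    DicomNode("CT_LEGACY", tls_supported=False, tls_enabled=False), # cannot encrypt at all
    DicomNode("MR_NEW", tls_supported=True, tls_enabled=False),     # sin of omission
]

if __name__ == "__main__":
    for state, nodes in audit_pacs(SAMPLE_PACS, SAMPLE_MODALITIES).items():
        print(f"{state}: {', '.join(nodes) or '-'}")
    # Turning off the fallback shows which devices block a TLS-only policy.
    strict = DicomNode("PACS01", True, True, accept_plaintext=False)
    print("blocked by TLS-only policy:", audit_pacs(strict, SAMPLE_MODALITIES)["broken"])
```

The "broken" list under the strict policy is the set of devices that must be upgraded or replaced before the PACS can refuse plaintext; until then, the "plaintext" list is the PHI exposure.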
As devices continue to increase in function and capability, the amount of potentially sensitive data they store will increase proportionately. Without proper attention to the security challenges associated with each milestone in a device’s lifecycle, personal data will be put at risk of discovery and compromise. As these devices are increasingly connected to the network and to each other, the communication processes will also need to recognize and address areas of risk and vectors of attack.
In my next column I will discuss the remaining issues in healthcare device security.