December 4, 2006

Enemy at the Gates! Your Computer Systems Are Under Attack
By Blake Sutherland, PEng, CISSP
Radiology Today
Vol. 7 No. 24 P. 12

Forget hackers. Today’s threats come from attackers: individuals or groups that aim to do serious damage to a healthcare facility’s IT systems, including software applications.

Better healthcare information technology (HIT) is essential to the vision of a healthcare system that puts the patients’ needs and values first and gives patients and medical professionals the information they need to make clinical and economic decisions. There has been a dramatic increase in the adoption and reliance on e-health systems, including PACS, electronic medical records (EMRs), and medical devices. E-health systems are now considered the foundation for overhauling the current healthcare system, managing costs, and increasing quality.

Since President Bush’s January 20, 2004, State of the Union Address, in which he highlighted the potential of computerized health records for avoiding dangerous medical mistakes, reducing costs, and improving care, e-health systems have become a focal point for a range of stakeholders.

Governments and healthcare organizations will invest billions of dollars in such systems in the months and years ahead. Today, there are literally hundreds of vendors encompassing electronic health records (EHRs), PACS, RIS, hospital information systems (HIS), and medical devices. And, while vendors are committed to delivering secure solutions, it is critical that every effort be made to better ensure the integrity, confidentiality, and availability of these applications and data.

The New Threat
Until recently, attention-seeking hackers were the main IT security threat to businesses, including healthcare organizations. They would write code, unleash it into cyberspace, and hope for their 15 minutes of fame. These types of mass attacks often had no particular target in mind; they would simply seek out vulnerabilities in a system—typically in operating systems and networks—and exploit them.

But that was when hackers and their motives were less dangerous. Recently, security intelligence experts have detected “the tell-tale signs of organized crime gangs and government espionage in attacks and a hacker community much more motivated by financial gain than personal or political fulfillment.”1

Hackers have now become attackers who target particular organizations, groups, or users. Motivated by money, revenge, and perhaps terror, they take control of computing devices to steal identities or confidential data that can then be sold, to use those devices for illegal purposes such as sending spam, and potentially to disrupt operations and service delivery. And while some attackers may be faceless strangers on the other side of the world, others lurk in your midst. There is a significant risk from insiders—employees, contractors, and consultants—who easily bypass perimeter security and other traditional IT security solutions.

Just a few years ago, healthcare facilities were rarely the objects of attacks, but now, they’ve become prime targets. Hospitals, clinics, and medical group practices all contain large amounts of valuable data—not just confidential patient information but also financial and personal information about employees, insurance companies, suppliers, and partners—making them appealing to attackers interested in financial gain. In 2005 alone, Privacy Rights Clearinghouse identified more than 10 healthcare organizations, including the University of Florida Health Sciences Center, Duke University Medical Center, and the University of Chicago Hospital, that had significant security breaches.

Now that most healthcare organizations have strong perimeter defenses, including network firewalls, user authentication, configuration management, and data encryption, attackers have set their sights on the next most vulnerable part of the system: software applications.

Applications—The Heart of Your Healthcare Facility
Healthcare organizations increasingly rely on computerized e-health systems and software applications. Large hospitals often have tens of thousands of e-health systems, ranging from diagnostic systems such as x-ray and MRI machines to portable bedside monitors, wireless/telemetry monitors, clinical systems, wireless PCs, and enterprise servers. Each system contains custom software applications, which in turn rely on common commercial off-the-shelf (COTS) operating systems and applications. It is not uncommon for a facility to run hundreds of applications, including the following:

• EHRs/EMRs;

• patient health records;

• HIS;

• PACS;

• diagnostic systems;

• monitoring systems;

• physician and patient portals;

• clinical and health information systems;

• e-prescribing applications; and

• finance, payroll, and human resource applications.

Without these systems, healthcare facilities cannot reliably provide the high-quality services they and their patients have come to expect. And while no one questions the benefits these applications provide in terms of quality of care, improved communications, operational efficiency, and savings, it is important to recognize the risks they introduce.

These software applications come with thousands of vulnerabilities that can be exploited by an attacker. The potential consequences of a vulnerability being exploited include an attacker:

• taking full control of a system;

• installing programs;

• viewing, deleting, or changing patient or medical data;

• creating new accounts with full user privileges;

• denying service (ie, x-ray, MRI, etc); and

• crashing systems.

Why Are Applications Vulnerable?
For one, it’s all but impossible to write perfect code. Most software has between 1,000 and 1,500 security defects per million lines of code, and sophisticated software applications typically have millions of lines of code.2 EHRs/EMRs, for example, are complex systems that typically consist of an operating system, a database, a Web server, an application server, and the EHR/EMR application itself. All told, there can be a hundred million lines of code and as many as 150,000 defects that an attacker could attempt to exploit to gain access to the heart of a healthcare organization’s systems. Not all these will be critical vulnerabilities, but the numbers can be staggering.

In 2005, 1,500 major software vulnerabilities were disclosed (SANS, 2005), and more than 10,800 new virus and worm variants were identified for the Win32 platform in the first half of the year alone.3

The other reason applications are vulnerable is that they are increasingly based on Internet protocols; that is, they are designed to be remotely accessed by system administrators, medical professionals, healthcare partners, and patients via the Web. While Web-based applications offer convenience, efficiency, better service, and savings, they also fundamentally increase the risk to applications, systems, and sensitive data.

Attack Consequences
An attacker who successfully exploits an application vulnerability could quickly and significantly affect a healthcare facility in various ways, including disrupting services, stealing data and identities, and taking control of host computers and using them for illicit purposes. The fallout from these attacks can be devastating.

Quality of care: If an attacker changes patient information or disrupts hospital services, quality of care can be jeopardized. At Seattle’s Northwest Hospital & Medical Center, for example, a 20-year-old attacker in California used a computer “bot” that caused computer malfunctions. As a result, doors to the operating room did not open, pagers didn’t work, and computers in the intensive care unit shut down.4

Financial loss: When an organization’s security is compromised and publicized, the financial impact can also be significant. Security breaches not only reduce revenues because of service disruptions, but they also increase costs. Systems now have to be fixed, plus there are often penalties, fines, and media relations costs when it comes to announcing security breaches.

It is estimated that organizations can expect a breach to cost them $90 per user for investigation fees, communications, cleanup and recovery, customer services, fines, lawsuits, and increased security audits. This figure does not account for the damage to the corporate brand and potential market capitalization impacts.5

Customers and patients care a lot about the confidentiality of their data. “In a national survey of more than 1,000 victims of personal data security breaches, nearly 20% said they had already terminated their relationships with companies that maintained their data, while another 40% said they might do so. And nearly 5% of those surveyed said they had hired lawyers to seek legal recourse after their data was put at risk.”6

Compliance and notification: Compliance-related issues are perhaps the biggest headache related to a security breach. In addition to HIPAA, which is now reasonably well-understood by most affected organizations, numerous new breach notification laws cause severe discomfort. They require healthcare organizations to inform patients if their data has been compromised or exposed by an attack. There is a patchwork of breach notification laws, which are either already in place or proposed, in more than 40 states.

Many of these state laws specify different triggers for notifications and set varying requirements on what must be disclosed, to whom, and when. California, for instance, uses an “acquisition standard” that requires companies to notify consumers each time their data has been acquired by an unauthorized person. Other states, including Delaware, Arkansas, and Florida, require companies to notify consumers of breaches only if the companies believe there’s a reasonable risk of harm. Some states exempt companies that encrypt their data from disclosures; others don’t. To make things more complicated, breach notification is extra-territorial. This means a healthcare provider who treats an out-of-state resident must adhere to the breach notification laws of the patient’s home state if their data is compromised.

Three recent examples highlight the scope and critical nature of this issue:

1. “The FBI is investigating unauthorized changes made to a MySQL database that underlies an electronic medical record system at an Indiana-based orthopedics clinic. Orthopaedics NorthEast (ONE) noticed significant performance slowdowns in January. The changes were apparently made by an intruder who gained initial access to the system through a back door in WebChart software from Medical Informatics Engineering.

On one occasion, the intruder appended characters to a database query, causing it to crash.

On another occasion, the intruder deleted a print-server directory. Analysis demonstrated that the intruder accessed the WebChart system through a proxy server at a hospital; ONE is connected to the hospital via a virtual private network.”7

2. “On an average day, Cleveland Clinic Health System blocks about 40,000 attacks that attempt to exploit a weakness in an unpatched PC or try to run an unauthorized query on a PC.”8

3. “Georgetown University Hospital in Washington, D.C., [recently] suspended an electronic prescription pilot program after learning of a data security breach affecting between 5,600 and 23,000 patients.”9

Inadequate Security
Although healthcare organizations have done much to strengthen their security with numerous perimeter defenses, many of these measures do not provide adequate protection because application vulnerabilities allow them to be readily bypassed. Attackers have set their sights on applications (or vulnerabilities within the applications) and have proven time and time again that they are an effective way of compromising a system.

Beyond perimeter defenses, many healthcare organizations rely on patches—fixes provided by software vendors that address specific vulnerabilities. And while patching software vulnerabilities remains a key security priority, it’s a race that can’t be won. The time between the publication of a vulnerability and the appearance of malicious code that exploits it has narrowed sharply—from months and weeks down to days. In some cases, attacks occur before the vulnerability is even discovered or announced (so-called zero-day attacks).

Meanwhile, the time to create patches and distribute them remains relatively fixed and dangerously long because they need to be tested, installed, and scheduled to minimize disruption. Because deploying patches can affect manufacturer warranties, many medical devices are left unpatched for long periods of time.

Reducing Risk
It is impossible to remove every possible security risk to any business, so it’s important to determine what risk level you are willing to assume and then cost-effectively implement security processes and technology that reduce the risk to an acceptable level.

In addition to arming themselves with relevant and timely threat information, educating staff about security, and imposing security requirements on healthcare partners, healthcare organizations can take several other steps to determine their vulnerability and prevent attackers from exploiting applications.

Step 1: Perform an Application Vulnerability Assessment
An application vulnerability assessment helps determine system vulnerabilities. An application assessment, which can take as little as a day to perform, uses special software to systematically test for thousands of known vulnerabilities. It then categorizes the vulnerabilities by degree of severity. Healthcare organizations can prioritize these vulnerabilities for further action and decide whether they are prepared to accept the potential medical, business, and legal risks.

Step 2: Demand Better Accountability From Your Application Software Vendors
Ask software and system vendors to disclose application vulnerability information. Not only does this information help you better protect your facility, it also shows the vendor that you are aware of potential flaws in its software. The more healthcare organizations demand accountability from vendors, the more care vendors will take to reduce vulnerabilities in their products. Healthcare organizations should also consider participating in vulnerability reporting programs—such as the eHealth Vulnerability Reporting Program (www.ehvrp.org)—that strive to ensure greater security of e-health systems.

Step 3: Implement a Defense-in-Depth Strategy
Defense-in-depth assumes that no single component, policy, or process can ensure security. The modern computing environment is too complex and diverse. Attackers have access to the same vulnerability bulletins as everyone else—and a growing range of automated tools with which to exploit them.

The potential risk of failure and regulatory penalties requires that security managers not just arm themselves against a minimum standard of documented threats but also anticipate the unknown—in effect to “prove a negative” and show they are not insecure. Intrusion prevention systems are an integral part of a comprehensive defense-in-depth strategy.

While the complexity of e-health systems, software, and applications will continue to present a daunting security challenge for many, following these security guidelines will help healthcare providers significantly reduce the risk and associated consequences of an attack, enabling hospitals and medical centers to deliver on the promise of lower cost and higher quality care.

— Blake Sutherland, PEng, CISSP, is vice president of product management at Third Brigade, which develops computer security software.


References
1. Forrester Research. Increasing Organized Crime Involvement Means More Targeted Attacks, August 2, 2005.

2. Jones C. Software Assessments, Benchmarks, and Best Practices. New York: Addison-Wesley Professional, 2000.

3. Secure Computing, March 2006.

4. Computerworld, February 13, 2006.

5. Liton A. “Online Fraud Solved.” Gartner Session, IT Security Summit. July 2006.

6. Computerworld, September 28, 2005.

7. Computerworld, February 10, 2006.

8. “Locking Intruders Out! Securing Healthcare Data,” presented at HIMSS 2006.

9. Wired News, July 25, 2006.




Copyright © 2007 Great Valley Publishing Co., Inc.
3801 Schuylkill Rd • Spring City, PA 19475
Publishers of Radiology Today
All rights reserved.