‘Gaping Holes’ Expose Health System Security

Computer scientist Avi Rubin says health care "is an industry with the least regard . . . and respect for IT security of any I've seen, and they have some of the most personal and sensitive information of anyone." Illustrates CYBERSECURITY-MEDICINE (category a), by Robert O'Harrow Jr. (c) 2012, The Washington Post. Moved Wednesday, Dec. 26, 2012. (MUST CREDIT: Photo for The Washington Post by Matt McClain.)

As the health-care industry rushed onto the Internet in search of efficiencies and improved care in recent years, it has exposed a wide array of vulnerable hospital computers and medical devices to hacking, according to documents and interviews.

Security researchers warn that intruders could exploit known gaps to steal patients’ records for use in identity theft schemes and even launch disruptive attacks that could shut down critical hospital systems.

A year-long examination of cybersecurity by The Washington Post has found that health care is among the most vulnerable industries in the country, in part because it lags behind in addressing known problems.

“I have never seen an industry with more gaping security holes,” said Avi Rubin, a computer scientist and technical director of the Information Security Institute at Johns Hopkins University. “If our financial industry regarded security the way the health-care sector does, I would stuff my cash in a mattress under my bed.”

Compared with financial, corporate and military networks, relatively few hacks have been directed at hospitals and other medical facilities. But in recent months, officials with the Department of Homeland Security have expressed growing fear that health care presents an inviting target to activist hackers, cyberwarriors, criminals and terrorists.

“These vulnerabilities may result in possible risks to patient safety and theft or loss of medical information,” a DHS intelligence bulletin said in May.

Security researchers are starting to turn up the same kinds of trivial-seeming flaws that earlier opened the way for hackers to penetrate financial services networks, Pentagon systems and computers at firms such as Google.

Rubin has documented the routine failure to fix known software flaws in aging technology and a culture in which physicians, nurses and other health care workers sidestep basic security measures, such as passwords, in favor of convenience.

Another researcher found that a system used to operate an electronic medicine cabinet for hospital prescriptions in Oklahoma could be easily taken over by unauthorized users because of weaknesses in the software interface.

OpenEMR, an open-source electronic medical records management system that is about to be adopted worldwide by the Peace Corps, has scores of security flaws that make it easy prey for hackers.

The University of Chicago medical center operated an unsecure Dropbox site for new residents managing patient care through their iPads, using a single user name and password published in a manual online.

After a Post reporter called about the vulnerabilities, officials at the cabinet manufacturer and the medical center took steps to close the gaps. The Peace Corps said it was considering changes.

Government oversight and industry practices have not kept pace with the changing technology. The Food and Drug Administration, which is responsible for overseeing medical devices, most recently published guidance on cybersecurity in 2005.

The agency has urged hospitals to allow vendors to guide them on security of sophisticated devices. But the vendors sometimes tell hospitals that they cannot update FDA-approved systems, leaving those systems open to potential attacks. In fact, the agency encourages such updates.

“A lot of people are very confused about FDA’s position on this,” said John Murray Jr., a software compliance expert at the agency.

A Government Accountability Office report in August noted that defibrillators and insulin pumps are vulnerable to hacks. In July, one researcher-hacker was able for the first time to use a specialized search engine called Shodan to discover a medical device, a wireless patient glucose monitor in Wisconsin, linked to the Internet and open to hacking.

The Department of Health and Human Services is overseeing the move to electronic health records systems, some of which have documented security vulnerabilities.

John Halamka, a physician and Harvard University professor who is co-chairman of the HHS health information technology standards committee, said security in the health-care industry is “not as good” as in other industries. But he added that the industry is aware of the problems and is scrambling to make improvements.

“It’s completely headed in the right direction,” he said.

But Laurie Williams, a computer scientist at North Carolina State University, said health care remains widely vulnerable.

“There are basic, basic, Security 101 vulnerabilities we identified,” said Williams, who was among a team of researchers that identified numerous security flaws in several electronic health records systems two years ago. “I’m concerned that at some point the hackers are really going to begin exploiting them. And that’s going to be a scary day.”

Questions about the cybersecurity of medical systems have been simmering for more than a decade. But the issue has intensified as hospitals embrace wireless devices and electronic records. Some health-care officials assumed that their networks were too obscure, or offered too few financial enticements, to be of interest to hackers.

Information technology executive Peter Tippett, the chief medical officer for Verizon, said the threat from cyberspace should not be overstated. Simple theft of laptops and other devices makes up the bulk of incidents.

“The fact is, there aren’t many attacks,” said Tippett, who oversees ICSA Labs, an independent division of Verizon that tests electronic health records systems and other security products for government certification. “The bad guys so far at least have been looking for money.”

Still, Tippett acknowledged that health care ranks near “the bottom of the list” of industries in terms of cybersecurity. “It’s about like retail,” he said.

In July, a consortium of hospitals, health plans, pharmacies, drug companies and government agencies called the Health Information Trust Alliance launched a cybersecurity incident response and coordination center to defend against “cyber crime, cyber espionage and cyber activism.”

No one knows exactly how many intrusions have occurred, but anecdotes are mounting. Medical devices at Veterans Affairs facilities were infected by malicious viruses at least 181 times from 2009 to 2011, according to the DHS intelligence report that surfaced in May.

On March 30, a hacker broke into a network server at the Utah Health Department, gained access to Medicaid data about 780,000 people and stole an undetermined number of records. Authorities traced attackers to computers in Eastern Europe. Utah officials acknowledged the breach and said they are taking extensive measures to protect patients against identity theft.

HHS officials said health care providers must combine cultural, practical and technological solutions to defend against theft and hacking. The officials also said that they have ramped up enforcement efforts against organizations that failed to protect patient information.

“While there is always more work to do, we have reached record settlements against companies who violated privacy laws and sent a message to everyone that privacy violations will not be tolerated,” said Leon Rodriguez, director of the HHS Office for Civil Rights.

Three years ago, Rubin, the Johns Hopkins researcher, began assessing systems at major hospitals and clinics, making visits to operating rooms and intensive-care units.

He found that doctors and medical workers used the same computers to connect to both the Internet and internal networks. Rubin said doctors become “a pipeline for attackers into the sensitive networks.”

One nurse told Rubin that she had the job of typing in a physician’s password constantly so that the doctor would not have to, leaving the unattended machine unprotected. “She literally walked around the room logging the doctor into every machine, every hour,” Rubin said. “Unbelievable.”

He declined to name the institutions he studied because to do so would violate his research agreements.

“The doctors and technicians I spoke with seemed mostly well aware that their systems are vulnerable,” said Rubin, who has previously found security problems in voting machines. He said that health care “is an industry with the least regard, understanding and respect for IT security of any I’ve seen, and they have some of the most personal and sensitive information of anyone.”

Another researcher, Tim Elrod, a consultant at FishNet Security, found vulnerabilities in a system that enables care providers using a Web browser to automatically dispense drugs from a secure cabinet produced by Omnicell.

Working with Stefan Morris, Elrod discovered that unauthorized users could sidestep the login and password page and gain control of a cabinet at a hospital run by Integris Health, the largest health organization in Oklahoma. They used a well-known hacking technique called a “forced browsing” attack.

“At that point, we had full administrative control,” Elrod said. “We could do anything.”

After being contacted by The Post, Peter Fisher, vice president of engineering at Omnicell, said he “is launching an immediate investigation into this reported vulnerability.” The same day, the company issued a software fix to customers around the globe.

“Omnicell is committed to delivering the highest level of data security to our customers as demonstrated by our regular release of software updates, which include security enhancements,” Fisher said.

John Delano, chief information officer for Integris, confirmed the Omnicell flaw and said his company last year disconnected it from any networks that might link to the Internet.

“Unfortunately, a lot of times you run into vendors who have poorly coded software,” Delano said. “That’s the case here.”

After an inquiry by The Post, a researcher at the University of Florida, Shawn Merdinger, found flaws in the use of wireless iPads by new medical residents at the University of Chicago medical center.

Merdinger found a manual for the iPad initiative posted online, publishing a single user name and password for all the residents to use a shared Dropbox account. The idea was to promote collaboration.

But the arrangement opened the medical center to “social engineering” attacks, where hackers plant documents, such as PDFs, that are loaded with malicious code. Once the documents are uploaded, the iPads could become infected, handing over control of hospital networks to hackers.

After The Post alerted the medical center, officials closed the gap.

“This Dropbox account was intended to be used only to share educational material among residents,” Cindy Kitching-Pena, director of the Department of Medicine Education Programs, said in a statement. “Nevertheless, the username and password to the account have been changed, and the account will be terminated.”

In February 2009, Congress mandated the widespread adoption of electronic health records (EHR) computer systems as part of the stimulus legislation known as the American Recovery and Reinvestment Act.

The law included as much as $36 billion in stimulus funding to promote the “meaningful use” of such systems. It was the Obama administration’s first big step toward health-care reform.

Since then, tens of thousands of doctors, hospitals and other health-care operations have received more than $8.1 billion in government payments, and they have begun using the systems to digitize and share millions of patients’ records in ways that proponents say will save billions of dollars and improve care.

The law required electronic health records systems to be certified by independent labs to meet an array of standards established by HHS, but those standards include few security provisions, according to documents and interviews.

Officials have known for years about vulnerabilities in the systems. In 2007, the eHealth Vulnerability Reporting Program, a group that included senior health-care officials, concluded that “commercial EHR systems are vulnerable to exploitation given existing industry practices” and that the “skill level required to exploit is low.”

Two years ago, Williams, the North Carolina State researcher, and her colleagues found common flaws in four systems that would expose users’ login information and enable outsiders to access patients’ records.

The group’s report urged rigorous security testing before electronic health record vendors could be certified for stimulus funding.

Federal officials have not gone that far, but Farzad Mostashari, the national coordinator for health information technology at HHS, said they “have taken important steps with vendors to make electronic health records more secure,” such as requiring encryption of data on laptops.

Among the systems that HHS has certified is OpenEMR, an open-source software developed by a nonprofit charitable group called OEMR. The software can be downloaded for free.

Williams’ group — along with several white-hat hackers — has found hundreds of vulnerabilities in the system.

OEMR’s leaders acknowledged the flaws but said it would take an experienced hacker to exploit them. Chief technology officer Kevin Yeh said his group fixes problems as soon as it learns about them and that other Web-based systems probably have the same weaknesses.

He added that federal certification standards “are not sufficient.”