As I sat waiting on the examination table to begin my annual physical, I browsed the Internet from my iPhone on the office's FREE Wi-Fi. At the time I thought, this is the worst, but then I heard screaming from a nearby room. My doctor walked into my room prepared and ready to go with a series of questions to determine my reason for coming in. I immediately started to wonder if paying $35.00 for 5 questions was worth it. After that fun exercise, I went back to browsing the Internet, and that is when I noticed things that had me concerned about my well-being at my doctor's office. What I noticed led me to believe that my doctor was trying to kill me (unintentionally, of course).
As I sat there assessing the office's security posture, I noticed that the application used to update patient records, the X-ray machine and other important equipment were ALL running Windows XP Professional SP1, which is riddled with vulnerabilities. In addition, an unencrypted external storage device and an HP print server were screaming for someone to connect to them. Both devices were communicating over an open Wi-Fi network that broadcast its Service Set Identifier (SSID) to everyone. Just when I thought it could not get any worse, it did! There was no logical or physical separation between the WIRED and Wi-Fi networks in the doctor's office (connect to one, get ALL). Since IT security assessments are what I do daily, I immediately started to feel uncomfortable. After discussing my concerns with the doctor, they allowed me to investigate a bit further (with the appropriate documentation and signatures, of course).
A deeper dive revealed:
- Desktops and laptops were running Windows XP SP1. Support for Windows XP ended entirely in April 2014 (SP1 itself stopped receiving updates in 2006). For the record, this was in 2016.
- Windows XP carries publicly known, unpatched vulnerabilities with no fix coming, ever.
- External storage used workgroup-style share access control: shared folders with no password required.
- The external storage had built-in Wi-Fi and a web portal for managing the device, which held backups of medical records, prescriptions and financial data.
- No system or security auditing was enabled on Windows, and nobody was monitoring the logs.
- No logical or physical separation between the WIRED and wireless networks.
- Both the office Wi-Fi and the print server broadcast their SSIDs.
- Wired Equivalent Privacy (WEP), which is trivially cracked, was used for Wi-Fi encryption.
- Guest and office Wi-Fi shared the same subnet as the office workstations.
- No rules of behavior for office employees.
They are doctors, not security professionals, and rightly so.
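The findings above are exactly the kind of checklist that can be scripted so a small office (or the consultant it hires) can re-run it after remediation. The Python below is an added example, not code from the original post or from the office's IT group: it runs a handful of rules over a constructed inventory that mirrors the findings (hostnames, subnets and SSIDs are invented), using public Microsoft end-of-support dates for the OS check and the standard library's ipaddress module to test whether the guest, office and wired networks actually overlap.

```python
"""Checklist-style posture audit over a constructed office inventory.

Added example, not code from the original post. The inventory below is
constructed to mirror the findings listed above; the end-of-support dates
are public Microsoft lifecycle dates.
"""
from collections import Counter
from datetime import date
import ipaddress

# Public end-of-support dates. Assumption: any host whose OS is past its
# date is flagged as unsupported; an OS not in the table is flagged as unknown.
OS_END_OF_SUPPORT = {
    "Windows XP SP1": date(2006, 10, 10),
    "Windows XP SP3": date(2014, 4, 8),
    "Windows 7 SP1": date(2020, 1, 14),
}

WEAK_WIFI_ENCRYPTION = {"open", "WEP"}

# The date the office was assessed (the article was written in 2016).
AUDIT_DATE = date(2016, 1, 1)

# Constructed inventory: hostnames, subnets and SSIDs are invented.
OFFICE_INVENTORY = {
    "wired_subnet": "192.168.1.0/24",
    "hosts": [
        {"name": "frontdesk-pc", "os": "Windows XP SP1", "audit_logging": False},
        {"name": "xray-console", "os": "Windows XP SP1", "audit_logging": False},
    ],
    "shares": [
        {"host": "backup-nas", "path": r"\\backup-nas\records", "auth_required": False},
    ],
    "wifi": [
        {"ssid": "clinic", "role": "staff", "encryption": "WEP", "subnet": "192.168.1.0/24"},
        {"ssid": "clinic-guest", "role": "guest", "encryption": "open", "subnet": "192.168.1.0/24"},
    ],
}


def audit(inventory, today):
    """Return a list of (finding, asset, detail) tuples for the inventory."""
    findings = []

    for host in inventory["hosts"]:
        eol = OS_END_OF_SUPPORT.get(host["os"])
        if eol is None:
            findings.append(("unknown-os", host["name"], host["os"]))
        elif eol < today:
            findings.append(("unsupported-os", host["name"],
                             f"{host['os']} end of support {eol.isoformat()}"))
        if not host["audit_logging"]:
            findings.append(("no-audit-logging", host["name"], ""))

    for share in inventory["shares"]:
        if not share["auth_required"]:
            findings.append(("unauthenticated-share", share["host"], share["path"]))

    wired = ipaddress.ip_network(inventory["wired_subnet"])
    staff_nets = [ipaddress.ip_network(w["subnet"])
                  for w in inventory["wifi"] if w["role"] == "staff"]
    for wlan in inventory["wifi"]:
        if wlan["encryption"] in WEAK_WIFI_ENCRYPTION:
            findings.append(("weak-wifi-encryption", wlan["ssid"], wlan["encryption"]))
        net = ipaddress.ip_network(wlan["subnet"])
        # Wi-Fi on the same subnet as the wired LAN: connect to one, get all.
        if net.overlaps(wired):
            findings.append(("wifi-not-segmented-from-wired", wlan["ssid"], str(wired)))
        # Guest traffic landing on the staff subnet is a separate finding.
        if wlan["role"] == "guest" and any(net.overlaps(s) for s in staff_nets):
            findings.append(("guest-shares-staff-subnet", wlan["ssid"], wlan["subnet"]))

    return findings


def summarize(findings):
    """Count findings by type, e.g. to prioritise remediation."""
    return Counter(kind for kind, _, _ in findings)


if __name__ == "__main__":
    results = audit(OFFICE_INVENTORY, AUDIT_DATE)
    for kind, asset, detail in results:
        print(f"{kind:32} {asset:14} {detail}")
    print(dict(summarize(results)))
```

Run against the constructed inventory it produces ten findings across six types; the point of keeping the rules in code rather than in someone's head is that the same script can be re-run at the follow-up appointment to confirm each one is gone. Real inventories come from a network scan or an asset list, and the end-of-support table needs to be maintained as products age out.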
At first I had to remind myself to "CALM DOWN!" The doctor's office follows the Health Insurance Portability and Accountability Act (HIPAA) of 1996, right? For those who don't know, HIPAA includes a set of provisions called Administrative Simplification aimed at improving the efficiency of the health care system, including:
“Standardized electronic transmission of common administrative and financial transactions (such as billing and payments).
Unique health identifiers for individuals, employers, health plans, and health care providers.
Privacy and security standards to protect the confidentiality and integrity of individually identifiable health information” (Department of State Health Services, 2010).
However, HIPAA's Security Rule requires safeguards for electronic health information without prescribing specific technical controls, so an office can believe it is compliant while running everything listed above. Upon further discussion with my doctor, I learned of even more gaps, such as the lack of system and network baseline configurations. Not that a baseline configuration is the end of the road, but seriously.
I hit the doctor with the vulnerabilities, impact and likelihood of a breach, a one-two punch, in a scenario-based example. After presenting my findings, I could see the blood drain from his face. I assured him that finding vulnerabilities is the easy part; protecting against them is the hard part.
What can an attacker do in this scenario? A few activities at a glance:
- Discover the broadcast SSIDs and crack the weak (WEP) encryption key.
- Connect to the network and sniff traffic.
- Fingerprint the operating system (OS) and patch level of each host before attacking it.
- Run a vulnerability scanner (they are easy to acquire) to find exploitable weaknesses across the hardware and software.
- Crack administrator credentials to get into the applications.
- Extract data from the network shares and the backup storage.
- Cover his or her tracks to keep harvesting patient data.
Another alarming concern is that an attacker could increase or decrease the dosage on a patient's prescription, or modify test results so that the doctor makes incorrect prescription or testing decisions, in order to cause harm. As a result of such modifications, the doctor may prescribe a lethal dose of medication or perform an incorrect procedure on a patient. Upon learning about the risk to the office, my doctor shared the findings with his Information Technology (IT) group to address the various risks and vulnerabilities.
What I found is that medical providers are more concerned with the accuracy and timing of test results, while equipment vendors are more concerned with selling the latest tests and equipment (including the IT that comes with it). Some organizations are simply not as concerned with IT security, which is strange if you think about it. Data integrity is critical because it underpins the test results, but how much can the integrity and confidentiality of those results be trusted when an attacker could modify anyone's record without their knowledge because of vulnerabilities in the doctor's systems?
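The integrity question above is exactly what a keyed tag answers: if every record on the share carries an HMAC computed with a key the share never sees, a silently changed dose no longer verifies, and an attacker who can write to the share still cannot produce a tag that does. The Python below is an added example, not code from the original post or from the office's systems; the key handling, record fields and storage layout are assumptions made for the demonstration.

```python
"""Tamper-evident record tags with HMAC.

Added example, not code from the original post or the office's systems.
Assumptions: records are JSON-serialisable dicts, a tag is stored beside
each record, and the HMAC key lives on the application server rather than
on the file share, so an attacker who can write to the share cannot
recompute a valid tag.
"""
import hashlib
import hmac
import json


def canonical(record):
    """Deterministic serialisation so the same record always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record, key):
    """Return the record together with a keyed tag over its canonical form."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(sealed, key):
    """True only if the record matches its tag under this key (constant-time compare)."""
    expected = hmac.new(key, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


# Constructed demo key and prescription; a real key comes from os.urandom(32)
# and is never stored on the share it protects.
DEMO_KEY = bytes(range(32))
DEMO_PRESCRIPTION = {"patient_id": "P-0001", "drug": "warfarin", "dose_mg": 5, "version": 1}


def dose_tamper_demo(key=DEMO_KEY):
    """Seal a prescription, edit the dose on the 'share', and re-verify.

    Returns (verified_before, verified_after_edit, verified_after_forgery).
    """
    sealed = seal(dict(DEMO_PRESCRIPTION), key)
    before = verify(sealed, key)

    # Attacker with write access to the share edits the dose in place.
    sealed["record"]["dose_mg"] = 50
    after_edit = verify(sealed, key)

    # Attacker also tries to recompute the tag, but does not hold the key.
    forged = seal(sealed["record"], b"guessed-key")
    after_forgery = verify(forged, key)
    return before, after_edit, after_forgery


if __name__ == "__main__":
    print(dose_tamper_demo())  # (True, False, False)
```

Two caveats worth stating. A tag proves a record was not changed since it was sealed; it does not stop an attacker from swapping in an older, validly sealed copy or deleting records outright, so the record needs a version or timestamp that the application checks is moving forward. And it says nothing about confidentiality: the full disk encryption the office later deployed protects a stolen laptop, not a record read over the network by someone holding valid credentials.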
Luckily for me, my doctor is AWESOME and had those issues resolved by my follow-up appointment. They even went a step further by implementing Active Directory (AD) for user account management, IT security awareness training for staff and full disk encryption to protect patient data stored on all office devices. Now IT security is on the radar of the doctor's office staff. So the next time you visit your doctor's office, you may want to check whether your doctor is trying to KILL YOU, TOO.
Security professionals, let’s help our doctors be SECURE in their practice. Let’s become the “IT Security COALITION of the WILLING.”
“HIPAA at DSHS.” Health Insurance Portability and Accountability Act (HIPAA) Home. Ed. DSHS. Texas Department of State Health Services, 1 Nov. 2010. Web. 10 Mar. 2014. https://www.dshs.state.tx.us/hipaa/