Terrible infections, bad practices, unclean kit – welcome to hospital IT

Usenix Enigma When it comes to IT security, the medical world is by far the most inept at data security. So say top researchers at the first Usenix Enigma security conference, held this week in San Francisco.

"As a tester who has worked in many industries, healthcare is the absolute worst in terms of security," Avi Rubin, technical director of the Information Security Institute at the Johns Hopkins University in Maryland, told Enigma attendees.

"What makes that really worrying is that we all interact with healthcare, but their data security practices were so far below every other industry we saw."

Rubin was hired to examine the system security of six major US East Coast hospitals. He found a litany of basic errors putting patients' data, and in some cases actual lives, at risk. Part of the problem is that doctors are lousy at security – as long as no one dies then job done as far as they are concerned, Rubin said – but there were also serious systemic problems.

In one hospital, users would be logged out of their workstations if they left their machines idle, so the doctors told a junior nurse to go around their PCs one by one every so often and keep them logged in – leaving the system accessible to anyone at all times.

One hospital allowed over 8,000 staff at all levels access to every record the facility stored. Another allowed a medic to log into the hospitals servers on the same computer his kids used for games and downloads.

The most egregious case Rubin saw was an unsecured computer that spits out DVDs of X-rays for patients and doctors: a canny hacker could have slipped malware into every single disc.

A few simple security techniques could solve a lot of the IT problems hospitals are facing, he said. Multi-factor access controls, whitelisting of applications on medical devices, and database activity monitoring would bring a huge improvement.

Kevin Fu, director of the Archimedes Center for Medical Device Security at the University of Michigan, agreed, saying that it would be relatively simple to fix 90 per cent of the problems he sees in healthcare providers just by using common sense.

For example, he surveyed one hospital and found that the vast majority of computers in use were running Windows XP and hadn’t been patched since they had been bought – seven years in all.

When he did a network scan, he also discovered a Windows 95 machine that was running the MRI scanner. When he asked about this, it turned out it was impossible to run the MRI software on a newer operating system without replacing the entire scanner.

Kevin Fu and the pacemaker

Therein lies the problem, he said, in that the lead time for medical devices is so long that they are outdated in today's security terms. He showed off a pacemaker that had a debug routine that could interrupt a heartbeat and was open to anyone.

In some cases, medical devices themselves were a point of infection. One device manufacturer shipped out a malware-infected firmware update that contained 38 Trojans, which then spread throughout hospitals

"The situation is getting better," Fu opined. "I'm now seeing device manufacturers designing in security at the whiteboard stage. It took the medical profession over 100 years to accept that hand-washing by staff reduced deaths but front-end devices in hospitals should be much better in a few years." ®