Healthcare has the Most Difficult Privilege Problem to Solve
On the black market, a full identity profile contained in a single Electronic Medical Record (EMR) can bring as much as $500, according to Politico. HIMSS Analytics reported in June that 83 percent of healthcare organizations use the cloud to store EMRs. Meanwhile, SANS reported that nearly 50,000 malicious events were recorded between September 2012 and October 2013. And last week, the personal information of 1.3 million people was compromised through a hacked server in Montana’s Department of Public Health infrastructure.
The healthcare industry is a prime target for advanced attacks given the vast repositories of very personal information every hospital maintains. What’s reported in the news is mainly breach events; however, a very thorough study conducted by Essentia Health dives into problem diagnosis.
Scott Erven, manager of Information Security at Essentia Health, was given free rein to roam through all of the medical equipment used at a large chain of Midwest healthcare facilities. The study spanned two years, and Erven and his team found, “drug infusion pumps–for delivering morphine drips, chemotherapy and antibiotics–that can be remotely manipulated to change the dosage doled out to patients; Bluetooth-enabled defibrillators that can be manipulated to deliver random shocks to a patient’s heart or prevent a medically needed shock from occurring; X-rays that can be accessed by outsiders lurking on a hospital’s network; temperature settings on refrigerators storing blood and drugs that can be reset, causing spoilage; and digital medical records that can be altered to cause physicians to misdiagnose, prescribe the wrong drugs or administer unwarranted care.”
How is this possible? In his research, Erven found three prominent security holes across the healthcare facility’s networks and devices:
- Lack of authentication to access or manipulate the equipment
- Weak passwords or default and hardcoded vendor passwords (privileged accounts) like “admin” or “1234”
- Embedded web servers and administrative interfaces that make it easy to identify and manipulate devices once an attacker finds them on a network
The most startling discovery Erven’s team made is how unaware hospitals, healthcare organizations and medical technology vendors seem to be of these major security issues. According to Erven, “vendors don’t have any type of security programs in place, nor is it required as part of pre-market submission to the [Federal Drug Administration].”
The healthcare industry, as a whole, must wake up to the power of privilege and understand the dangers these accounts pose. Discovering, managing and protecting this critical security layer is a must for the industry; otherwise, the safety of patients and the reputation of the organization could very well suffer.