The healthcare sector is one of the most vulnerable to hackers due to lax information security and widespread software vulnerabilities, according to a recent investigative report by the Washington Post. According to researchers, failures to fix software security flaws and practices that bypass basic network security measures put the industry far behind other sensitive sectors, despite the risk of exposing medical information to hackers.
"I have never seen an industry with more gaping security holes," Avi Rubin, a computer scientist and technical director of the Information Security Institute at Johns Hopkins University, told the Post. "If our financial industry regarded security the way the health-care sector does, I would stuff my cash in a mattress under my bed."
Issues discovered by the Post include the use of vulnerability-ridden electronic health record (EHR) management software, internet-facing medical systems without security controls and a widespread neglect of best practices such as password management. In one clinic, for instance, a nurse was specifically tasked with keeping a doctor logged into every machine to save the physician time. Additionally, many device vendors discourage users from installing software updates, believing that changes cannot be made to FDA-approved systems.
"A lot of people are very confused about FDA’s position on this," John Murray Jr., a software compliance expert at the FDA, told the Post, noting that the FDA actually encourages practitioners to install vendor updates to the embedded software in medical devices.
The danger of coding errors
A series of reports have turned up vulnerabilities in devices such as defibrillators, insulin pumps and wireless glucose monitors, according to the Post. Security researchers Tim Elrod and Stefan Morris found vulnerabilities that would allow hackers to gain control of and dispense drugs from a secure electronic cabinet by using a forced browsing attack.
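The forced browsing weakness mentioned above comes down to an endpoint that trusts it was reached through the intended page rather than checking authorization itself. The following is an added illustration, not code from the Post report or from the researchers' work: a toy request dispatcher for a hypothetical dispensing cabinet, with the vulnerable pattern (only the menu page checks the login) beside a deny-by-default version that enforces authentication and role on every request. The route names, roles and session objects are constructed for the example.

```python
"""Added example (constructed; not the researchers' or any vendor's code):
why a forced-browsing flaw exists and how per-request authorization
closes it. Endpoint names, roles and sessions are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    role: str                 # constructed roles: "nurse", "pharmacist", "anonymous"
    authenticated: bool = False


@dataclass
class Cabinet:
    stock: dict = field(default_factory=lambda: {"drugA": 5})
    log: list = field(default_factory=list)


# --- Vulnerable pattern --------------------------------------------------
# Only the menu page checks the login; the action endpoint assumes anyone
# reaching it came through the menu. Requesting /dispense directly skips
# the check entirely, which is the forced-browsing weakness.
def vulnerable_dispatch(path, session, cabinet, item="drugA"):
    if path == "/menu":
        if not session.authenticated:
            return 401, "login required"
        return 200, "menu"
    if path == "/dispense":
        cabinet.stock[item] -= 1
        cabinet.log.append((session.user, item))
        return 200, f"dispensed {item}"
    return 404, "not found"


# --- Hardened pattern ----------------------------------------------------
# Deny by default: every route declares the roles allowed to call it, and
# the dispatcher enforces authentication and role for each request,
# regardless of how the client arrived at the URL. Unknown paths are
# rejected before any state is touched, and denials are logged.
ROUTES = {
    "/menu": {"nurse", "pharmacist"},
    "/dispense": {"pharmacist"},
}


def hardened_dispatch(path, session, cabinet, item="drugA"):
    allowed = ROUTES.get(path)
    if allowed is None:
        return 404, "not found"
    if not session.authenticated:
        return 401, "login required"
    if session.role not in allowed:
        cabinet.log.append(("DENIED", session.user, path))
        return 403, "forbidden"
    if path == "/menu":
        return 200, "menu"
    if cabinet.stock.get(item, 0) <= 0:
        return 409, "out of stock"
    cabinet.stock[item] -= 1
    cabinet.log.append((session.user, item))
    return 200, f"dispensed {item}"


if __name__ == "__main__":
    anon = Session("nobody", "anonymous")
    print(vulnerable_dispatch("/dispense", anon, Cabinet()))  # 200: the flaw
    print(hardened_dispatch("/dispense", anon, Cabinet()))    # 401: rejected
```

The design point is that authorization lives in the dispatcher, keyed by route, rather than in whichever page happens to link to the action; a reviewer can then check the `ROUTES` table for every state-changing endpoint instead of auditing each handler's control flow.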
MIT Technology Review reported in October that medical devices, many of which are connected to an internal network that is itself connected to the internet, are becoming weighed down with malware. At Beth Israel Deaconess Medical Center in Boston, 664 pieces of equipment have been left running outdated software due to regulatory disagreements, and many must be taken offline to be cleaned of malware. The hospital's CISO described a frequent occurrence in which fetal monitors used for women with high-risk pregnancies were slowed down or unable to record data due to malware.
"I find this mind-boggling," Kevin Fu, a medical device security expert and computer science professor at the University of Michigan and the University of Massachusetts, Amherst, said, according to MIT Technology Review. "Conventional malware is rampant in hospitals because of medical devices using unpatched operating systems. There’s little recourse for hospitals when a manufacturer refuses to allow OS updates or security patches."
EHR data may also be at risk as hospitals increasingly put this information online. An open-source program called OpenEMR, which is set to be deployed by the U.S. Peace Corps, contains hundreds of vulnerabilities, according to a research team headed by Laurie Williams, a professor at North Carolina State University.
"There are basic, basic, Security 101 vulnerabilities we identified," she told the Post. "I’m concerned that at some point the hackers are really going to begin exploiting them. And that’s going to be a scary day."
Preventing security weaknesses
Researchers and healthcare industry experts noted that improvements are being made, but there is a long way to go. To begin with, vendors need to strengthen their coding practices, according to John Delano, CIO at Oklahoma healthcare provider Integris Health.
"Unfortunately, a lot of times you run into vendors who have poorly coded software," he told the Post.
Device manufacturers could reduce the number of errors in their software and catch vulnerabilities by using techniques such as source code analysis. By building analysis into the development process, vendors could also ease FDA compliance, removing many of the regulatory challenges that lead to malware and other exploits spreading.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.