Disclaimer: don’t read this if you don’t want your sense of security involving medical information shattered. This post is based on a Skytalk presented at Def Con 27. The presenter opted to redact their name for privacy concerns. What made this talk quite startling was the fact that the presenter supports over 25 hospitals around the US and has insight of just how poor information systems security is within these hospital environments. Due to the nature of these talks, recordings are prohibited, and I didn’t want to get kicked out, so I avoided taking notes as well just in case. This semi ties into a past post I wrote pertaining to poor medical device security and another follow up post about what the industry is doing about it.
That said, if you want to learn more about an insider’s perspective into the horror stories within the medical industry, read on.
A Barrage of Issues
Hearing all that was said was quite terrifying, from password concerns to the sheer number of internal vulnerabilities detected, I was simply astonished at the words coming from the speaker. What was more than that, however, was upper managements lack of interest in corrective action. Stick with me while I go through the points discussed and what solutions were proposed but not implemented.
For starters, a huge concern was the operating systems in use within the hospitals the speaker supported. He stated that DOS was still being used and he was the only employee on his team who even knew what DOS was. Not to mention the continued use of Windows XP, NT, and 95 – now if that doesn’t date a few things, I am not sure what will. These are machines handling personal health information, where critical vulnerabilities are publicized with no available patches or fixes are available for these unsupported systems. What’s even more crazy was a “new” robot that was in charge of provisioning medicine – it, too, ran on DOS!
If you’re curious of release dates, check out this Wikipedia page discussing Windows version and their release dates. On that same note, and one of the most alarming points made, was that on average, his internally ran vulnerability scans results in over 300 critical vulnerabilities! You read that right, yes this is on average.
Next off was poor password practices. From weak passwords just barely satisfying password policies, to doctors openly sharing passwords with staff members, it’s almost as if anyone could access a patient’s health information masked as a doctor. The speaker stated that it wasn’t uncommon for nurses to know the password of at least three doctors they worked with. There were network devices that didn’t even have a password! We all know what can happen with compromised passwords, or even a lack of a password – yikes!
To make matters worse, I forget the password solution used in his supported hospitals, but it was something along the lines of “SSGP” or similar. What I know is that it was four characters and started with “SS”. The point is, this speaker was part of a hacker group and this group discovered a vulnerability but opted to not disclose this vulnerability. The speakers dire warning was, “all medical staff should change their passwords, immediately!” Think about that for a moment; a password solution with an undisclosed vulnerability – I’ll tie these password points in later, keep reading.
Another alarming act was his attempt at personally lockpicking doors protecting secure areas. He mentioned one such incident where two or three people approached him stating, “What you’re doing is pretty shady.” The speaker replied, “I know, you’re right. What I am doing is shady.” He said that after three hours, no one reported him, nor did security confront him. The speaker was able to break his way into network closets, where equipment was essentially wide open and was able to set up rogue access points, as well as scan the network. Mind you he was doing this in an attempt to check what security measures were in place.
One observation the speaker made was the sheer amount of bacteria and mold growing on this network equipment. He showed pictures he took of Ethernet cables and switches caked with molasses and other icky stuff – ewww.
Wow is really all I can say. That was astonishing and to be honest, it was tough to admit and see truth in his alleged statements. However, what made me believe his story more than anything was his interest in his and his father’s medical conditions. One day he got curious due to the number of hospital visits the two make. When he started poking, he went full throttle to see just how poor security measures are.
Enough Scary Talk, Proposed Solutions
In reading the above section, you should know by now what some proposed solutions would be. Examples include not sharing your password, enabling passwords for that matter, and using currently supported operating systems, as well as ensuring physical security is a thing. If you weren’t thinking of those, now you know.
Past that, and what actually seemed to be a fair solution to avoid a lot of the above: mobile medical units.
The speaker started off by saying mammograms are mobile, and that there should be an effort in mobilizing other critical devices. Get everything mobilized and “…start treating patients in-house, where they’re most comfortable.” That really stuck out to me. There’s always been a notion of making patients most comfortable and the truth is, often times, being at home is what’s most comfortable.
I am sure there are more logistics behind that statement, which leads to a desire for expanded conversations on how to go about mobilizing medical staff. It seems semi-feasible, but I also know that there are a lot of varying illnesses and it kind of makes it seem infeasible at the same time. I’m no medical expert so I can’t speak too much on this.
Tying in the Loose Ends
Above I left the password talk on a cliff hanger. Allow me to expand in this section.
The speaker stated the number of phishing attempts was simply overwhelming, and that there are many who fall prey. Two examples he gave were more recent: one being where a finance department personnel fell victim to a fraudulent invoice totaling $500,000 (that’s a lot of money), and the other was a critical ransomware attack (which started at $900,000 that the staff was able to work down to $500,000). The latter was facilitated by compromised passwords.
I’m not sure about you but I’ve received many fraudulent invoice requests of varying amounts. It’s easier for me to disregard because I know I am not in the position to handle such matters. The same cannot be said for the one who fell victim though. That said, and with such a large sum of money, employees shouldn’t blindly pay anything without checking the records. There should be a way to validate such invoices and I find it hard to believe there isn’t some sort of paper trail regarding who the hospital does business with and what’s owed to whom. If this isn’t the case, paying an excessive amount of money for an untraceable invoice is an expensive fault that needs correction.
As for the latest ransomware attack – this started Monday, August 5th, the week of Black Hat / DefCon. He got into town that night, went to sleep and was awoken early Tuesday morning with reports of a ransomware attack. Immediately he told the caller to ensure all passwords were changed and what to expect. The backups were too old – tsk, tsk – so they were left with no choice but to negotiate and pay. The staff did this, yet they failed to change their passwords! After forking out $500k, they were hit again with the same attack Thursday of that same week because they didn’t change their passwords! Imagine that. And to make it worse, the staff agreed to change their password this time…. but opted to wait until the following week to do so.
Did they? I am not sure but waiting is such a silly thing to do.
This all leads back to user training. All personnel should be trained on how to look out for phishing emails and other unsolicited emails claiming a lack of payment. The same applies with passwords uses. Reusing passwords is a no-no and with all that was said above, multi-factor authentication would definitely be worth the cost. With these two examples, that’s a fair sum of money paid, and you’d figure that change would be expected.
I would be lying if I said I’d feel comfortable going to a doctor and feeling my personal health information is safe. Obviously when you’re in a critical condition it may not mean as much at that time, your life is on the line after all, but it’s still a scary thought to know the gravity of just how poor hospital security allegedly is. Further, with the HIPAA violation costs, the speaker stated that hospitals are more prone on not reporting breaches and thus not getting fined. Again, these are all allegations and all I am doing is summarizing what was reported.
Tying in the whole medical device concerns with this development, change is in order. With personal information being publicized on the dark web and accessible by other threat actors, there’s no telling what they may do with that information. There was a lot more that was said in this talk and what I wrote was merely a glimpse. It’s difficult to ensure your personal information is safe when you’re not the one responsible for keeping it safe. The truth is, it’s the doctors’ responsibility along with the medical staff and the IT team of said hospitals.
Adam Hawk says
I worked as “The IT Guy” in several medical facilities, back in the 80’s and 90’s, in South America. Compound what you saw during that presentation with the crude fact that most health care facilities in the third world rely on second-hand equipment, with zero support (other that reactives, or basic supplies).
At the time, permanent connection to the Internet was just unaffordable for those facilities, so the most pressing concern was physical security, or equipment failure.
Fast forward to the 2000-2015 period, where I worked here in the US for an entity heavily involved in the blood supply for hospitals. The software was so outdated, the security practices were so weak, that the FDA got involved.
It does not surprise me what was presented. Usually the blame goes to the low level staff, when doctors are the first ones sharing passwords, so the assistants do everything without they leaving their chairs. Also, how millions are spent on equipment, without basic certification of security? Can donors to health care institutions use their leverage to force some improvements? Can patients?
A scene from “The Net” back in 1995 showed someone being killed by altering the patient record and issuing an order to inject insulin. At the time it seemed far fetched, Today, it may be happening very frequently and we may not notice.
Emil Hozan says
Thank you for reading and engaging with this post! I also appreciate the insight offered through your experiences as well.
I extend your concerns about the millions being spent on medical devices and needing to have the FDA intervene for poor security practices. Further, you are correct that donors and patients hold power. The only counter to from a patient’s perspective is they’re in critical condition and their life is on the line, some don’t care what has to get done to help them in that situation. Donors do hold the influence since they’re providing funds to the facility, having some security standard in place to hold companies accountable against is a great start.