Stolen credit card credentials may have captured the headlines, but hackers are targeting medical information and device security on critical networks, says Avi Rubin, a professor of computer science at Johns Hopkins University.
The technical director of the Johns Hopkins University Information Security Institute talks with Marcus Ranum about a range of healthcare IT security issues, including the healthcare industry's ongoing efforts to work with manufacturers to design secure systems. As a member of the Trustworthy Health and Wellness (THaW) research program, Dr. Rubin is spearheading healthcare IT security projects at Johns Hopkins in implantable medical devices, mobile health and network security. He is also a managing partner and founder of Harbor Labs, which provides consulting in high-tech litigation.
Let's talk about computer security, medical devices and records! I know there's a lot of regulatory attention paid to aspects of this field, but I've always had the impression that it's a very different environment. There's a constant churn of high tech and a strong ideology of access to information everywhere. Do you think that medicine is really a very different problem-space for security, compared to say, retail? And why? Is it technology, culture, what?
Avi Rubin: Great question! Several aspects of healthcare IT distinguish it from other areas. One is that everybody interacts with the healthcare system. Unless you are one of those lucky few who never gets sick and never has checkups, you are going to have some of your medical information stored in a healthcare database. And so the privacy of medical information is a real fact of life for all of us.
The primary care providers -- doctors -- tend to be rather disinterested in technology and resistant to change in their IT environment. I've seen hospitals where a nurse is tasked with entering all of the doctors' passwords into the systems every hour so that their sessions do not time out. Also, healthcare is a field that is undergoing a rapid technological boom because of mandates from the government and advances in technology.
Finally, healthcare is a highly regulated environment in which medical devices must undergo all kinds of certifications and where personal information must be protected according to various laws [such as] HIPAA and the HITECH [Health Information Technology for Economic and Clinical Health] act.
One thing I hear a lot is that medical equipment can't be upgraded because of certification requirements, so there are lots of old systems on critical networks. Is that real or is that just an excuse? What needs to happen to improve that situation?
Avi Rubintechnical director, Johns Hopkins University Information Security Institute
Rubin: That is definitely the case, but I'm not sure it is attributable to the certification requirements or just to inertia. As I said earlier, doctors don't like to fix it if it ain't broke, and many doctors use the same outdated equipment they have reliably used for years.
That said, there are plenty of doctors who like to live on the cutting edge, and I don't think that the certification issues around medical equipment have kept those intrepid care providers from upgrading.
I agree with you that privacy of medical records is a concern, but to what degree do you think medicine has been spared the level of attack of, say, credit cards, because it's harder to monetize stolen patient records? I'm sure that to an insurer or an employer someone's medical records might be interesting, but other than that, are they worth stealing?
Rubin: Actually, there have been quite a number of incidents of stolen medical records and other data. I think the press is more focused on attacks that directly affect consumers, such as the Target breach that impacted over 100 million people. But, I believe that as more doctors move to digital records, and as more healthcare providers move information online, we are going to see a vast increase in the number of breaches that affect patient data.
Why would anyone care? It's kind of sick to think that anyone would care to steal our medical records. But there are documented cases of blackmail against people with sensitive medical information. Knowing that someone has a medical condition that might turn off a prospective employer, for example, can be valuable information in the hands of a criminal.
So what are you working on with regard to medical informatics? I recall, fondly, your work on electronic voting machines. Are you doing similar assessments of medical systems? What are you finding?
Rubin: I'm a member of the THaW team. We formed an NSF [National Science Foundation] center around a Frontier Science grant that we received last year. Our work spans several different areas of trustworthy health [information] including securing small health networks, implantable medical devices, mobile health and several other aspects of healthcare IT security. At Hopkins, we are working on several projects, including protecting security for patients with medical devices in their homes, such as infusion pumps. We are working at the hardware level to monitor medical devices and protect them from malware that attempts to change the behavior of the devices.
At present, our projects are more on the 'constructive' side, rather than destructive. Yes, it is fun to attack systems, such as voting machines, in the lab to test them for vulnerabilities, and I spend a good portion of my time doing that. But in the healthcare space, we are focused on designing systems that protect against hackers. I do think that our experience breaking other systems is very useful and informs many of our design decisions.
I agree that understanding how we fail is useful in building better systems. The usual complaint about that is that it slows development and makes things more difficult. Have you encountered pushback along those lines or are you finding medical equipment manufacturers get it?
Rubin: I find that there are different approaches and attitudes among device manufacturers. There is one gentleman at a major manufacturer who is very responsive and wants to work with academics. He cares a great deal about security and seems to be in a position of great influence. I have seen others, who do not share his enthusiasm for working with us.
Several 'attack' papers relating to medical devices have created factions in the manufacturing community. In some respects, the research has caused alienation that makes it difficult to work together. Others in the industry see the attack research as useful. After all, we want the good guys attacking the systems and publishing their findings. Otherwise, only the bad guys will know about the flaws.
Working in healthcare IT security is one of the more interesting and challenging areas I've ever encountered. There is never a dull moment, and the best part is that I feel that we are able to truly impact the world in a significant and noticeable way.
How is the poker going? [Avi is a serious competitive poker player.]
Rubin: Extremely well. I got to play against some top professionals in a game that was filmed for TV and will air sometime this summer, and I've also decided to play in a World Series of Poker event [this month] in Las Vegas. I'm beyond excited for that.
About the author:
Marcus J. Ranum, chief security officer of Tenable Security Inc., is a world-renowned expert on security system design and implementation. He is the inventor of the first commercial bastion host firewall.