Cy­ber­bat­tle

Providers work to pro­tect de­vices, pa­tients

Modern Healthcare - - Information Edge - Shawn Rhea

For more than two years now, the fed­eral agency that serves re­tired war­riors has been wag­ing its own bat­tle. Of­fi­cials at the Vet­er­ans Health Ad­min­is­tra­tion have been plac­ing cer­tain elec­tronic de­vices be­hind a so­phis­ti­cated web of pro­tec­tion in an ef­fort to fight off a grow­ing num­ber of cy­ber-attacks. The move, says Charles Gephart, di­rec­tor of the VA’s IT field se­cu­rity op­er­a­tions, is in­tended to pre­vent po­ten­tially life-threat­en­ing com­pro­mises to a host of clin­i­cal in­for­ma­tion and pa­tient-care de­vices.

As a part of the ef­fort, the VA’s IT staff has placed items such as glu­come­ters, imag­ing ma­chines, phar­macy dis­pens­ing cab­i­nets and pic­ture ar­chiv­ing and com­mu­ni­ca­tions sys­tems on their own net­work­ing sys­tems. By iso­lat­ing the de­vices from the hos­pi­tal’s main net­work, the VA hopes to pre­vent them from be­com­ing ac­ci­den­tally or pur­pose­fully con­tam­i­nated with com­puter viruses that, de­spite best ef­forts, slip through fa­cil­i­ties’ fire­walls.

The siz­able task re­quired the VA to cen­tral­ize its IT sys­tem across all pa­tient-care sites. The agency then cat­e­go­rized and grouped more than 50,000 med­i­cal de­vices based on their func­tions and man­u­fac­tur­ers and placed them on sep­a­rate vir­tual-lo­cal area net­works, or VLANs. The con­fig­ured net­works dis­con­nected the de­vices from the In­ter­net, dis­abling com­mu­ni­ca­tion with po­ten­tial hack­ers, but still al­lowed care­givers to re­motely ac­cess and monitor the de­vices. So far the ef­fort has paid off, Gephart says. “We’ve never had an is­sue where the in­tegrity of the sys­tem was com­pro­mised to the point that it had an ef­fect on pa­tient care. That’s what we’re try­ing to pre­vent,” he says.

Still, Gephart ac­knowl­edges that stay­ing a step ahead of cy­ber-at­tack­ers is no easy feat. The VA has de­tected mal­ware in 163 med­i­cal de­vices since of­fi­cials be­gan mon­i­tor­ing the prob­lem in Jan­uary 2009. “These can be any­thing from a mi­nor virus to the Con­ficker virus,” Gephart says. And while much of the fo­cus in health­care has been on pro­tect­ing pa­tients’ per­sonal in­for­ma­tion from hack­ers in­tent on iden­tity theft, among IT se­cu­rity ex­perts there is grow­ing con­cern over the po­ten­tial for pa­tient care to be com­pro­mised by ter­ror­ists in­tent on in­flict­ing harm and fear, or as a con­se­quence of an ac­ci­den­tal vi­ral in­fec­tion.

“It’s not just about peo­ple steal­ing pa­tient records; it’s also about the po­ten­tial for a ter­ror­ist at­tack,” says Greg Hoglund, CEO of the IT se­cu­rity firm HBGary. “Right now, there are lit­tle mal­ware time bombs that have in­fected all our sys­tems. Pri­mar­ily, they’re com­ing from peo­ple work­ing in East­ern Europe, Brazil and the Philip­pines who are fo­cused on profit, not ter­ror­ism. But they sell the info to peo­ple who want it, and now you have the abil­ity for a non­tech­ni­cal at­tacker to get into a sys­tem and cause other kinds of harm.”

That harm in­cludes the very real pos­si­bil­ity for cy­ber-at­tack­ers to pur­pose­fully or ac­ci­den­tally af­fect med­i­cal de­vices im­planted in pa­tients, used to monitor pa­tients, or to pro­vide care such as e-pre­scrib­ing and au­to­matic dis­pens­ing of med­i­ca­tion. “In some cases, there may be a prob­lem that is so sub­tle we don’t even no­tice it,” says Gephart of the chal­lenges med­i­cal providers face in deal­ing with po­ten­tial sab­o­tage of de­vices. “But that could be a prob­lem be­cause we don’t know what that virus is do­ing, and with a med­i­cal de­vice, if the func­tion is off by just a cou­ple of de­grees that can be an is­sue.”

Al­ready there have been har­bin­gers of the grow­ing cy­berthreat. In mid-2009, hos­pi­tals in the U.S. and other parts of the world dis­cov­ered that imag­ing ma­chines and other med­i­cal de­vices con­nected to the In­ter­net had be­come in­fected with the dreaded Con­ficker virus.

Con­ficker at­taches it­self to Mi­crosoft Win­dows op­er­at­ing sys­tems that have not re­ceived a se­cu­rity patch against the virus. Once at­tached, the virus pro­gram pe­ri­od­i­cally con­nects to the In­ter­net for di­rec­tions from its in­ven­tor. Those di­rec­tions re­write Win­dows, caus­ing op­er­at­ing prob­lems in the var­i­ous de­vices that use the sys­tem.

A num­ber of med­i­cal de­vices use Win­dows op­er­at­ing sys­tems, and ac­cord­ing to David Finn, a health IT of­fi­cer with the technology se­cu­rity firm Sy­man­tec Corp., his com­pany heard from clients whose phar­macy dis­pens­ing cab­i­nets locked up or im­prop­erly recorded in­for­ma­tion as a re­sult of be­ing in­fected with the Con­ficker virus. “And it was not with just one man­u­fac­turer,” says Finn of the va­ri­ety of dis­pen­saries in­fected with the virus.

This past July, Kern Med­i­cal Cen­ter, Bak­ers­field, Calif., was hit by a com­puter virus that tem­po­rar­ily shut down the 172-bed hos­pi­tal’s EHR sys­tem and forced med­i­cal staff to use paper records. It took of­fi­cials roughly two weeks to cor­rect the prob­lem and get the EHR sys­tem back on­line, ac­cord­ing to news re­ports.

But a re­cent ex­per­i­ment con­ducted at the Uni­ver­sity of Read­ing in Eng­land has pro­vided a view to­ward just how se­ri­ous a threat cy­ber­at­tacks on med­i­cal de­vices could be. In May 2010, Mark Gas­son, a se­nior re­search fel­low at Read­ing’s School of Sys­tems En­gi­neer­ing, proved he was able to in­fect a se­cu­rity chip im­planted in his hand with a virus. Gas­son uses the chip to ac­cess his cell phone and build­ings on the uni­ver­sity’s cam­pus.

For the ex­per­i­ment, Gas­son pro­grammed a virus into a se­cu­rity ac­cess sys­tem that his chip typ­i­cally in­ter­acts with. Gas­son found that the virus not only trans­ferred to his chip when he tried to gain ac­cess to the se­cu­rity sys­tem, but also to other com­puter sys­tems with which the chip later came into con­tact. “The im­plant I have is sim­i­lar to the (ra­dio fre­quency iden­ti­fi­ca­tion) al­ready in use, and it could be a sort of core technology that is used” in equip­ment that mon­i­tors pa­tients, Gas­son says. “We al­ready have pace­mak­ers with wire­less con­nec­tiv­ity that al­lows doc­tors to monitor their pa­tients

re­motely,” he adds. “We tend to find that these de­vices don’t have any se­cu­rity con­trols, so if you have ac­cess to it, you change the set­tings.”

Such es­ca­lat­ing prob­lems prompted the UC Davis Health Sys­tem, Sacra­mento, Calif., to hold a health­care cyberterrorism sem­i­nar in Au­gust in hopes of pre­par­ing health­care providers to bet­ter han­dle what many IT ex­perts ex­pect to be­come in­creas­ingly so­phis­ti­cated attacks. “The mes­sage dur­ing the con­fer­ence was that health­care is a soft tar­get” for hack­ers, says Peter Yel­lowlees, di­rec­tor of the UC Davis health in­for­mat­ics grad­u­ate pro­gram.

A sur­vey re­leased in Novem­ber by the Health­care In­for­ma­tion and Man­age­ment Sys­tems So­ci­ety hinted at the health­care in­dus­try’s lag­ging in­vest­ment in IT se­cu­rity. Ac­cord­ing to the find­ings, 33% of physi­cian prac­tices and 14% of hos­pi­tals re­spond­ing to the sur­vey say they don’t per­form se­cu­rity risk anal­y­sis.

Austin Ber­glas, a su­per­vis­ing spe­cial agent with the Fed­eral Bureau of In­ves­ti­ga­tion’s New York City cy­ber branch of­fice, says he’s not sur­prised by health­care’s lack of in­vest­ment in IT se­cu­rity, but that it cre­ates a highly prob­lem­atic se­cu­rity risk.

Im­ple­ment­ing a solid IT se­cu­rity sys­tem de­mands a num­ber of costly steps. The cost varies with the size of the health­care provider, say IT se­cu­rity ex­perts, but it could eas­ily run a mid­size hos­pi­tal six fig­ures an­nu­ally.

Ber­glas says providers would rather spend money on di­rect pa­tient care. But, he ar­gues, ig­nor­ing the threat can put pa­tients at risk. “Ev­ery­body spends what they want to spend on IT un­til there’s a breach, and then they want to dump money to­wards it. But, by then it’s too late be­cause it’s much more costly to fix a prob­lem.”

But find­ing money to put up fire­walls, con­struct VLANs and take other steps against cy­ber­at­tacks isn’t health­care providers’ only chal­lenge. Once se­cu­rity breaches to med­i­cal de­vices are dis­cov­ered, man­u­fac­tur­ers are un­able to dis­trib­ute se­cu­rity patches with­out un­der­go­ing re­views of the changes by the Food and Drug Ad­min­is­tra­tion. That typ­i­cally means a lag of three months be­tween the time a se­cu­rity patch is de­vel­oped and made avail­able to health­care providers, say health­care IT-se­cu­rity ex­perts.

Bernie Liebler, di­rec­tor of technology and reg­u­la­tory af­fairs for the Ad­vanced Med­i­cal Technology As­so­ci­a­tion—a lob­by­ing group for med­i­cal de­vice man­u­fac­tur­ers—notes reg­u­la­tory agen­cies are in the early stages of ad­dress­ing cy­ber­se­cu­rity as it re­lates to med­i­cal de­vices. “The FDA’s mis­sion is to ap­prove and clear de­vices depend­ing on their safety and ef­fec­tive­ness,” he says. “So far, they haven’t taken on the task of cy­ber­se­cu­rity.

“But I don’t think any in­dus­try is where it would like to be in terms of IT se­cu­rity,” he adds. “I think the whole world needs to play catch up in this area.”

Bar-cod­ing equip­ment, which helps to en­sure pa­tients are get­ting the cor­rect medicines, are one of many de­vices the VA hopes to pre­vent from be­ing in­fected with viruses.

A chip (shown next to a grain of rice) im­planted in Gas­son’s hand was in­fected with a virus.

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.